| SOV-1 Strategic Sovereignty | SEAL-1 | |
| SOV-2 Legal & Jurisdictional Sovereignty | SEAL-1 | |
| SOV-3 Data & AI Sovereignty | SEAL-1 | |
| SOV-4 Operational Sovereignty | SEAL-2 | |
| SOV-5 Supply Chain Sovereignty | SEAL-1 | |
| SOV-6 Technology Sovereignty | SEAL-2 | |
| SOV-7 Security & Compliance Sovereignty | SEAL-1 | |
| SOV-8 Environmental Sustainability | SEAL-2 | |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-1.1 | EU/EEA legal entity control | 1. Entirely outside the EU | 0/125 | SEAL-1 | high | foreign_parent: the AWS European Sovereign Cloud's German GmbHs are 100% subsidiaries of Amazon.com Inc. (US). Ultimate entity control sits entirely outside the EU -> SOV-1.1 opt1. (src: https://aws.amazon.com/compliance/europe-digital-sovereignty/) |
| SOV-1.2 | Change of control risk | 5. Very unlikely | 125/125 | SEAL-4 | high | Amazon is a ~$2T US public company; takeover transferring it to a non-EU sovereign entity is very unlikely (this factor concerns transfer to a non-EU sovereign owner, not realistic for Amazon). Kept at existing all-seal-4 choice. |
| SOV-1.3 | Control over roadmap | 2. Through 'voice of the customer' public channels | 42/125 | SEAL-2 | medium | Roadmap set centrally by Amazon in the US; ESC has an EU advisory board but the platform roadmap is foreign-set. EU customers influence only via 'voice of the customer' channels -> opt2. |
| SOV-1.4 | Financial independence from non-EU capital | 1. Almost entirely relying on non-EU funding | 0/125 | SEAL-4 | high | Amazon is funded almost entirely by non-EU (US) capital markets/retained earnings; no material EU equity ownership of the parent. Kept at existing all-seal-4 choice. |
| SOV-1.5 | EU economic contribution | 2. Some | 31/125 | SEAL-4 | medium | AWS makes substantial EU investments (EUR 7.8B Sovereign Cloud, jobs) but the overwhelming majority of economic value/R&D/profit accrues in the US; EU contribution is 'some'. Kept at existing all-seal-4 choice. |
| SOV-1.6 | Participation in EU strategic programs | 2. Limited participation | 31/125 | SEAL-4 | medium | AWS participates in some EU initiatives (Gaia-X, public-sector frameworks) but is not a core dependency of EU strategic programs; limited participation. Kept at existing all-seal-4 choice. |
| SOV-1.7 | Alignment with EU industrial strategies | 2. Existing action plan | 42/125 | SEAL-4 | low | AWS publishes EU-facing sovereignty action plans (ESC, EUR 7.8B) showing an existing action plan, but as a US hyperscaler is not a vehicle of EU industrial strategy. Kept at existing all-seal-4 choice. |
| SOV-1.8 | Resilience to cut-off | 3. Can continue temporarily per contractual agreement | 63/125 | SEAL-2 | medium | no own_stack but ESC has a contractual continuity design: independent EU governance (German GmbHs, EU advisory board) and a dedicated EU SOC let it continue operating temporarily per contractual agreement on a parent/cut-off event -> opt3 (seal 2). It cannot internalise/replace the Amazon stack, so not opt4/5. |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-2.1 | Primary legal jurisdiction | 2. Mixed EU/non-EU | 84/167 | SEAL-1 | high | ESC offers German/EU contracting but the parent (Amazon.com Inc.) and CLOUD Act exposure are governed by US law; offer is mixed EU/non-EU law, not exclusively EU -> opt2. (src: https://aws.amazon.com/compliance/europe-digital-sovereignty/) |
| SOV-2.2 | Extraterritorial laws exposure | 3. EU subsidiary with contractual protections | 84/167 | SEAL-1 | high | no certified immunity: ESC uses EU corporate structures (German GmbHs, EU advisory board) with contractual data-protection protections, but a US-parented group's EU subsidiary is compellable via the parent and holds no SecNumCloud 3.2/EUCS-High -> EU subsidiary with contractual protections (opt3, seal 1). Normalised to opt3 across the US-hyperscaler cluster (same profile as Azure/GCP/Oracle/IBM). (src: https://aws.amazon.com/compliance/europe-digital-sovereignty/) |
| SOV-2.3 | Data access pathways for non-EU authorities | 2. Can compel access without notification, specific cases | 42/167 | SEAL-1 | high | foreign_parent / CLOUD Act / FISA 702: German GmbHs are 100% Amazon.com Inc. subsidiaries; under 'possession, custody, or control' US courts can compel the US parent to produce data without customer notification in specific gag-ordered cases -> SOV-2.3 opt2 (seal 1). This is the gating cap: SEAL-1. (src: https://aws.amazon.com/compliance/europe-digital-sovereignty/) |
| SOV-2.4 | Export control restrictions | 3. Share of revenues >50% in the EU | 84/167 | SEAL-2 | low | No EU-Member-State-targeted export restrictions apply; AWS is subject to US EAR but EU revenue share is large with no restrictions toward EU MSs evidenced. Conservatively the >50% EU-revenue tier -> opt3. |
| SOV-2.5 | Origin of IP | 1. Entirely outside the EU | 0/167 | SEAL-4 | high | Core AWS IP (services, Nitro, custom silicon designs, software) originates and is owned in the US (Amazon.com / Annapurna Labs); essentially entirely outside the EU. Kept at existing all-seal-4 choice. |
| SOV-2.6 | IP holder jurisdiction | 1. Non-EU law, single country | 0/167 | SEAL-3 | high | IP held by US entities under US law (single jurisdiction) -> opt1. |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-3.1 | Customer control over encryption keys | 5. Customer exclusive control - provider cannot read data | 200/200 | SEAL-4 | high | AWS KMS supports customer-managed keys and External Key Store (XKS/HYOK), letting customers hold keys outside AWS so the provider cannot decrypt when properly configured -> opt5 (best-case exclusive customer control). |
| SOV-3.2 | Transparent data flows & access logs | 4. Full customer-controlled visibility, not real-time | 150/200 | SEAL-3 | medium | CloudTrail provides comprehensive customer-controlled access/API logs covering data flows, but delivery is near-real-time rather than guaranteed real-time independent oversight; AWS controls the pipeline -> opt4. |
| SOV-3.3 | Secure deletion & proof of erasure | 3. Internal validation per policy, no proof | 100/200 | SEAL-1 | medium | AWS documents secure decommissioning/deletion per policy (NIST 800-88, attested) but no per-customer cryptographically independent proof of irreversible erasure -> opt3. |
| SOV-3.4 | Data location strictly in EU/EEA | 5. Exclusively EU, no third-country fallback | 200/200 | SEAL-4 | medium | eu_exclusive: ESC is a physically and logically separate partition (aws-eusc) that stores AND processes all data including metadata exclusively within the EU, with infrastructure entirely in the EU, zero operational access from outside EU borders and no critical non-EU dependencies -> SOV-3.4 opt5 (exclusively EU, no third-country fallback). Genuine differentiator vs Azure/GCP/IBM data-boundary products that retain controlled third-country fallback. (src: https://aws.eu/) |
| SOV-3.5 | AI services sovereignty | 2. Mostly non-EU: licensed AI, chip dependency | 50/200 | SEAL-2 | medium | ESC AI (Bedrock/SageMaker) is dominated by US-origin models on AWS Trainium/Inferentia accelerators fabbed at TSMC; mostly non-EU AI with chip dependency -> opt2 (seal 2). |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-4.1 | Portability & interoperability | 4. Formal migration services available | 125/167 | SEAL-4 | high | AWS provides standard documented export tooling plus formal migration services (Migration Hub, Snow, DataSync), despite managed-service lock-in -> opt4. |
| SOV-4.2 | Ability to operate without foreign dependencies | 4. Ops predominantly EU-based teams | 125/167 | SEAL-3 | medium | eu_ops: ESC is operated by EU-resident personnel only and non-EU AWS staff have no access to customer content -> ops predominantly EU-based teams, opt4 (seal 3). Not opt5 (fully EU-built stack) as the platform is US-engineered. |
| SOV-4.3 | Skill availability in the EU | 3. Majority EU, escalation abroad | 84/167 | SEAL-3 | medium | eu_ops: ESC day-to-day technical support and operations are staffed by EU residents, with deeper platform engineering escalation to the global (US) pool -> majority EU with escalation abroad, opt3 (seal 3). |
| SOV-4.4 | Support channels | 3. Majority in EU, non-EU escalations | 84/167 | SEAL-3 | medium | eu_ops: ESC customer service and technical support are provided by EU-located personnel, with non-EU escalation for the underlying platform -> majority in EU with non-EU escalations, opt3 (seal 3). |
| SOV-4.5 | Documentation & knowledge transfer | 2. EU optional, not enforced | 42/167 | SEAL-2 | low | Documentation/knowledge bases are global (US-hosted, English-primary); EU-only handling is optional/not enforced -> opt2 (seal 2). |
| SOV-4.6 | Subcontractor & supplier jurisdiction | 2. Service would stop with delay | 42/167 | SEAL-2 | low | no own_stack: continuity depends on Amazon (non-EU vendor) and non-EU silicon; on a sustained supplier/parent disruption the service would stop with delay rather than continue autonomously under EU control -> opt2 (seal 2). |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-5.1 | Origin of components (physical parts) | 2. Partial disclosure | 36/143 | SEAL-1 | medium | AWS discloses some hardware/Nitro detail but not full component provenance; partial disclosure with foreign-origin components -> opt2. |
| SOV-5.2 | Manufacturing location | 2. Foreign origin, partial disclosure | 36/143 | SEAL-1 | high | Servers and custom silicon are built outside the EU (ODMs in Asia/US; chips fabbed at TSMC Taiwan); foreign-origin manufacturing, partial disclosure -> opt2. |
| SOV-5.3 | Embedded code/firmware provenance | 2. Partial disclosure | 36/143 | SEAL-4 | medium | Nitro firmware/embedded code designed by AWS/Annapurna (US) with some published architecture but no full open provenance; partial disclosure -> opt2. (All-seal-4 factor; choice kept.) |
| SOV-5.4 | Origin of software | 2. Foreign origin, partial disclosure | 36/143 | SEAL-2 | high | foreign_core: ESC core platform software is AWS proprietary US-designed/US-maintained technology with only partial architectural disclosure -> SOV-5.4 opt2 (seal 2). This is a SEAL-2 ceiling on software origin. |
| SOV-5.5 | Software build/release jurisdiction | 1. Non-EU control & execution | 0/143 | SEAL-1 | high | Platform software build and release are controlled and executed by AWS in the US (non-EU control and execution) -> opt1. |
| SOV-5.6 | Single point of dependency | 1. Only non-EU vendors/facilities | 0/143 | SEAL-1 | high | Critical services depend on Amazon itself as the non-EU vendor plus non-EU silicon (TSMC); fundamental dependency on a single non-EU vendor for the whole stack -> opt1. |
| SOV-5.7 | Supply chain transparency | 2. Some suppliers auditable | 36/143 | SEAL-1 | medium | AWS attestation programs expose some supplier/control information to auditors, but the broad supply chain is not openly auditable by customers; some suppliers auditable -> opt2. |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-6.1 | Interoperability & open interfaces | 3. Mixed (partial openness) | 100/200 | SEAL-2 | medium | Many standards-based APIs and open protocols, but a large share of differentiated value sits in proprietary managed-service APIs; mixed/partial openness -> opt3. |
| SOV-6.2 | Open standards compliance | 3. Partial core adoption | 100/200 | SEAL-2 | medium | Open standards adopted across many core services (S3 API, POSIX, SQL engines, EKS/Kubernetes) but no blanket policy mandating open standards for all; partial core adoption -> opt3. |
| SOV-6.3 | Open source availability | 2. Source available for review, strict rights | 50/200 | SEAL-2 | medium | foreign_core: the ESC platform substrate is closed-source and vendor-controlled (AWS contributes OSS like Firecracker/Bottlerocket but the service is not open); source-available-with-strict-rights best fits -> opt2 (seal 2). |
| SOV-6.4 | Service architecture transparency | 3. Some public insight | 100/200 | SEAL-3 | medium | AWS publishes extensive architecture/whitepaper material (Well-Architected, Nitro, ESC overview) giving substantial public insight, with deepest internals only under audit -> opt3. |
| SOV-6.5 | HPC sovereignty | 2. EU-hosted, foreign stack | 50/200 | SEAL-3 | medium | ESC offers HPC capacity in the EU but the stack (chips, schedulers, accelerators) is foreign-designed and foreign-fabbed; EU-hosted with a foreign HPC stack -> opt2 (seal 3). |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-7.1 | Security certification (EAL) | 4. EAL3 | 107/143 | SEAL-3 | medium | certs: ESC holds C5 (BSI) plus SOC 2 and seven ISO certifications, and AWS components (Nitro, KMS HSMs) hold Common Criteria/FIPS 140; per key high-assurance EU cloud cert (BSI C5) maps to EAL3 -> opt4 (seal 3). No platform-wide EAL4-5/EUCS-High. (src: https://aws.amazon.com/blogs/security/aws-european-sovereign-cloud-achieves-first-compliance-milestone-soc-2-and-c5-reports-plus-seven-iso-certifications) |
| SOV-7.2 | EU regulatory compliance (GDPR/NIS2/DORA) | 4. Partial compliance to most | 107/143 | SEAL-4 | high | AWS supports GDPR (DPA, SCCs), NIS2 and DORA frameworks and is independently audited, but full end-to-end compliance is shared-responsibility; partial compliance to most. Kept at existing all-seal-4 choice. |
| SOV-7.3 | EU-based SOC & incident handling | 4. Entire lifecycle by EU teams, EU threat intel | 107/143 | SEAL-3 | medium | eu_ops: ESC has a dedicated EU Security Operations Centre staffed exclusively by EU residents handling the incident lifecycle within the EU -> entire lifecycle by EU teams, opt4 (seal 3). Genuine differentiator vs peers' hybrid global SOCs. Not opt5 (no evidenced ENISA/CSIRT-network sharing). (src: https://aws.eu/) |
| SOV-7.4 | Control over security monitoring/logging | 4. Full direct access, logs stored in EU | 107/143 | SEAL-3 | medium | Customers get full direct access to security logs (CloudTrail, GuardDuty, Security Lake) and can store them in EU Regions; immutability depends on customer config -> full direct access, EU log storage, opt4. |
| SOV-7.5 | Disclosure of incidents | 4. Partial compliance, monitored flow, SLAs | 107/143 | SEAL-3 | medium | AWS provides GDPR/NIS2/DORA-aligned breach/incident notification with contractual monitored SLAs, though not full real-time CSIRT-network sharing -> partial compliance, monitored flow, SLAs, opt4 (seal 3). Normalised across the cluster (all five offer NIS2/DORA-aligned SLAs). |
| SOV-7.6 | Maintenance autonomy | 3. Moderate autonomy (notice + testing, except zero-day) | 72/143 | SEAL-4 | medium | Customers have moderate maintenance autonomy over workloads (patch/maintenance windows, advance notice, testing) while AWS controls platform maintenance except emergency/zero-day fixes -> opt3 (seal 4). |
| SOV-7.7 | Auditability | 2. Limited independent access | 36/143 | SEAL-1 | medium | no certified audit_rights: independent audit limited to AWS-defined attestation programs (C5/SOC2/ISO) and auditor access under NDA; customers/independent EU bodies cannot freely audit -> opt2 (seal 1). |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-8.1 | Energy efficiency (PUE) | 3. PUE < 1.5 + roadmap | 125/250 | SEAL-4 | high | AWS reports a global average PUE of ~1.15 (2023)/1.14 (2024) with an efficiency roadmap; falls in the 'PUE < 1.5 + roadmap' tier (lower tiers require verified per-facility figures) -> opt3 (seal 4). (src: https://sustainability.aboutamazon.com/products-services/aws-cloud) |
| SOV-8.2 | Hardware reuse & recycling | 3. Documented program | 125/250 | SEAL-3 | medium | AWS runs a documented hardware reuse/refurbishment/recycling program reported in Amazon's sustainability disclosures -> documented program, opt3 (seal 3). |
| SOV-8.3 | Environmental impact reporting | 3. Annual report | 125/250 | SEAL-2 | high | Amazon publishes a detailed annual sustainability report with AWS data-centre metrics (PUE, WUE, renewables) but self-reported, not independently EU-methodology-audited -> annual report, opt3. |
| SOV-8.4 | Energy supplies | 3. Mix of EU and non-EU supplies | 125/250 | SEAL-4 | medium | AWS matches 100% of electricity with renewables globally and procures EU renewable capacity, but supply is a mix of EU and non-EU sources -> opt3. Kept at existing all-seal-4 choice. (src: https://sustainability.aboutamazon.com/products-services/aws-cloud) |