| SOV-1 Strategic Sovereignty | SEAL-0 | |
| SOV-2 Legal & Jurisdictional Sovereignty | SEAL-1 | |
| SOV-3 Data & AI Sovereignty | SEAL-0 | |
| SOV-4 Operational Sovereignty | SEAL-0 | |
| SOV-5 Supply Chain Sovereignty | SEAL-0 | |
| SOV-6 Technology Sovereignty | SEAL-0 | |
| SOV-7 Security & Compliance Sovereignty | SEAL-0 | |
| SOV-8 Environmental Sustainability | SEAL-0 | |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-1.1 | EU/EEA legal entity control | 1. Entirely outside the EU | 0/125 | SEAL-1 | high | Baidu AI Cloud is operated by Baidu, Inc., headquartered in Beijing, China and listed on NASDAQ/HKEX; no EU/EEA legal entity controls the service. Operations are entirely outside the EU. (src: https://en.wikipedia.org/wiki/Baidu) |
| SOV-1.2 | Change of control risk | 5. Very unlikely | 125/125 | SEAL-4 | medium | Baidu is a Chinese national champion under PRC control; a takeover by an EU sovereign entity is very unlikely. The risk being measured (transfer to a non-EU entity) is effectively already realized, but a shift toward EU control is extremely improbable. |
| SOV-1.3 | Control over roadmap | 1. No influence possible | 0/125 | SEAL-2 | high | Product roadmap is set centrally by Baidu in China with no EU governance bodies or formal channels for EU customer influence. |
| SOV-1.4 | Financial independence from non-EU capital | 1. Almost entirely relying on non-EU funding | 0/125 | SEAL-4 | high | Baidu is funded by Chinese/global capital markets (NASDAQ, HKEX) and Robin Li's controlling stake; funding relies almost entirely on non-EU capital. |
| SOV-1.5 | EU economic contribution | 1. Minimal | 0/125 | SEAL-4 | high | Baidu's revenue, employment and investment are overwhelmingly in China; EU economic contribution is minimal with no EU data centers or significant EU operations. |
| SOV-1.6 | Participation in EU strategic programs | 1. No clear participation | 0/125 | SEAL-4 | high | No clear participation in EU strategic programs such as Gaia-X or IPCEI-CIS; Baidu's strategic alignment is with Chinese national initiatives. |
| SOV-1.7 | Alignment with EU industrial strategies | 1. No evidence exists | 0/125 | SEAL-4 | high | No evidence of alignment with EU industrial strategies; Baidu aligns with China's national AI and chip self-sufficiency strategies. |
| SOV-1.8 | Resilience to cut-off | 2. Service would stop, with delay for customer reaction | 31/125 | SEAL-0 | low | No own_stack (single non-EU vendor whose withdrawal halts service) -> SOV-1.8 opt2 (seal 0). Service hosted entirely in China/APAC by a Chinese entity would stop on cut-off; no EU autonomy or continuity mechanism. |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-2.1 | Primary legal jurisdiction | 1. Non-EU only | 0/167 | SEAL-1 | high | Baidu AI Cloud operates under Chinese law (PRC); the international offering is governed by Singapore/Hong Kong terms, not EU law, and there is no EU region or EU entity. Primary jurisdiction is non-EU only -> SOV-2.1 opt1 (genuine differentiator vs peers with EU regions). (src: https://intl.cloud.baidu.com/doc/Reference/s/2jwvz23xx-en) |
| SOV-2.2 | Extraterritorial laws exposure | 1. Fully exposed to non-EU laws | 0/167 | SEAL-1 | high | foreign_parent, no immunity -> SOV-2.2 opt1 (seal 1). Fully exposed to PRC extraterritorial laws (National Intelligence Law, National Security Law, Data Security Law, Cybersecurity Law) with no EU legal shielding. |
| SOV-2.3 | Data access pathways for non-EU authorities | 1. Can compel access without customer notification | 0/167 | SEAL-1 | high | foreign_parent (PRC law) -> SOV-2.3 opt1 (seal 1, CEIL). Under China's National Intelligence Law (Art. 7) Baidu can be compelled to support state intelligence work and provide data without customer notification. |
| SOV-2.4 | Export control restrictions | 2. Restrictions towards EU citizens or international orgs | 42/167 | SEAL-1 | medium | Subject to Chinese export-control/data-transfer regimes plus US/EU restrictions on Chinese tech affecting EU citizens/international orgs; no documented restriction targeting a specific EU Member State -> normalised to cluster answer SOV-2.4 opt2 (seal 1; was opt1), consistent with Alibaba/Tencent/Huawei. |
| SOV-2.5 | Origin of IP | 1. Entirely outside the EU | 0/167 | SEAL-4 | high | Core IP (ERNIE models, BCE platform, Kunlun chip designs) is developed and held entirely outside the EU, in China. |
| SOV-2.6 | IP holder jurisdiction | 1. Non-EU law, single country | 0/167 | SEAL-3 | high | IP is held by Baidu under Chinese law, a single non-EU jurisdiction. |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-3.1 | Customer control over encryption keys | 3. Shared - provider has override keys | 100/200 | SEAL-2 | low | Standard cloud KMS/customer-managed keys exist but the PRC-compellable provider retains override and can technically read data -> shared keys, provider has override -> normalised to cluster answer SOV-3.1 opt3 (seal 2; was opt2), consistent with Tencent/Huawei KMS+override. |
| SOV-3.2 | Transparent data flows & access logs | 2. Basic incomplete logs | 50/200 | SEAL-1 | low | Cloud audit/access logs exist but are vendor-controlled and incomplete from a sovereignty standpoint; no independent EU auditability. |
| SOV-3.3 | Secure deletion & proof of erasure | 3. Internal validation per policy, no proof | 100/200 | SEAL-1 | low | Deletion follows internal lifecycle policy with no independent cryptographic proof of irreversible erasure -> internal validation per policy -> normalised to cluster answer SOV-3.3 opt3 (seal 1; was opt2), consistent with Alibaba/Tencent/Huawei policy-based deletion. |
| SOV-3.4 | Data location strictly in EU/EEA | 1. Largely unknown, third countries without controls | 0/200 | SEAL-0 | high | No eu_exclusive and no EU/EEA region at all (DCs in Beijing/Baoding/Guangzhou/Suzhou/Shanghai/Wuhan/Hong Kong/Singapore) -> SOV-3.4 opt1 (seal 0 gate, CEIL). Data resides in third countries without EU residency controls; genuine differentiator vs peers with EU regions. (src: https://intl.cloud.baidu.com/doc/Reference/s/2jwvz23xx-en) |
| SOV-3.5 | AI services sovereignty | 2. Mostly non-EU: licensed AI, chip dependency | 50/200 | SEAL-2 | high | AI is Baidu's proprietary ERNIE models running on self-developed Kunlun chips plus Nvidia GPUs; licensed/black-box AI with non-EU chip dependency, controlled entirely outside the EU. |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-4.1 | Portability & interoperability | 2. Best-effort portability | 42/167 | SEAL-1 | low | Some data export tooling exists but no strong portability guarantees or sovereign-infrastructure deployment; best-effort at most for EU users. |
| SOV-4.2 | Ability to operate without foreign dependencies | 1. Critical ops delivered by non-EU teams | 0/167 | SEAL-1 | high | Critical operations are delivered by Baidu teams in China/APAC; no EU-based operational capability. |
| SOV-4.3 | Skill availability in the EU | 1. Global team, mainly non-EU | 0/167 | SEAL-1 | high | Engineering and operational skills sit in China; the team is global/non-EU with no meaningful EU staffing. |
| SOV-4.4 | Support channels | 1. Global, majority outside EU | 0/167 | SEAL-1 | medium | Support for the international offering is provided from Asia (China/Singapore/Hong Kong); majority of support staff are outside the EU. |
| SOV-4.5 | Documentation & knowledge transfer | 1. Global/non-EU exposure | 0/167 | SEAL-0 | medium | Documentation and knowledge bases are global, hosted on Baidu infrastructure in China, with non-EU exposure and no EU-only repositories. |
| SOV-4.6 | Subcontractor & supplier jurisdiction | 2. Service would stop with delay | 42/167 | SEAL-2 | low | Subcontractors/suppliers are predominantly non-EU (Chinese); on disruption the service would stop with some delay, with no EU continuity arrangement. |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-5.1 | Origin of components (physical parts) | 1. No disclosure | 0/143 | SEAL-1 | medium | No public bill-of-materials disclosure of physical component origin for EU buyers; hardware provenance is opaque (no disclosure). |
| SOV-5.2 | Manufacturing location | 1. Fully foreign, black box | 0/143 | SEAL-1 | medium | Hardware is manufactured/assembled in China and abroad as a black box from the EU perspective, with no EU audit rights or disclosure. |
| SOV-5.3 | Embedded code/firmware provenance | 1. No disclosure | 0/143 | SEAL-4 | medium | No disclosure of embedded firmware provenance; firmware originates from Chinese and other non-EU vendors with no transparency to EU customers. |
| SOV-5.4 | Origin of software | 1. Fully foreign origin, black box | 0/143 | SEAL-0 | high | foreign_core / black-box foreign -> SOV-5.4 opt1 (seal 0 gate). Core platform software (BCE, ERNIE, management plane) is proprietary, fully Chinese-origin, a black box not maintained by EU teams. |
| SOV-5.5 | Software build/release jurisdiction | 1. Non-EU control & execution | 0/143 | SEAL-1 | high | Software is controlled and built/released by Baidu in China; both control and execution are non-EU. |
| SOV-5.6 | Single point of dependency | 1. Only non-EU vendors/facilities | 0/143 | SEAL-1 | high | All vendors and facilities are non-EU (Chinese, plus Hong Kong/Singapore); the entire stack is a single non-EU point of dependency. |
| SOV-5.7 | Supply chain transparency | 1. No suppliers auditable | 0/143 | SEAL-1 | medium | No supplier auditability available to EU customers; supply chain is opaque. |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-6.1 | Interoperability & open interfaces | 3. Mixed (partial openness) | 100/200 | SEAL-2 | low | Baidu Cloud exposes REST APIs and supports some common formats/open-source engines, but interfaces are largely proprietary; partial openness at best. |
| SOV-6.2 | Open standards compliance | 3. Partial core adoption | 100/200 | SEAL-2 | low | Partial adoption of open standards in some core services (e.g., S3-compatible storage, Kubernetes), but no policy-level commitment across services. |
| SOV-6.3 | Open source availability | 2. Source available for review, strict rights | 50/200 | SEAL-2 | low | Baidu open-sources some components (e.g., PaddlePaddle framework), but the cloud platform and ERNIE models are largely closed/vendor-controlled with strict rights; source available for review at best. |
| SOV-6.4 | Service architecture transparency | 2. Insight accessible during audits | 50/200 | SEAL-2 | low | Limited public insight into the service architecture; some details accessible only under audit/enterprise engagement, with no EU-relevant transparency program. |
| SOV-6.5 | HPC sovereignty | 1. Imported black-box HPC | 0/200 | SEAL-0 | medium | HPC/AI acceleration relies on imported and self-developed Chinese chips (Kunlun) plus Nvidia GPUs, delivered as a black box with no EU involvement. |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-7.1 | Security certification (EAL) | 2. EAL1 | 36/143 | SEAL-1 | low | Holds ISO 27001 (CSA STAR registry) but no SOC 2 / BSI C5 / SecNumCloud / EUCS for EU buyers; per gating_key ISO 27001 only maps to EAL1 -> SOV-7.1 opt2 (seal 1; was opt1). Lower than peers (no SOC2/C5) - genuine cert difference. (src: https://cloudsecurityalliance.org/star/registry/beijing-baidu-netcom-science-technology-co-ltd) |
| SOV-7.2 | EU regulatory compliance (GDPR/NIS2/DORA) | 2. Limited compliance | 36/143 | SEAL-4 | medium | Baidu holds Chinese and some international security certifications (e.g., ISO 27001) but no demonstrated GDPR/NIS2/DORA program with EU establishment; limited compliance with EU regulation. |
| SOV-7.3 | EU-based SOC & incident handling | 1. SOC/IR outside EU | 0/143 | SEAL-1 | medium | SOC and incident handling are run from China/APAC; no EU-based SOC or ENISA/CSIRT sharing. |
| SOV-7.4 | Control over security monitoring/logging | 1. Provider retains full control | 0/143 | SEAL-0 | low | Provider retains full control of security monitoring/logging; no customer-controlled immutable logging stored in the EU. |
| SOV-7.5 | Disclosure of incidents | 2. Limited compliance | 36/143 | SEAL-1 | low | Incident disclosure follows Chinese regulatory norms; only limited compliance with EU notification regimes, with no EU CSIRT integration. |
| SOV-7.6 | Maintenance autonomy | 2. Limited autonomy (vendor schedules) | 36/143 | SEAL-1 | low | Maintenance windows and patching are vendor-scheduled by Baidu; customers have limited autonomy over the managed stack. |
| SOV-7.7 | Auditability | 1. No access beyond vendor | 0/143 | SEAL-1 | medium | No audit_rights -> SOV-7.7 opt1 (seal 1, CEIL). Independent auditing beyond Baidu's own attestations is not available to EU entities; no access beyond the vendor. |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-8.1 | Energy efficiency (PUE) | 3. PUE < 1.5 + roadmap | 125/250 | SEAL-4 | low | Baidu reports an average data-centre PUE of 1.19 with a roadmap toward 1.14 and 100% renewable (2023 Sustainability Report); no EU-verified figure -> PUE<1.5 + roadmap -> SOV-8.1 opt3 (seal 4; was opt2), consistent with the cluster's evidence-based treatment. (src: https://esg.baidu.com/en_reports.html) |
| SOV-8.2 | Hardware reuse & recycling | 2. Basic circular practices | 63/250 | SEAL-0 | low | Some basic circular/hardware-reuse practices are likely but no documented EU-aligned program or certified lifecycle for EU customers; thinner disclosure than peers -> opt2 (seal 0). (src: https://esg.baidu.com/en_reports.html) |
| SOV-8.3 | Environmental impact reporting | 3. Annual report | 125/250 | SEAL-2 | low | Baidu publishes an annual ESG/sustainability report with environmental metrics, but not under EU methodology or EU audit -> annual report -> SOV-8.3 opt3 (seal 2; was opt2), consistent with peers who publish annual ESG reports. (src: https://esg.baidu.com/en_reports.html) |
| SOV-8.4 | Energy supplies | 1. Non traceable | 0/250 | SEAL-4 | low | Energy is sourced from the Chinese grid with no EU energy supplies and no EU-relevant traceability; not traceable from an EU sovereignty standpoint -> opt1 (all-seal-4 factor; genuine, no EU footprint). (src: https://esg.baidu.com/en_reports.html) |