| Dimension | SEAL | |
|---|---|---|
| SOV-1 Strategic Sovereignty | SEAL-1 | |
| SOV-2 Legal & Jurisdictional Sovereignty | SEAL-1 | |
| SOV-3 Data & AI Sovereignty | SEAL-0 | |
| SOV-4 Operational Sovereignty | SEAL-0 | |
| SOV-5 Supply Chain Sovereignty | SEAL-1 | |
| SOV-6 Technology Sovereignty | SEAL-2 | |
| SOV-7 Security & Compliance Sovereignty | SEAL-1 | |
| SOV-8 Environmental Sustainability | SEAL-0 | |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-1.1 | EU/EEA legal entity control | 1. Entirely outside the EU | 0/125 | SEAL-1 | high | Brightbox is a wholly-owned, independent UK company (registered in Leeds, data centre in Manchester) operating entirely from the United Kingdom, a third country outside the EU/EEA, with no EU/EEA data footprint at all -> legal entity control entirely outside the EU, SOV-1.1 opt1 (seal 1). (src: https://www.brightbox.com/cloud/storage/) |
| SOV-1.2 | Change of control risk | 4. Unlikely takeover/transfer to non-EU sovereign entity | 94/125 | SEAL-4 | low | Small, long-established (2005/2007) founder/engineer-led independent UK firm with no disclosed external/sovereign-fund capital; takeover by a non-EU sovereign entity looks unlikely, though small private firms remain acquirable. |
| SOV-1.3 | Control over roadmap | 2. Through 'voice of the customer' public channels | 42/125 | SEAL-2 | low | No formal governance bodies with EU-actor participation exist; roadmap influence is limited to customer feedback and GitHub/community channels typical of a small commercial IaaS provider. |
| SOV-1.4 | Financial independence from non-EU capital | 3. Balanced mix of EU and non-EU funding | 63/125 | SEAL-4 | low | Privately held UK company that self-funds and bootstrapped its platform; capital is UK (non-EU) based rather than clearly majority EU, treated as a balanced/non-EU mix from the EU perspective. |
| SOV-1.5 | EU economic contribution | 1. Minimal | 0/125 | SEAL-4 | medium | All infrastructure, data centre (Manchester), staff and corporate value are in the UK with no EU presence; EU economic contribution is minimal. |
| SOV-1.6 | Participation in EU strategic programs | 1. No clear participation | 0/125 | SEAL-4 | medium | No evidence of participation in EU strategic programs such as Gaia-X or IPCEI-CIS; the company is a purely UK-focused independent provider. |
| SOV-1.7 | Alignment with EU industrial strategies | 1. No evidence exists | 0/125 | SEAL-4 | medium | No published action plan or governance demonstrating alignment with EU industrial strategies; Brightbox markets UK data sovereignty under UK law, not EU strategy. |
| SOV-1.8 | Resilience to cut-off | 4. Ability to source alternatives or internalise key functions | 94/125 | SEAL-2 | low | Brightbox owns and operates every layer of its own stack (hardware, software, network, IP space) on OpenStack, giving strong ability to source alternatives and internalise key functions, though it still relies on foreign hardware supply chains. |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-2.1 | Primary legal jurisdiction | 1. Non-EU only | 0/167 | SEAL-1 | high | Primary jurisdiction is the United Kingdom; the company explicitly states data is subject only to UK law. UK is a third country, so this is non-EU jurisdiction, not EU law -> SOV-2.1 opt1 (seal 1). (src: https://www.brightbox.com/cloud/storage/) |
| SOV-2.2 | Extraterritorial laws exposure | 2. Mitigation clauses, exposure remains | 42/167 | SEAL-1 | low | No immunity: as a UK-only entity it is outside the US CLOUD Act, but it is fully subject to UK law (Investigatory Powers Act etc.) with no SecNumCloud/EUCS-High qualification, offering contractual/DPA mitigations rather than immunity; meaningful exposure remains -> SOV-2.2 opt2 (seal 1). |
| SOV-2.3 | Data access pathways for non-EU authorities | 2. Can compel access without notification, specific cases | 42/167 | SEAL-1 | medium | No immunity: subject to non-EU compelled access under the UK Investigatory Powers Act (lawful-access powers can compel disclosure without notification in specific cases); as a UK entity it cannot commit to always rejecting such requests -> SOV-2.3 opt2 (seal 1). Normalised across the UK cluster (all subject to the UK IPA). |
| SOV-2.4 | Export control restrictions | 2. Restrictions towards EU citizens or international orgs | 42/167 | SEAL-1 | low | No known export-control restrictions against EU member states, but as a non-EU UK provider its offer is not specifically shielded from any future UK/third-country restrictions toward EU customers. |
| SOV-2.5 | Origin of IP | 2. Mostly outside the EU | 42/167 | SEAL-4 | low | Core platform IP is UK-developed (non-EU) on top of open-source (OpenStack/Linux); the proprietary control plane IP originates mostly outside the EU. |
| SOV-2.6 | IP holder jurisdiction | 1. Non-EU law, single country | 0/167 | SEAL-3 | medium | Proprietary platform IP is held by the UK parent company under UK (non-EU, single-country) law. |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-3.1 | Customer control over encryption keys | 3. Shared - provider has override keys | 100/200 | SEAL-2 | low | Object storage is encrypted at rest by the provider and in transit via HTTPS; there is no advertised customer-held key management giving exclusive control, so the provider retains effective key/override access (shared model). |
| SOV-3.2 | Transparent data flows & access logs | 3. Logs exist but not real-time / vendor-controlled | 100/200 | SEAL-2 | low | Access control lists and standard operational logging exist, but logs are vendor-controlled and not advertised as real-time independently auditable customer feeds. |
| SOV-3.3 | Secure deletion & proof of erasure | 3. Internal validation per policy, no proof | 100/200 | SEAL-1 | low | Deletion is handled per internal operational policy on its OpenStack platform; no published independently verified proof-of-erasure mechanism is offered. |
| SOV-3.4 | Data location strictly in EU/EEA | 2. Partly EU, significant third-country reliance | 50/200 | SEAL-0 | high | No EU exclusivity: data is confined exclusively to the UK ('your data never leaves the UK'), but the UK is a third country, so the EU/EEA data location is zero; third-country hosting with contractual safeguards but no EU-exclusivity guarantee -> SOV-3.4 opt2 (seal 0), per key anchor 'no EU-exclusivity guarantee -> SEAL-0'. Normalised with the UK-only cluster members. (src: https://www.brightbox.com/cloud/storage/) |
| SOV-3.5 | AI services sovereignty | 4. EU-led AI, foreign accelerators | 150/200 | SEAL-3 | low | No in-scope AI service (pure IaaS), so there is no foreign-AI/black-box model dependency to penalise -> key judgment-call #2 maps 'no in-scope AI service' to opt4. |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-4.1 | Portability & interoperability | 4. Formal migration services available | 125/167 | SEAL-4 | medium | OpenStack-compatible (Swift/Nova) APIs, standard images, Terraform/Kubernetes/Docker tooling and documented data export provide strong, standards-based portability and effectively formal migration paths off the platform. |
| SOV-4.2 | Ability to operate without foreign dependencies | 1. Critical ops delivered by non-EU teams | 0/167 | SEAL-1 | high | All operations are delivered by UK-based teams; no staff outside the UK have access to infrastructure. From the EU perspective, critical ops are delivered entirely by non-EU (UK) teams. |
| SOV-4.3 | Skill availability in the EU | 1. Global team, mainly non-EU | 0/167 | SEAL-1 | high | The entire team is UK-based (no EU/EEA staff); skills are wholly outside the EU. |
| SOV-4.4 | Support channels | 1. Global, majority outside EU | 0/167 | SEAL-1 | medium | Support is provided by the UK-only team; there is no EU-based support presence, so support sits entirely outside the EU. |
| SOV-4.5 | Documentation & knowledge transfer | 1. Global/non-EU exposure | 0/167 | SEAL-0 | low | Documentation and knowledge live with the UK team / global GitHub repositories; there is no EU-resident handling of documentation, so it is non-EU exposed. |
| SOV-4.6 | Subcontractor & supplier jurisdiction | 4. Ability to source alternatives or internalise | 125/167 | SEAL-3 | low | Owning the full stack and running its own OpenStack platform gives Brightbox the ability to source alternative suppliers or internalise functions, though hardware/colocation suppliers are non-EU. |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-5.1 | Origin of components (physical parts) | 2. Partial disclosure | 36/143 | SEAL-1 | low | Standard x86 server hardware of foreign origin; component provenance is at most partially disclosed and not EU-certified. |
| SOV-5.2 | Manufacturing location | 2. Foreign origin, partial disclosure | 36/143 | SEAL-1 | low | Servers and chips are manufactured abroad (US/Asia); Brightbox assembles/operates rather than designs hardware and discloses little manufacturing detail. |
| SOV-5.3 | Embedded code/firmware provenance | 2. Partial disclosure | 36/143 | SEAL-4 | low | Firmware/BIOS on commodity servers comes from foreign OEMs with at most partial disclosure; no EU-certified firmware provenance. |
| SOV-5.4 | Origin of software | 3. Core/essential parts maintained by EU teams | 72/143 | SEAL-3 | medium | The cloud control plane is built and maintained by Brightbox's own (UK) team on top of open-source OpenStack/Linux; core/essential software is self-maintained and not a black box, though the team is non-EU. |
| SOV-5.5 | Software build/release jurisdiction | 2. EU control, non-EU execution | 36/143 | SEAL-1 | low | Software build/release is controlled and executed by the UK company (non-EU control, non-EU execution from the EU standpoint). |
| SOV-5.6 | Single point of dependency | 3. Few non-EU in critical services / documented | 72/143 | SEAL-2 | low | Critical dependencies on non-EU hardware vendors and a UK colocation facility exist and are partly documented, remaining significant single points of dependency from the EU perspective. |
| SOV-5.7 | Supply chain transparency | 2. Some suppliers auditable | 36/143 | SEAL-1 | low | Some suppliers (UK data-centre, hardware vendors) are identifiable, but there is no comprehensive auditable supply-chain transparency program. |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-6.1 | Interoperability & open interfaces | 4. Standards-based and broadly compatible | 150/200 | SEAL-3 | medium | OpenStack-based, Swift/Nova-compatible APIs, standard OS images and broad tool support (Terraform, Kubernetes, Docker) make the platform standards-based and broadly compatible, avoiding heavy proprietary lock-in. |
| SOV-6.2 | Open standards compliance | 3. Partial core adoption | 100/200 | SEAL-2 | low | Adopts open standards for core compute/storage (OpenStack APIs, Swift, standard images) but without a published comprehensive open-standards policy across all services. |
| SOV-6.3 | Open source availability | 2. Source available for review, strict rights | 50/200 | SEAL-2 | low | Built on open-source OpenStack/Linux and publishes open-source client tooling (CLI, gobrightbox), but the operated platform/orchestration is not itself an openly published, community-governed product. |
| SOV-6.4 | Service architecture transparency | 3. Some public insight | 100/200 | SEAL-3 | low | Some public architectural insight via blog, docs and OpenStack heritage, but no deep customer-contributable transparency into the running platform. |
| SOV-6.5 | HPC sovereignty | 2. EU-hosted, foreign stack | 50/200 | SEAL-3 | low | No in-scope HPC service; key maps 'no in-scope HPC' to opt2 (no imported black-box HPC dependency to penalise). |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-7.1 | Security certification (EAL) | 1. EAL0 / none | 0/143 | SEAL-1 | medium | No Common Criteria EAL, SecNumCloud or EUCS certification is evident for the platform -> SOV-7.1 opt1 'none' (seal 1). (src: https://www.brightbox.com/) |
| SOV-7.2 | EU regulatory compliance (GDPR/NIS2/DORA) | 3. Moderate compliance | 72/143 | SEAL-4 | medium | Brightbox provides a GDPR-compliant DPA, registers with the ICO and remains bound by (UK) GDPR, indicating moderate compliance; no evidence of full audited NIS2/DORA compliance or independent ISO certification of the cloud platform. |
| SOV-7.3 | EU-based SOC & incident handling | 1. SOC/IR outside EU | 0/143 | SEAL-1 | low | Security operations and incident handling are run by the UK-only team; the SOC/IR function is outside the EU. |
| SOV-7.4 | Control over security monitoring/logging | 2. Customers receive periodic reports | 36/143 | SEAL-1 | low | Customers get standard monitoring/reporting and ACL-based controls, but security monitoring/logging is largely provider-controlled rather than full customer-owned EU-resident logs. |
| SOV-7.5 | Disclosure of incidents | 3. Moderate (GDPR/NIS2-aligned) | 72/143 | SEAL-2 | low | As a (UK) GDPR-bound provider with a DPA, breach disclosure is GDPR-aligned, but no published real-time CSIRT/ENISA sharing commitments exist. |
| SOV-7.6 | Maintenance autonomy | 3. Moderate autonomy (notice + testing, except zero-day) | 72/143 | SEAL-4 | low | Operating its own OpenStack platform gives moderate maintenance autonomy with versioned releases and customer notice, subject to underlying vendor/OpenStack patches. |
| SOV-7.7 | Auditability | 2. Limited independent access | 36/143 | SEAL-1 | low | Independent assurance is limited; no evidence of full independent audit by any customer-chosen entity, at most limited contractual/DPA audit access. |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-8.1 | Energy efficiency (PUE) | 2. PUE < 3 | 63/250 | SEAL-1 | low | Modern UK data-centre operation is generally efficient, but Brightbox does not publish a verified PUE below 1.5 for its Manchester footprint -> SOV-8.1 opt2 (seal 1). (src: https://www.brightbox.com/) |
| SOV-8.2 | Hardware reuse & recycling | 2. Basic circular practices | 63/250 | SEAL-0 | low | As infrastructure owner some hardware reuse is likely, but no documented circular-economy / recycling program is published. |
| SOV-8.3 | Environmental impact reporting | 2. Basic reporting | 63/250 | SEAL-1 | low | No detailed environmental/sustainability report is published; at most basic statements about renewable energy use. |
| SOV-8.4 | Energy supplies | 1. Non traceable | 0/250 | SEAL-4 | low | Brightbox states its infrastructure is powered entirely by renewable energy, but energy supplies are UK-based (non-EU) and not traceable to EU green sources; from the EU-supply standpoint they are not EU-traceable -> SOV-8.4 opt1. (src: https://www.brightbox.com/) |