| SOV-1 Strategic Sovereignty | SEAL-3 | |
| SOV-2 Legal & Jurisdictional Sovereignty | SEAL-2 | |
| SOV-3 Data & AI Sovereignty | SEAL-1 | |
| SOV-4 Operational Sovereignty | SEAL-3 | |
| SOV-5 Supply Chain Sovereignty | SEAL-1 | |
| SOV-6 Technology Sovereignty | SEAL-3 | |
| SOV-7 Security & Compliance Sovereignty | SEAL-1 | |
| SOV-8 Environmental Sustainability | SEAL-2 | |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-1.1 | EU/EEA legal entity control | 4. Entirely within the EU | 125/125 | SEAL-4 | high | eu_entity: Cleura AB is incorporated and headquartered in Karlskrona, Sweden (reg. 556630-7806), operating as an Iver company; legal entity control entirely within the EU -> opt4. (src: https://cleura.com/resources/trust-center/certifications/) |
| SOV-1.2 | Change of control risk | 3. Somewhat likely takeover/transfer to non-EU sovereign entity | 63/125 | SEAL-4 | medium | foreign_parent (UK): ultimate owner is ICG plc, a UK-listed asset manager that acquired Iver from EQT in 2021; PE/fund ownership makes a future trade sale to a non-EU buyer somewhat likely -> opt3 (existing choice kept, all seal-4). |
| SOV-1.3 | Control over roadmap | 3. Governance bodies exist with EU actors participation | 83/125 | SEAL-3 | low | EU-controlled provider running OpenStack with its own R&D and EU governance; customers influence via Open Infrastructure Foundation community/governance bodies with EU-actor participation -> opt3. |
| SOV-1.4 | Financial independence from non-EU capital | 3. Balanced mix of EU and non-EU funding | 63/125 | SEAL-4 | medium | foreign_parent (UK): operating company is Swedish but its capital backer is ICG plc (UK, non-EU/EEA), so financing is a balanced mix of EU operations and non-EU capital -> opt3 (existing choice kept, all seal-4). |
| SOV-1.5 | EU economic contribution | 5. Fully in the EU | 125/125 | SEAL-4 | high | All operations, data centres (Sweden, Germany), staff and subprocessors are EU-based; economic contribution fully within the EU -> opt5 (existing choice kept, all seal-4). |
| SOV-1.6 | Participation in EU strategic programs | 3. Active participant in strategic projects | 63/125 | SEAL-4 | medium | Active in the European sovereign-cloud ecosystem and a Gold member of the Open Infrastructure Foundation (OpenStack), an active participant in strategic open-infrastructure projects -> opt3 (existing choice kept, all seal-4). |
| SOV-1.7 | Alignment with EU industrial strategies | 3. Measured achievement and dedicated governance | 83/125 | SEAL-4 | medium | Governed strategy ('committed to a data-sovereign Europe') with measurable certifications and product lines aligned to EU digital-sovereignty goals -> opt3 (existing choice kept, all seal-4). |
| SOV-1.8 | Resilience to cut-off | 5. Full autonomy and continuity | 125/125 | SEAL-4 | medium | own_stack: open-source OpenStack core maintained by EU teams on EU DCs lets Cleura source alternatives and internalise key functions; residual non-EU dependency is only commodity hardware/chips -> full autonomy & continuity opt5 (seal 4). |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-2.1 | Primary legal jurisdiction | 3. Exclusively EU law | 167/167 | SEAL-4 | high | Contracting entity is Swedish; Compliant Cloud operates exclusively under EU/EEA member-state law, not subject to US extraterritorial surveillance -> opt3 (seal 4). (src: https://cleura.com/compliant-cloud/) |
| SOV-2.2 | Extraterritorial laws exposure | 4. Legal structures shielding from foreign law | 125/167 | SEAL-2 | medium | immunity not certified: pure-EU operating structure marketed as shielded from US extraterritorial laws, but a UK parent (ICG) exists and NO SecNumCloud/EUCS-High is held, so legal structures shield (opt4, seal 2) rather than verified immunity. |
| SOV-2.3 | Data access pathways for non-EU authorities | 5. Requests always rejected by the provider | 167/167 | SEAL-4 | medium | No foreign_parent under US CLOUD Act/FISA or PRC law (UK financial owner has no equivalent compelled-cloud-access statute); wholly EU-jurisdiction provider with no US/CN parent able to compel access, requests rejected -> opt5 (seal 4). (src: https://cleura.com/compliant-cloud/) |
| SOV-2.4 | Export control restrictions | 5. Part of offer shielded from restrictions towards EU MSs/intl orgs | 167/167 | SEAL-4 | low | Pure-EU provider, large majority of revenue in the EU, no non-EU technology gating its offer; the EU/EEA-exclusive open-source offer is shielded from foreign export-control restrictions toward EU MSs and international orgs -> key 2.4 opt5 (seal 4), consistent with the Nordic OpenStack peers. (src: https://cleura.com/compliant-cloud/) |
| SOV-2.5 | Origin of IP | 4. Mostly within the EU | 125/167 | SEAL-4 | medium | Core platform IP is OpenStack-based and maintained by Cleura's EU teams; bulk of controlled software IP is EU-originated though open-source upstream is global -> opt4 (existing choice kept, all seal-4). |
| SOV-2.6 | IP holder jurisdiction | 4. EU law with exceptions | 125/167 | SEAL-4 | medium | IP and operating entity sit under EU (Swedish) law; upstream open-source licences originate partly outside the EU, so EU law applies with exceptions -> opt4. |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-3.1 | Customer control over encryption keys | 4. Customer primary control but provider can read data | 150/200 | SEAL-3 | medium | OpenStack Barbican KMS and S3 SSE-C give customers primary key control; without a documented HYOK/confidential-computing guarantee the provider could read data, so customer-primary not exclusive -> opt4. |
| SOV-3.2 | Transparent data flows & access logs | 4. Full customer-controlled visibility, not real-time | 150/200 | SEAL-3 | low | OpenStack/Cleura provides customer-accessible activity/access logging with EU-stored logs (full customer-controlled visibility) but independent real-time auditability is not evidenced -> opt4. |
| SOV-3.3 | Secure deletion & proof of erasure | 3. Internal validation per policy, no proof | 100/200 | SEAL-1 | low | ISO 27001-governed deletion with internal validation per policy; no public guarantee of independently verified proof-of-erasure -> opt3 (seal 1). |
| SOV-3.4 | Data location strictly in EU/EEA | 5. Exclusively EU, no third-country fallback | 200/200 | SEAL-4 | high | eu_exclusive: data centres exclusively Sweden and Germany, all documented subprocessors EU/EEA, no third-country fallback -> opt5 (seal 4). (src: https://cleura.com/resources/getting-started-with-cleura-cloud/regions-services-sub-processors/) |
| SOV-3.5 | AI services sovereignty | 4. EU-led AI, foreign accelerators | 150/200 | SEAL-3 | medium | Cleura AI runs inference entirely in EU data centres on open/auditable models with data-sovereignty guarantees but relies on foreign (Nvidia) accelerators -> EU-led AI on foreign accelerators opt4. |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-4.1 | Portability & interoperability | 4. Formal migration services available | 125/167 | SEAL-4 | medium | Standards-based OpenStack APIs plus documented data export and formal migration services on portable open infrastructure -> opt4 (seal 4). |
| SOV-4.2 | Ability to operate without foreign dependencies | 5. Entire stack managed by fully EU-based team | 167/167 | SEAL-4 | high | eu_ops: entire stack operated by EU-based teams (Cleura/Iver Sverige) with all subprocessors in the EU; no critical operation delivered by non-EU teams -> opt5 (seal 4). |
| SOV-4.3 | Skill availability in the EU | 4. All EU staff | 125/167 | SEAL-3 | medium | eu_ops: Swedish company with EU-based engineering/operations staff and no documented routine offshore escalation (security clearances not broadly claimed) -> all-EU staff opt4 (seal 3). |
| SOV-4.4 | Support channels | 4. All support staff in EU | 125/167 | SEAL-3 | medium | eu_ops: support delivered by EU-based teams within the Iver group, no non-EU escalation, formal clearances not claimed -> all support staff in EU opt4 (seal 3). |
| SOV-4.5 | Documentation & knowledge transfer | 4. EU-only primary repositories | 125/167 | SEAL-4 | low | Documentation/knowledge maintained by the EU-based company on EU infrastructure; primary repositories EU-based with no documented non-EU dependency -> EU-only primary repositories opt4 (seal 4). |
| SOV-4.6 | Subcontractor & supplier jurisdiction | 4. Ability to source alternatives or internalise | 125/167 | SEAL-3 | medium | own_stack: subprocessors (Iver, Interxion/Digital Realty EU entities, 23 Technologies) all EU and the open-source stack lets Cleura source alternatives or internalise if a supplier failed -> opt4 (seal 3). |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-5.1 | Origin of components (physical parts) | 2. Partial disclosure | 36/143 | SEAL-1 | low | Hardware/component provenance not publicly detailed; servers and chips are foreign-sourced (global x86/Nvidia) with only partial disclosure -> opt2 (seal 1). |
| SOV-5.2 | Manufacturing location | 2. Foreign origin, partial disclosure | 36/143 | SEAL-1 | low | Server hardware and chips manufactured outside the EU (foreign OEMs/fabs) with limited disclosure of the manufacturing chain -> opt2 (seal 1). |
| SOV-5.3 | Embedded code/firmware provenance | 2. Partial disclosure | 36/143 | SEAL-4 | low | Firmware/microcode on commodity servers and accelerators originates from foreign vendors and is not fully disclosed; partial provenance only -> opt2 (existing choice kept, all seal-4). |
| SOV-5.4 | Origin of software | 4. Large majority maintained by EU teams | 107/143 | SEAL-3 | medium | Not foreign_core: platform is open-source OpenStack (not licensed Google/MS tech); large majority of deployed/operated software is maintained by Cleura's EU teams -> opt4 (seal 3). |
| SOV-5.5 | Software build/release jurisdiction | 4. EU control & execution | 107/143 | SEAL-3 | medium | Software build/release controlled and executed by Cleura's EU engineering organisation; no documented formal EU policy gates beyond ISO controls -> EU control & execution opt4 (seal 3). |
| SOV-5.6 | Single point of dependency | 3. Few non-EU in critical services / documented | 72/143 | SEAL-2 | medium | Residual non-EU hardware/chip vendors (and US-owned colo operators Interxion/Digital Realty) remain single points in the critical supply path, documented but unavoidable -> key few-non-EU-in-critical-services -> opt3 (seal 2), consistent with the Nordic OpenStack peers that share the same foreign-chip dependency. (src: https://cleura.com/resources/getting-started-with-cleura-cloud/regions-services-sub-processors/) |
| SOV-5.7 | Supply chain transparency | 3. Critical suppliers auditable | 72/143 | SEAL-2 | low | Critical subprocessors named and auditable under ISO 27001/DPA terms, but full upstream hardware supply-chain transparency is limited -> critical suppliers auditable opt3 (seal 2). |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-6.1 | Interoperability & open interfaces | 5. Open-by-default with portability | 200/200 | SEAL-4 | high | Built on OpenStack with open, standards-based APIs and strong portability; open-by-default at the IaaS interface layer -> opt5 (seal 4). |
| SOV-6.2 | Open standards compliance | 4. Policy for most core services | 150/200 | SEAL-3 | medium | OpenStack and S3-compatible interfaces mean open standards applied as policy across most core services with documented public APIs -> opt4 (seal 3). |
| SOV-6.3 | Open source availability | 4. Open source, significant EU contributions, restricted governance | 150/200 | SEAL-4 | high | Not foreign_core: core platform is open-source OpenStack; Cleura is a Gold OIF member with significant EU contributions under foundation (centralised but open) governance -> opt4 (seal 4). |
| SOV-6.4 | Service architecture transparency | 4. Large corpus of public insight | 150/200 | SEAL-3 | medium | Extensive public documentation, open-source architecture and published regions/subprocessors provide a large corpus of public insight -> opt4 (seal 3). |
| SOV-6.5 | HPC sovereignty | 2. EU-hosted, foreign stack | 50/200 | SEAL-3 | low | Any HPC/GPU capability (Cleura AI) is EU-hosted but runs on a foreign accelerator stack (Nvidia), not EU-designed silicon -> EU-hosted foreign stack opt2 (seal 3). |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-7.1 | Security certification (EAL) | 2. EAL1 | 36/143 | SEAL-1 | high | certs: Cleura holds ISO 27001:2022 only (plus ISO 9001/14001); NO SecNumCloud, EUCS, C5, ENS-High or Common Criteria EAL. Per key 'ISO 27001 only -> opt2' -> EAL1-equiv opt2 (seal 1). GATES SEAL. (src: https://cleura.com/resources/trust-center/certifications/) |
| SOV-7.2 | EU regulatory compliance (GDPR/NIS2/DORA) | 4. Partial compliance to most | 107/143 | SEAL-4 | high | Supports GDPR, NIS2 and DORA compliance and is independently ISO 27001:2022 certified (partial-to-strong across most EU regulations, not one audited cert covering all) -> opt4 (existing choice kept, all seal-4). |
| SOV-7.3 | EU-based SOC & incident handling | 4. Entire lifecycle by EU teams, EU threat intel | 107/143 | SEAL-3 | low | eu_ops: security operations and incident handling run by EU-based teams in an EU-only operation (full lifecycle EU); explicit ENISA/CSIRT sharing not documented -> opt4 (seal 3). |
| SOV-7.4 | Control over security monitoring/logging | 4. Full direct access, logs stored in EU | 107/143 | SEAL-3 | low | Customers get direct access to logging/monitoring with logs stored in EU DCs via OpenStack; immutable tamper-proof logging not specifically claimed -> full direct access, EU-stored opt4 (seal 3). |
| SOV-7.5 | Disclosure of incidents | 3. Moderate (GDPR/NIS2-aligned) | 72/143 | SEAL-2 | medium | Incident disclosure aligned with GDPR/NIS2 obligations as an EU provider; no documented real-time CSIRT sharing with SLAs beyond regulatory baseline -> moderate opt3 (seal 2). |
| SOV-7.6 | Maintenance autonomy | 4. High autonomy (deploy independently, no checks) | 107/143 | SEAL-4 | medium | own_stack: self-operated OpenStack gives high maintenance autonomy to schedule and deploy patches independently without a foreign vendor's release cycle -> opt4 (seal 4). |
| SOV-7.7 | Auditability | 3. Partial independent control | 72/143 | SEAL-1 | low | audit_rights not certified: independent assurance is via ISO 27001 audits plus DPA customer audit rights (partial independent control), no SecNumCloud-grade contractual full audit by the contracting authority or any independent EU body -> key 7.7 (audits via cert bodies + DPA) -> opt3 (seal 1), consistent with the non-audit-rights Nordic peers. (src: https://cleura.com/resources/trust-center/certifications/) |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-8.1 | Energy efficiency (PUE) | 3. PUE < 1.5 + roadmap | 125/250 | SEAL-4 | low | Modern EU data centres (Interxion/Digital Realty, Cleura facilities) imply PUE well under 1.5 with a sustainability roadmap; no specific PUE figure published -> PUE<1.5 + roadmap opt3 (seal 4). (src: https://cleura.com/resources/trust-center/certifications/) |
| SOV-8.2 | Hardware reuse & recycling | 3. Documented program | 125/250 | SEAL-3 | low | ISO 14001-certified environmental management implies a documented hardware lifecycle/reuse program; no formal EU-certified circular-economy scheme evidenced -> documented program opt3 (seal 3). |
| SOV-8.3 | Environmental impact reporting | 3. Annual report | 125/250 | SEAL-2 | medium | ISO 14001 certification and EcoVadis sustainability recognition indicate regular environmental reporting, but not a detailed EU-methodology or EU-audited carbon report -> annual report opt3 (seal 2). |
| SOV-8.4 | Energy supplies | 5. Only green EU energy supplies | 250/250 | SEAL-4 | high | Cleura states its data centres run exclusively on 100% renewable (green) energy sourced within the EU -> only green EU energy supplies opt5 (existing choice kept, all seal-4). (src: https://cleura.com/resources/trust-center/certifications/) |