| SOV-1 Strategic Sovereignty | SEAL-3 | |
| SOV-2 Legal & Jurisdictional Sovereignty | SEAL-2 | |
| SOV-3 Data & AI Sovereignty | SEAL-1 | |
| SOV-4 Operational Sovereignty | SEAL-3 | |
| SOV-5 Supply Chain Sovereignty | SEAL-1 | |
| SOV-6 Technology Sovereignty | SEAL-3 | |
| SOV-7 Security & Compliance Sovereignty | SEAL-1 | |
| SOV-8 Environmental Sustainability | SEAL-2 |
| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-1.1 | EU/EEA legal entity control | 4. Entirely within the EU | 125/125 | SEAL-4 | high | eu_entity: evroc AB is incorporated and headquartered in Stockholm, Sweden, European-owned and -operated with no controlling non-EU parent; entity control entirely within the EU -> opt4. (src: https://evroc.com/about/) |
| SOV-1.2 | Change of control risk | 3. Somewhat likely takeover/transfer to non-EU sovereign entity | 63/125 | SEAL-4 | medium | Young (founded ~2022, launched July 2025) VC-backed startup raising up to EUR 3bn; reliance on large external rounds and an eventual exit/IPO makes a future change of control to a non-EU buyer somewhat plausible -> opt3 (all seal-4). (src: https://techcrunch.com/2025/03/20/amid-calls-for-sovereign-eu-tech-stack-evroc-raises-55m-to-build-a-hyperscale-cloud-in-europe/) |
| SOV-1.3 | Control over roadmap | 3. Governance bodies exist with EU actors participation | 83/125 | SEAL-3 | low | EU-controlled provider building its own stack with in-house R&D and EU governance; roadmap set in Europe with community/standards (SUSE/CNCF) influence, no foreign-set roadmap -> opt3. |
| SOV-1.4 | Financial independence from non-EU capital | 3. Balanced mix of EU and non-EU funding | 63/125 | SEAL-4 | medium | Series A led by blisce/ (a Franco-American fund) alongside EQT Ventures, Norrsken VC (Swedish) and Giant Ventures (UK/US); funding is an EU-anchored but balanced mix of EU and non-EU venture capital -> opt3 (all seal-4). (src: https://arcticstartup.com/evroc-raises-e50m-series-a/) |
| SOV-1.5 | EU economic contribution | 4. Majority in the EU | 94/125 | SEAL-4 | medium | HQ, flagship data centres (Stockholm, Mougins/Paris, Frankfurt) and most staff are in the EU; a London development office adds minor non-EU activity, so economic contribution majority-EU rather than fully -> opt4 (all seal-4). (src: https://evroc.com/about/) |
| SOV-1.6 | Participation in EU strategic programs | 3. Active participant in strategic projects | 63/125 | SEAL-4 | medium | Signatory of the EuroStack initiative and positioned as 'Europe's first sovereign hyperscaler', an active participant in the European sovereign-cloud strategic agenda -> opt3 (all seal-4). (src: https://www.suse.com/news/suse-and-evroc-announce-strategic-partnership-to-deliver-sovereign-european-cloud-solutions/) |
| SOV-1.7 | Alignment with EU industrial strategies | 3. Measured achievement and dedicated governance | 83/125 | SEAL-4 | medium | Explicit sovereignty-and-sustainability strategy with dedicated means (EUR 3bn build-out, 10 EU DCs by 2030) aligned to EU digital-autonomy and Green Deal goals -> opt3 (all seal-4). (src: https://evroc.com/news/europes-first-sovereign-hyperscale-cloud/) |
| SOV-1.8 | Resilience to cut-off | 5. Full autonomy and continuity | 125/125 | SEAL-4 | medium | own_stack: builds/operates its own EU data centres and an EU-maintained open-source cloud-native stack (SUSE RKE2/Rancher, SUSE Linux) plus proprietary EU software, 'no foreign control planes, no external software dependencies'; only residual non-EU dependency is commodity chips -> full autonomy & continuity opt5 (seal 4). (src: https://www.suse.com/news/suse-and-evroc-announce-strategic-partnership-to-deliver-sovereign-european-cloud-solutions/) |
| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-2.1 | Primary legal jurisdiction | 3. Exclusively EU law | 167/167 | SEAL-4 | high | [CEIL] Contracting entity evroc AB is Swedish and the offer operates exclusively under EU/EEA member-state law, not subject to US extraterritorial surveillance -> opt3 (seal 4). (src: https://evroc.com/sovereignty/) |
| SOV-2.2 | Extraterritorial laws exposure | 4. Legal structures shielding from foreign law | 125/167 | SEAL-2 | medium | immunity not certified: pure-Swedish entity with no non-EU parent marketed as 'safe from unlawful intervention by foreign governments', but it holds NO SecNumCloud/EUCS-High and keeps a London (UK, non-EU) development office, so legal structures shield (opt4, seal 2) rather than verified immunity. (src: https://evroc.com/sovereignty/) |
| SOV-2.3 | Data access pathways for non-EU authorities | 5. Requests always rejected by the provider | 167/167 | SEAL-4 | medium | No foreign_parent: wholly EU-jurisdiction provider with no US/CN parent able to compel access, asserting data is safe from foreign-government intervention; requests rejected -> opt5 (seal 4). (src: https://evroc.com/sovereignty/) |
| SOV-2.4 | Export control restrictions | 5. Part of offer shielded from restrictions towards EU MSs/intl orgs | 167/167 | SEAL-4 | low | Pure-EU provider on an EU-maintained open-source stack with no non-EU technology gating its offer; the EU-exclusive offer is shielded from foreign export-control restrictions toward EU MSs and international orgs -> opt5 (seal 4), consistent with the Nordic peers. (src: https://evroc.com/sovereignty/) |
| SOV-2.5 | Origin of IP | 4. Mostly within the EU | 125/167 | SEAL-4 | medium | Core platform IP is evroc's own software plus EU-origin open source (SUSE, Germany); bulk of controlled IP is EU-originated though some upstream open source is global -> opt4 (all seal-4). |
| SOV-2.6 | IP holder jurisdiction | 4. EU law with exceptions | 125/167 | SEAL-4 | medium | evroc's own IP and operating entity sit under Swedish/EU law; some embedded third-party (chip/firmware/upstream OSS) IP under non-EU law -> EU law with exceptions opt4 (seal 4). |
| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-3.1 | Customer control over encryption keys | 4. Customer primary control but provider can read data | 150/200 | SEAL-3 | low | Targets sensitive workloads with customer control over 'most sensitive data' and zero-trust IAM, implying customer-managed keys; without a documented HYOK/confidential-computing guarantee the provider could still read data -> customer-primary not exclusive opt4. (src: https://evroc.com/cloud-services/) |
| SOV-3.2 | Transparent data flows & access logs | 4. Full customer-controlled visibility, not real-time | 150/200 | SEAL-3 | low | Advertises 'full auditability from day one' with customer-accessible logging/IAM and EU-stored logs (full customer-controlled visibility), but independent real-time auditability is not yet evidenced for a just-launched platform -> opt4. (src: https://evroc.com/cloud-services/) |
| SOV-3.3 | Secure deletion & proof of erasure | 3. Internal validation per policy, no proof | 100/200 | SEAL-1 | low | Deletion handled per policy with no public proof-of-erasure or independent verification mechanism for a newly launched service -> internal validation per policy opt3 (seal 1). |
| SOV-3.4 | Data location strictly in EU/EEA | 5. Exclusively EU, no third-country fallback | 200/200 | SEAL-4 | medium | eu_exclusive: 'all data is stored in the European Union', control-plane data kept fully inside Europe, DCs only in Sweden/France/Germany with no third-country fallback claimed -> opt5 (seal 4). (src: https://evroc.com/sovereignty/) |
| SOV-3.5 | AI services sovereignty | 4. EU-led AI, foreign accelerators | 150/200 | SEAL-3 | medium | AI services run entirely on EU infrastructure/operations but on foreign NVIDIA Blackwell/B200/L40S accelerators -> EU-led AI on foreign accelerators opt4 (seal 3). (src: https://evroc.com/news/evroc-cloud-live/) |
| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-4.1 | Portability & interoperability | 4. Formal migration services available | 125/167 | SEAL-4 | medium | Standards-based Kubernetes (RKE2/Rancher), S3-compatible object storage and documented data export plus a developer ecosystem support portability and migration on open infrastructure -> opt4 (seal 4). (src: https://evroc.com/cloud-services/) |
| SOV-4.2 | Ability to operate without foreign dependencies | 4. Ops predominantly EU-based teams | 125/167 | SEAL-3 | medium | eu_ops: stack operated predominantly by EU-based teams under European jurisdiction; a London (UK, non-EU) development office means not 100% EU-team, so predominantly EU rather than fully -> opt4 (seal 3). (src: https://evroc.com/about/) |
| SOV-4.3 | Skill availability in the EU | 4. All EU staff | 125/167 | SEAL-3 | medium | eu_ops: European personnel subject to extensive background checks and security clearance; a UK development office means staff are EU-majority, not exclusively EU + clearance -> all-EU staff opt4 (seal 3). (src: https://www.datacenterdynamics.com/en/news/sovereign-european-cloud-evroc-launches/) |
| SOV-4.4 | Support channels | 4. All support staff in EU | 125/167 | SEAL-3 | medium | Support delivered by European personnel; no documented routine non-EU escalation, formal clearances asserted via background checks -> all support staff in EU opt4 (seal 3). (src: https://evroc.com/sovereignty/) |
| SOV-4.5 | Documentation & knowledge transfer | 4. EU-only primary repositories | 125/167 | SEAL-4 | low | Documentation/developer knowledge maintained by the EU-based company on EU infrastructure; EU-primary repositories with no documented non-EU dependency -> EU-only primary repositories opt4 (seal 4). |
| SOV-4.6 | Subcontractor & supplier jurisdiction | 4. Ability to source alternatives or internalise | 125/167 | SEAL-3 | low | own_stack: owns its DCs and an EU open-source stack (SUSE) with no critical non-EU subprocessor, letting evroc source alternatives or internalise if a supplier failed -> opt4 (seal 3). (src: https://www.suse.com/news/suse-and-evroc-announce-strategic-partnership-to-deliver-sovereign-european-cloud-solutions/) |
| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-5.1 | Origin of components (physical parts) | 2. Partial disclosure | 36/143 | SEAL-1 | low | Server hardware and chips (x86 CPUs, NVIDIA GPUs) are foreign-sourced with no published bill-of-materials provenance -> partial disclosure opt2 (seal 1). (src: https://evroc.com/news/evroc-cloud-live/) |
| SOV-5.2 | Manufacturing location | 2. Foreign origin, partial disclosure | 36/143 | SEAL-1 | low | Compute/GPU hardware is manufactured outside the EU by foreign OEMs/fabs with limited disclosure of the manufacturing chain -> opt2 (seal 1). |
| SOV-5.3 | Embedded code/firmware provenance | 2. Partial disclosure | 36/143 | SEAL-4 | low | Firmware/microcode on commodity servers and NVIDIA accelerators originates from foreign vendors and is not fully disclosed -> partial provenance opt2 (all seal-4). |
| SOV-5.4 | Origin of software | 4. Large majority maintained by EU teams | 107/143 | SEAL-3 | medium | No foreign_core: control-plane/management software is evroc's own plus EU-maintained open source (SUSE RKE2/Rancher, SUSE Linux), 'no external software dependencies'; large majority maintained by EU teams -> opt4 (seal 3). (src: https://www.suse.com/news/suse-and-evroc-announce-strategic-partnership-to-deliver-sovereign-european-cloud-solutions/) |
| SOV-5.5 | Software build/release jurisdiction | 4. EU control & execution | 107/143 | SEAL-3 | medium | Software development and release controlled and executed by evroc's EU engineering organisation (HQ Sweden, dev in France) -> EU control & execution opt4 (seal 3). |
| SOV-5.6 | Single point of dependency | 3. Few non-EU in critical services / documented | 72/143 | SEAL-2 | low | Foreign chip/GPU OEMs (Intel/AMD/NVIDIA) are non-EU single points in the critical hardware supply chain, documented as standard hardware -> few non-EU in critical services opt3 (seal 2). |
| SOV-5.7 | Supply chain transparency | 3. Critical suppliers auditable | 72/143 | SEAL-2 | low | Critical infrastructure suppliers are identifiable/auditable, but full upstream supply-chain auditability is not demonstrated for a just-launched provider -> critical suppliers auditable opt3 (seal 2). |
| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-6.1 | Interoperability & open interfaces | 4. Standards-based and broadly compatible | 150/200 | SEAL-3 | medium | Standards-based, broadly compatible interfaces (Kubernetes/RKE2, S3-compatible object storage, IAM) promoting interoperability -> opt4 (seal 3). (src: https://evroc.com/cloud-services/) |
| SOV-6.2 | Open standards compliance | 4. Policy for most core services | 150/200 | SEAL-3 | medium | Core services built on open standards (Kubernetes, OCI containers, S3-compatible storage, SUSE Linux) -> policy for most core services opt4 (seal 3). |
| SOV-6.3 | Open source availability | 3. Open source, centralised governance | 100/200 | SEAL-3 | medium | No foreign_core; uses and publishes open source (evroc-oss GitHub org, SUSE Rancher/RKE2) but governance of upstream projects (CNCF/SUSE) is centralised outside its control -> open source, centralised governance opt3 (seal 3). (src: https://github.com/evroc-oss) |
| SOV-6.4 | Service architecture transparency | 3. Some public insight | 100/200 | SEAL-3 | low | Publishes developer docs, blogs and open-source components giving meaningful public insight into the architecture, though customers cannot directly co-develop the core platform -> some public insight opt3 (seal 3). (src: https://evroc.com/developer/blog/getting-started-with-evroc-s-csi-driver-persistent-storage-for-your-kubernetes-cluster/) |
| SOV-6.5 | HPC sovereignty | 2. EU-hosted, foreign stack | 50/200 | SEAL-3 | medium | HPC/GPU compute is EU-hosted/operated but runs a foreign accelerator stack (NVIDIA Blackwell/B200) -> EU-hosted, foreign stack opt2 (seal 3). (src: https://evroc.com/news/evroc-cloud-live/) |
| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-7.1 | Security certification (EAL) | 1. EAL0 / none | 0/143 | SEAL-1 | medium | Just-launched (July 2025) startup: no SecNumCloud/EUCS/C5/ENS/ISO 27001/SOC 2/Common Criteria certification is yet evidenced (only GDPR-compliance claims); per key 'none' -> opt1 (EAL0, seal 1). This caps the SEAL at 1, like the uncertified Nordic peers. (src: https://evroc.com/sovereignty/) |
| SOV-7.2 | EU regulatory compliance (GDPR/NIS2/DORA) | 4. Partial compliance to most | 107/143 | SEAL-4 | medium | Built for GDPR compliance and explicitly targets NIS2/DORA-scope sectors (defence, government, finance, healthcare); as a new entrant full independently-audited compliance to all three is not yet demonstrated, so partial compliance to most -> opt4 (all seal-4). (src: https://evroc.com/sovereignty/) |
| SOV-7.3 | EU-based SOC & incident handling | 4. Entire lifecycle by EU teams, EU threat intel | 107/143 | SEAL-3 | low | Security operations handled by European personnel under EU jurisdiction with EU incident handling; formal ENISA/CSIRT sharing not yet documented -> entire lifecycle by EU teams opt4 (seal 3). |
| SOV-7.4 | Control over security monitoring/logging | 4. Full direct access, logs stored in EU | 107/143 | SEAL-3 | low | Customers get full direct access to monitoring/logs ('full auditability from day one') with logs stored in the EU; immutable tamper-proof logging not explicitly claimed -> opt4 (seal 3). (src: https://evroc.com/cloud-services/) |
| SOV-7.5 | Disclosure of incidents | 3. Moderate (GDPR/NIS2-aligned) | 72/143 | SEAL-2 | low | As a GDPR/NIS2-bound EU CSP targeting regulated sectors, incident disclosure aligns with EU breach-notification; no evidence yet of real-time CSIRT integration -> moderate (GDPR/NIS2-aligned) opt3 (seal 2). |
| SOV-7.6 | Maintenance autonomy | 4. High autonomy (deploy independently, no checks) | 107/143 | SEAL-4 | medium | Owns and operates its full stack with an EU team, giving high autonomy to deploy maintenance/patches independently of any foreign vendor schedule -> opt4 (seal 4). |
| SOV-7.7 | Auditability | 3. Partial independent control | 72/143 | SEAL-1 | low | No audit_rights certification (lacks SecNumCloud/EUCS-High); 'full auditability from day one' is a marketing claim, not a tender-grade contractual full-audit right for the contracting authority + independent EU bodies -> partial independent control opt3 (seal 1). Caps the SEAL. (src: https://evroc.com/cloud-services/) |
| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-8.1 | Energy efficiency (PUE) | 3. PUE < 1.5 + roadmap | 125/250 | SEAL-4 | low | DCs designed for high efficiency (natural cooling, liquid cooling, fossil-free power) and bound by EU rules requiring PUE <=1.2 for new DCs, but the flagship site is not yet operational and no measured PUE is published -> PUE < 1.5 + roadmap opt3 (seal 4). (src: https://evroc.com/sustainability/) |
| SOV-8.2 | Hardware reuse & recycling | 3. Documented program | 125/250 | SEAL-3 | low | Sustainability-led design (50+ year DCs, low-carbon local materials, energy-efficient IT equipment) implies a documented hardware-lifecycle program, but no EU-certified circular-economy lifecycle is yet evidenced -> documented program opt3 (seal 3). (src: https://evroc.com/sustainability/) |
| SOV-8.3 | Environmental impact reporting | 3. Annual report | 125/250 | SEAL-2 | low | Markets itself on sustainability metrics (fossil-free energy, heat reuse) but as a pre-operational startup publishes no audited EU-methodology footprint report yet -> annual-report level opt3 (seal 2). (src: https://evroc.com/sustainability/) |
| SOV-8.4 | Energy supplies | 5. Only green EU energy supplies | 250/250 | SEAL-4 | medium | Sites run entirely on fossil-free energy in normal operation with surplus heat recycled into district heating; only green EU energy supplies -> opt5 (seal 4). (src: https://evroc.com/news/evroc-flagship-datacenter-2025/) |