| Sovereignty objective | SEAL |
|---|---|
| SOV-1 Strategic Sovereignty | SEAL-4 |
| SOV-2 Legal & Jurisdictional Sovereignty | SEAL-2 |
| SOV-3 Data & AI Sovereignty | SEAL-1 |
| SOV-4 Operational Sovereignty | SEAL-3 |
| SOV-5 Supply Chain Sovereignty | SEAL-1 |
| SOV-6 Technology Sovereignty | SEAL-3 |
| SOV-7 Security & Compliance Sovereignty | SEAL-1 |
| SOV-8 Environmental Sustainability | SEAL-1 |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-1.1 | EU/EEA legal entity control | 4. Entirely within the EU | 125/125 | SEAL-4 | high | eu_entity (100% Dutch-owned Cyso Group, Alkmaar NL, no non-EU parent) -> SOV-1.1 opt4 (entirely within EU). (src: https://cyso.com/en/about-cyso/) |
| SOV-1.2 | Change of control risk | 5. Very unlikely | 125/125 | SEAL-4 | medium | Privately held founder/owner-run Dutch hosting company since 1997 with no external non-EU capital; non-EU takeover very unlikely (existing all-SEAL-4 choice kept). |
| SOV-1.3 | Control over roadmap | 4. Full influence of EU actors | 125/125 | SEAL-4 | medium | eu_entity running open-governance OpenStack; EU customers and EU operator fully drive the roadmap -> SOV-1.3 opt4 (full EU influence). |
| SOV-1.4 | Financial independence from non-EU capital | 5. Entirely EU-based funding | 125/125 | SEAL-4 | medium | Bootstrapped/self-funded Dutch company with no disclosed non-EU investors; funding effectively entirely EU-based (existing all-SEAL-4 choice kept). |
| SOV-1.5 | EU economic contribution | 5. Fully in the EU | 125/125 | SEAL-4 | high | All staff, infrastructure and revenue in NL/EU; economic contribution fully in the EU (existing all-SEAL-4 choice kept). |
| SOV-1.6 | Participation in EU strategic programs | 2. Limited participation | 31/125 | SEAL-4 | low | Aligns with Gaia-X/EU sovereignty messaging but no evidence of named IPCEI-CIS participation; limited participation (existing all-SEAL-4 choice kept). |
| SOV-1.7 | Alignment with EU industrial strategies | 2. Existing action plan | 42/125 | SEAL-4 | low | Markets EU digital sovereignty / Gaia-X posture (action plan) but no measured achievement or dedicated governance (existing all-SEAL-4 choice kept). |
| SOV-1.8 | Resilience to cut-off | 5. Full autonomy and continuity | 125/125 | SEAL-4 | medium | own_stack: open-source OpenStack on Cyso's own NL/DE infrastructure with continuity depending on no non-EU vendor (foreign chips residual hardware only); same own-stack profile as Leafcloud/TransIP/Greenhost -> Full autonomy and continuity, opt5 (judgment call per key #1, normalised across the pure-EU Benelux own-stack providers). (src: https://cyso.com/en/about-cyso/) |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-2.1 | Primary legal jurisdiction | 3. Exclusively EU law | 167/167 | SEAL-4 | high | eu_entity operating only in NL/DE data centres, governed exclusively by EU (Dutch/German) law -> SOV-2.1 opt3 (exclusively EU law). (src: https://cyso.cloud/trust-centre) |
| SOV-2.2 | Extraterritorial laws exposure | 4. Legal structures shielding from foreign law | 125/167 | SEAL-2 | medium | eu_entity with structural separation (pure-EU, no non-EU parent) but immunity NOT certified (no SecNumCloud/EUCS-High) -> SOV-2.2 opt4 'legal structures shielding' (seal 2), not certified opt5. |
| SOV-2.3 | Data access pathways for non-EU authorities | 5. Requests always rejected by the provider | 167/167 | SEAL-4 | medium | No foreign_parent: not subject to US CLOUD Act/FISA/PRC compelled access and no legal basis to honour foreign orders -> SOV-2.3 opt5 (requests always rejected). (src: https://cyso.cloud/trust-centre) |
| SOV-2.4 | Export control restrictions | 3. Share of revenues >50% in the EU | 84/167 | SEAL-2 | low | EU-only provider with revenues overwhelmingly in the EU and no foreign-state export-control leverage, but no specifically documented shielding mechanism for the offer -> share of revenues >50% in EU, opt3. Normalised to match the other pure-EU Benelux providers (no documented export-control shielding). |
| SOV-2.5 | Origin of IP | 3. Mixed within/outside the EU | 84/167 | SEAL-4 | medium | Core platform is open-source OpenStack (globally developed) integrated/operated by EU teams; IP origin mixed within/outside EU -> SOV-2.5 opt3 (existing all-SEAL-4 choice kept). |
| SOV-2.6 | IP holder jurisdiction | 3. Mixed law, some EU | 84/167 | SEAL-3 | low | OpenStack IP governed under non-EU OpenInfra/Apache framework while Cyso code is EU-held; mixed law with some EU -> SOV-2.6 opt3. |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-3.1 | Customer control over encryption keys | 3. Shared - provider has override keys | 100/200 | SEAL-2 | low | Standard OpenStack IaaS: encryption is provider-operated but customers can layer their own keys/encryption, so control is shared with provider override rather than provider-only; no customer-exclusive HYOK -> SOV-3.1 opt3 (shared). Normalised to the common OpenStack-IaaS key-control posture across the pure-EU Benelux providers. |
| SOV-3.2 | Transparent data flows & access logs | 3. Logs exist but not real-time / vendor-controlled | 100/200 | SEAL-2 | low | OpenStack provides usage/access logs available to customers but not real-time independently auditable; logs exist, largely vendor-controlled -> SOV-3.2 opt3. |
| SOV-3.3 | Secure deletion & proof of erasure | 3. Internal validation per policy, no proof | 100/200 | SEAL-1 | low | ISO 27001/NEN 7510 imply deletion policies with internal validation but no published cryptographic proof-of-erasure -> SOV-3.3 opt3 (policy-only). |
| SOV-3.4 | Data location strictly in EU/EEA | 5. Exclusively EU, no third-country fallback | 200/200 | SEAL-4 | high | eu_exclusive: data stored and replicated exclusively on Fuga/Cyso infra in Amsterdam and Frankfurt (EU/EEA), no third-country fallback -> SOV-3.4 opt5. (src: https://cyso.cloud/trust-centre) |
| SOV-3.5 | AI services sovereignty | 4. EU-led AI, foreign accelerators | 150/200 | SEAL-3 | low | No in-scope AI service (no foreign-AI dependency); per key, absence -> SOV-3.5 opt4 (seal 3). |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-4.1 | Portability & interoperability | 3. Standard documented data export methods | 84/167 | SEAL-4 | high | Standard OpenStack with open APIs and S3-compatible storage plus documented export methods -> SOV-4.1 opt3 (documented data export). |
| SOV-4.2 | Ability to operate without foreign dependencies | 5. Entire stack managed by fully EU-based team | 167/167 | SEAL-4 | medium | eu_ops: entire stack operated by Cyso's Dutch team in NL/DE with no non-EU operational dependency -> SOV-4.2 opt5 (fully EU team). |
| SOV-4.3 | Skill availability in the EU | 4. All EU staff | 125/167 | SEAL-3 | medium | Small Dutch company; all engineering/operations skills EU-based, no documented formal clearances -> SOV-4.3 opt4 (all EU staff). |
| SOV-4.4 | Support channels | 4. All support staff in EU | 125/167 | SEAL-3 | medium | Support delivered from the Netherlands by the Cyso team; all support staff EU-based, no advertised clearances -> SOV-4.4 opt4 (all support in EU). |
| SOV-4.5 | Documentation & knowledge transfer | 3. EU primary with non-EU fallback | 84/167 | SEAL-4 | low | Documentation maintained in EU (docs.cyso.cloud) but uses common SaaS/CDN tooling with possible non-EU fallback -> SOV-4.5 opt3 (EU primary with fallback). |
| SOV-4.6 | Subcontractor & supplier jurisdiction | 4. Ability to source alternatives or internalise | 125/167 | SEAL-3 | low | Reliant on EU data-centre/transit suppliers plus open-source OpenStack; vanilla OSS + EU ops means it could source alternatives/internalise if a supplier failed -> SOV-4.6 opt4. |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-5.1 | Origin of components (physical parts) | 2. Partial disclosure | 36/143 | SEAL-1 | low | Commodity server hardware with no published bill-of-materials/provenance; only partial disclosure -> SOV-5.1 opt2. |
| SOV-5.2 | Manufacturing location | 2. Foreign origin, partial disclosure | 36/143 | SEAL-1 | low | Servers are foreign-designed x86 commodity hardware manufactured abroad, no EU manufacturing; foreign origin, partial disclosure -> SOV-5.2 opt2. |
| SOV-5.3 | Embedded code/firmware provenance | 2. Partial disclosure | 36/143 | SEAL-4 | low | Firmware/BIOS/microcode on commodity servers is vendor-proprietary and foreign; partial disclosure -> SOV-5.3 opt2 (existing all-SEAL-4 choice kept). |
| SOV-5.4 | Origin of software | 3. Core/essential parts maintained by EU teams | 72/143 | SEAL-3 | medium | No foreign_core: core platform is open-source OpenStack with essential integration/operation maintained by Cyso's EU team running close-to-vanilla releases -> SOV-5.4 opt3 (core maintained by EU teams). |
| SOV-5.5 | Software build/release jurisdiction | 4. EU control & execution | 107/143 | SEAL-3 | low | Cyso controls and executes the build/integration/release of its own platform from the EU (upstream OpenStack is open-source consumed, not a controlling vendor), as for the other pure-EU OpenStack operators in the cluster -> EU control & execution, SOV-5.5 opt4 (seal 3). Normalised to Leafcloud/TransIP/Greenhost. |
| SOV-5.6 | Single point of dependency | 3. Few non-EU in critical services / documented | 72/143 | SEAL-2 | low | Depends on foreign-made hardware vendors for critical compute, documented and substitutable; few non-EU in critical services -> SOV-5.6 opt3 (seal 2). |
| SOV-5.7 | Supply chain transparency | 3. Critical suppliers auditable | 72/143 | SEAL-2 | low | Open-source OpenStack fully auditable and ISO 27001 implies supplier controls, but full upstream hardware supply chain not all independently auditable; critical suppliers auditable -> SOV-5.7 opt3. |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-6.1 | Interoperability & open interfaces | 5. Open-by-default with portability | 200/200 | SEAL-4 | high | OpenStack and S3-compatible APIs are open by default with strong portability and no proprietary lock-in -> SOV-6.1 opt5 (open-by-default). |
| SOV-6.2 | Open standards compliance | 5. Policy for all core services | 200/200 | SEAL-4 | high | OpenStack adheres to the '4 Opens' across all core services -> SOV-6.2 opt5 (policy for all core). |
| SOV-6.3 | Open source availability | 3. Open source, centralised governance | 100/200 | SEAL-3 | high | Platform is fully open-source OpenStack but upstream governance is centralised in the non-EU OpenInfra Foundation -> SOV-6.3 opt3 (open source, centralised governance). |
| SOV-6.4 | Service architecture transparency | 3. Some public insight | 100/200 | SEAL-3 | medium | Running vanilla open-source OpenStack with public documentation gives substantial public insight into the architecture -> SOV-6.4 opt3 (some public insight). |
| SOV-6.5 | HPC sovereignty | 2. EU-hosted, foreign stack | 50/200 | SEAL-3 | low | No dedicated in-scope HPC offering; any high-performance compute is EU-hosted on a foreign hardware/accelerator stack -> SOV-6.5 opt2 (seal 3). |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-7.1 | Security certification (EAL) | 2. EAL1 | 36/143 | SEAL-1 | high | Certs held are ISO 20000 + ISO 27001 + NEN 7510 only (no SecNumCloud/EUCS/C5/SOC2/Common Criteria EAL); per key ISO 27001 only -> SOV-7.1 opt2 'EAL1' (seal 1). GATING CAP. (src: https://docs.cyso.cloud/faq/security-privacy/does-fuga-cloud-have-certifications/) |
| SOV-7.2 | EU regulatory compliance (GDPR/NIS2/DORA) | 4. Partial compliance to most | 107/143 | SEAL-4 | medium | GDPR-compliant and ISO 27001/NEN 7510 certified EU provider; partial compliance to most relevant regulations (GDPR/NIS2/DORA) -> SOV-7.2 opt4 (existing all-SEAL-4 choice kept). |
| SOV-7.3 | EU-based SOC & incident handling | 4. Entire lifecycle by EU teams, EU threat intel | 107/143 | SEAL-3 | low | eu_ops: security monitoring, incident handling and internal security officer all in NL/EU; full incident lifecycle by EU teams, no documented ENISA sharing -> SOV-7.3 opt4 (EU lifecycle). |
| SOV-7.4 | Control over security monitoring/logging | 3. Basic monitoring portal | 72/143 | SEAL-1 | low | OpenStack provides customer monitoring/logging via portal/CLI but not full immutable tamper-proof access; basic-to-moderate monitoring -> SOV-7.4 opt3. |
| SOV-7.5 | Disclosure of incidents | 3. Moderate (GDPR/NIS2-aligned) | 72/143 | SEAL-2 | low | EU/Dutch provider following GDPR/NIS2-aligned breach-notification obligations; moderate compliance -> SOV-7.5 opt3. |
| SOV-7.6 | Maintenance autonomy | 4. High autonomy (deploy independently, no checks) | 107/143 | SEAL-4 | low | Operating its own OpenStack platform, Cyso can deploy patches/maintenance independently on its own schedule; high autonomy -> SOV-7.6 opt4. |
| SOV-7.7 | Auditability | 2. Limited independent access | 36/143 | SEAL-1 | low | No audit_rights: ISO 27001/NEN 7510 give cert-body assurance only; customers cannot perform unrestricted independent audits (no SecNumCloud/tender-grade audit clause) -> SOV-7.7 opt2 (seal 1). GATING CAP. (src: https://docs.cyso.cloud/faq/security-privacy/does-fuga-cloud-have-certifications/) |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-8.1 | Energy efficiency (PUE) | 2. PUE < 3 | 63/250 | SEAL-1 | low | No published PUE; TIER 3 DCs in Amsterdam/Frankfurt but no disclosed PUE figure or efficiency roadmap; conservatively PUE < 3 -> SOV-8.1 opt2. |
| SOV-8.2 | Hardware reuse & recycling | 3. Documented program | 125/250 | SEAL-3 | low | CSR statement references hardware lifecycle management (decommissioned hardware repurposed/donated) and circular intent; documented program but not EU-certified -> SOV-8.2 opt3. |
| SOV-8.3 | Environmental impact reporting | 2. Basic reporting | 63/250 | SEAL-1 | low | Sustainability mentioned (Green-IT, CO2-neutral fleet, CSR) but no detailed annual environmental impact report published; basic reporting -> SOV-8.3 opt2. |
| SOV-8.4 | Energy supplies | 3. Mix of EU and non-EU supplies | 125/250 | SEAL-4 | low | Data centres in NL and DE on EU grids but no specific green/renewable energy sourcing documented; conservatively a mix of EU energy supplies -> SOV-8.4 opt3 (existing all-SEAL-4 choice kept). |