| SOV-1 Strategic Sovereignty | SEAL-2 | |
| SOV-2 Legal & Jurisdictional Sovereignty | SEAL-1 | |
| SOV-3 Data & AI Sovereignty | SEAL-1 | |
| SOV-4 Operational Sovereignty | SEAL-1 | |
| SOV-5 Supply Chain Sovereignty | SEAL-1 | |
| SOV-6 Technology Sovereignty | SEAL-2 | |
| SOV-7 Security & Compliance Sovereignty | SEAL-1 | |
| SOV-8 Environmental Sustainability | SEAL-0 |
| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-1.1 | EU/EEA legal entity control | 3. Mostly within the EU | 83/125 | SEAL-3 | high | eu_entity (parent G-Core Labs S.A. incorporated/HQ in Contern, Luxembourg) but large non-EU operational footprint (Cyprus, Serbia, Georgia, Uzbekistan, South Korea) -> control mostly but not entirely within the EU -> SOV-1.1 opt3. (src: https://fedil.lu/en/members/13336c49-7d74-ed11-81aa-6045bd87097c/) |
| SOV-1.2 | Change of control risk | 3. Somewhat likely takeover/transfer to non-EU sovereign entity | 63/125 | SEAL-4 | medium | Privately held, VC-backed (2024 Series A led by Wargaming, Constructor Capital, Han River, Northern Data) with global non-EU investors -> somewhat-likely takeover/transfer risk -> opt3 (all SOV-1.2 options seal 4). |
| SOV-1.3 | Control over roadmap | 2. Through 'voice of the customer' public channels | 42/125 | SEAL-2 | low | No published governance bodies giving EU actors a roadmap vote; influence limited to customer feedback channels -> SOV-1.3 opt2 (kept at existing all-seal choice). |
| SOV-1.4 | Financial independence from non-EU capital | 2. Mostly relying on non-EU funding | 31/125 | SEAL-4 | high | Sole funding round (USD 60M Series A 2024) led by non-EU capital (Wargaming, Constructor Capital, Han River, Northern Data) -> mostly non-EU funding -> opt2 (all SOV-1.4 options seal 4). |
| SOV-1.5 | EU economic contribution | 3. Balanced EU/non-EU | 63/125 | SEAL-4 | low | EU HQ/offices contribute to the EU economy but large share of staff, PoPs and revenue generated outside the EU -> roughly balanced EU/non-EU contribution -> opt3 (kept). |
| SOV-1.6 | Participation in EU strategic programs | 2. Limited participation | 31/125 | SEAL-4 | low | No evidence of Gaia-X membership or IPCEI-CIS participation; involvement in EU strategic programs limited at best -> opt2 (kept). |
| SOV-1.7 | Alignment with EU industrial strategies | 2. Existing action plan | 42/125 | SEAL-4 | low | Markets 'sovereign cloud' and EU AI offerings (action plan) but no measured governance or dedicated sovereignty program evidenced -> opt2 (kept). |
| SOV-1.8 | Resilience to cut-off | 3. Can continue temporarily per contractual agreement | 63/125 | SEAL-2 | low | own_stack only partial: owns its network and Tier III/IV facilities so service can continue temporarily, but deep critical dependency on non-EU chips (NVIDIA, Graphcore) and global colocation breaks full autonomy -> 'continue temporarily' opt3 (seal 2). |
| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-2.1 | Primary legal jurisdiction | 2. Mixed EU/non-EU | 84/167 | SEAL-1 | medium | EU parent under Luxembourg law but global subsidiaries/operations span non-EU jurisdictions (Cyprus, Georgia, Uzbekistan, Serbia, South Korea) -> mixed EU/non-EU law -> SOV-2.1 opt2 (seal 1). (src: https://fedil.lu/en/members/13336c49-7d74-ed11-81aa-6045bd87097c/) |
| SOV-2.2 | Extraterritorial laws exposure | 3. EU subsidiary with contractual protections | 84/167 | SEAL-1 | medium | No immunity: no SecNumCloud/EUCS-High, and extensive non-EU operational nexus (Georgia, Uzbekistan, Serbia, S. Korea) is compellable. EU-incorporated parent gives GDPR-aligned contractual protections only -> 'EU subsidiary with contractual protections' opt3 (seal 1). (src: https://gcore.com/secure-infrastructure) |
| SOV-2.3 | Data access pathways for non-EU authorities | 4. Requests disputed, sometimes accepted with notification | 125/167 | SEAL-1 | low | No foreign_parent (independent EU-incorporated, not US/PRC-owned) so not capped by CLOUD Act/FISA; but global subsidiaries (Georgia, Uzbekistan, Cyprus) can face local legal requests and no commit to always-reject -> 'requests disputed, sometimes accepted with notification' opt4 (seal 1). (src: https://gcore.com/secure-infrastructure) |
| SOV-2.4 | Export control restrictions | 3. Share of revenues >50% in the EU | 84/167 | SEAL-2 | low | No export restrictions evident toward EU member states and substantial European revenue, but no scoped offer formally shielded from restrictions -> 'share of revenues >50% in EU' opt3 (seal 2). |
| SOV-2.5 | Origin of IP | 3. Mixed within/outside the EU | 84/167 | SEAL-4 | low | Core CDN/cloud software developed in-house by EU/CIS engineering, but AI-accelerator IP and key hardware originate outside the EU -> mixed within/outside-EU IP origin -> opt3 (kept; all SOV-2.5 seal 4). |
| SOV-2.6 | IP holder jurisdiction | 4. EU law with exceptions | 125/167 | SEAL-4 | low | Software IP held by the Luxembourg parent under EU law, with some foreign-developed/licensed components -> 'EU law with exceptions' opt4. |
| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-3.1 | Customer control over encryption keys | 2. Primarily provider, not exclusively | 50/200 | SEAL-1 | low | Standard provider-managed encryption (AES 128/256); no documented customer-exclusive HYOK/BYOK preventing provider access -> 'primarily provider, not exclusively' opt2. |
| SOV-3.2 | Transparent data flows & access logs | 3. Logs exist but not real-time / vendor-controlled | 100/200 | SEAL-2 | low | Logging/IDS/access controls with monitoring portal, but logs vendor-controlled and not independently real-time auditable -> 'logs exist but not real-time / vendor-controlled' opt3. |
| SOV-3.3 | Secure deletion & proof of erasure | 2. Manual confirmation only | 50/200 | SEAL-1 | low | GDPR deletion supported but no published verifiable proof-of-erasure; effectively manual confirmation -> opt2. |
| SOV-3.4 | Data location strictly in EU/EEA | 3. Mainly EU, some third-country use with safeguards | 100/200 | SEAL-1 | medium | Not eu_exclusive: EU training regions exist but default network is global by design (180+ PoPs / 50+ cloud locations, six continents) with no contractually EU-exclusive scoped offer -> 'mainly EU, some third-country use with safeguards' opt3 (seal 1). (src: https://gcore.com/infrastructure) |
| SOV-3.5 | AI services sovereignty | 3. Mixed: auditable/open-source AI, foreign chips | 100/200 | SEAL-2 | medium | AI supports open-source/auditable models and EU training regions but runs on foreign accelerators (NVIDIA GPUs, Graphcore IPUs) -> 'mixed: auditable/open-source AI, foreign chips' opt3 (seal 2). |
| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-4.1 | Portability & interoperability | 3. Standard documented data export methods | 84/167 | SEAL-4 | medium | Standards-based cloud APIs, S3-compatible storage and documented export methods -> 'standard documented data export methods' opt3 (seal 4). |
| SOV-4.2 | Ability to operate without foreign dependencies | 2. Ops partially sourced within EU | 42/167 | SEAL-1 | medium | Not eu_ops: engineering/operations spread across EU and non-EU hubs (Lithuania, Poland alongside Georgia, Uzbekistan, Cyprus, Serbia, Korea) -> ops only partially EU-sourced -> opt2 (seal 1). |
| SOV-4.3 | Skill availability in the EU | 2. Mixed, majority outside EU | 42/167 | SEAL-1 | medium | 600+ staff distributed globally with major engineering hubs outside the EU (Tbilisi, Tashkent, Belgrade, Nicosia, Seoul) -> mixed, majority likely outside EU -> opt2 (seal 1). |
| SOV-4.4 | Support channels | 2. Mixed, majority outside EU | 42/167 | SEAL-2 | low | Global 24/7 support with staff across non-EU offices -> mixed, majority outside EU -> opt2 (seal 2). |
| SOV-4.5 | Documentation & knowledge transfer | 2. EU optional, not enforced | 42/167 | SEAL-2 | low | Documentation/knowledge maintained across a global organisation; no EU-only repository or enforced knowledge transfer -> 'EU optional, not enforced' opt2 (seal 2). |
| SOV-4.6 | Subcontractor & supplier jurisdiction | 3. Continue temporarily per contractual agreement | 84/167 | SEAL-3 | low | Relies on third-party colocation and chip suppliers; Tier III/IV facilities and multi-day autonomy suggest temporary continuity under contract if a supplier were cut off -> opt3 (seal 3). |
| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-5.1 | Origin of components (physical parts) | 2. Partial disclosure | 36/143 | SEAL-1 | low | Hardware (NVIDIA, Graphcore, x86 servers, Equinix/Intel) is foreign-origin with only partial provenance disclosure -> 'partial disclosure' opt2. |
| SOV-5.2 | Manufacturing location | 2. Foreign origin, partial disclosure | 36/143 | SEAL-1 | low | Servers/accelerators manufactured outside the EU (US/Asia foundries/OEMs) with limited disclosure -> 'foreign origin, partial disclosure' opt2. |
| SOV-5.3 | Embedded code/firmware provenance | 2. Partial disclosure | 36/143 | SEAL-4 | low | Firmware/embedded code from foreign OEMs with partial disclosure -> opt2 (kept; all SOV-5.3 seal 4). |
| SOV-5.4 | Origin of software | 3. Core/essential parts maintained by EU teams | 72/143 | SEAL-3 | low | No foreign_core: core CDN/cloud/edge platform software developed and maintained in-house by EU/CIS teams (not licensed Google/MS/AWS), with foreign third-party components layered in -> 'core/essential parts maintained by EU teams' opt3 (seal 3). |
| SOV-5.5 | Software build/release jurisdiction | 3. Non-EU control, EU execution | 72/143 | SEAL-3 | low | Build/release controlled by the company but engineering execution distributed across EU and non-EU teams -> 'non-EU control, EU execution' / EU presence -> opt3 (seal 3). |
| SOV-5.6 | Single point of dependency | 2. Mostly non-EU, undocumented | 36/143 | SEAL-1 | low | Critical dependencies on non-EU chip vendors (NVIDIA, Graphcore) and global colocation, mostly non-EU and not fully documented -> 'mostly non-EU, undocumented' opt2. |
| SOV-5.7 | Supply chain transparency | 2. Some suppliers auditable | 36/143 | SEAL-1 | low | Some suppliers/facilities documented (Tier III/IV, named partners) but full supply chain not comprehensively customer-auditable -> 'some suppliers auditable' opt2. |
| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-6.1 | Interoperability & open interfaces | 4. Standards-based and broadly compatible | 150/200 | SEAL-3 | medium | Standards-based, S3-compatible and OpenStack-style APIs supporting interoperability without heavy lock-in -> 'standards-based and broadly compatible' opt4. |
| SOV-6.2 | Open standards compliance | 3. Partial core adoption | 100/200 | SEAL-2 | low | Adopts common open standards (S3, OpenStack, standard networking/streaming) for core services but no published open-standards-for-all policy -> 'partial core adoption' opt3. |
| SOV-6.3 | Open source availability | 2. Source available for review, strict rights | 50/200 | SEAL-2 | low | Core cloud/CDN stack is predominantly proprietary/vendor-controlled though some OSS use/contribution; no foreign_core but source largely closed -> 'source available for review, strict rights' opt2 (seal 2). |
| SOV-6.4 | Service architecture transparency | 3. Some public insight | 100/200 | SEAL-3 | low | Public documentation, technical blogs and architecture overviews give some public insight -> 'some public insight' opt3. |
| SOV-6.5 | HPC sovereignty | 2. EU-hosted, foreign stack | 50/200 | SEAL-3 | medium | HPC/AI compute is EU-hostable but runs entirely on a foreign hardware/software stack (NVIDIA, Graphcore IPUs) -> 'EU-hosted, foreign stack' opt2 (seal 3). |
| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-7.1 | Security certification (EAL) | 2. EAL1 | 36/143 | SEAL-1 | high | Holds ISO/IEC 27001 + PCI DSS (+ GDPR), but no SecNumCloud/EUCS/C5/ENS or Common Criteria EAL; per key ISO-27001-grade maps to ~EAL1 -> opt2 (seal 1). Consistent with Anexia's ISO-27001->opt2 mapping; not EAL0/none since an accredited ISMS certification exists. (src: https://gcore.com/secure-infrastructure) |
| SOV-7.2 | EU regulatory compliance (GDPR/NIS2/DORA) | 3. Moderate compliance | 72/143 | SEAL-4 | medium | ISO 27001 and PCI DSS held plus GDPR compliance, indicating moderate adherence; no independently-audited full NIS2/DORA evidence -> 'moderate compliance' opt3 (kept; all SOV-7.2 seal 4). |
| SOV-7.3 | EU-based SOC & incident handling | 2. Hybrid EU/non-EU | 36/143 | SEAL-1 | low | Security operations run by a global team with hubs inside and outside the EU -> hybrid EU/non-EU SOC -> opt2 (seal 1). |
| SOV-7.4 | Control over security monitoring/logging | 3. Basic monitoring portal | 72/143 | SEAL-1 | low | Monitoring portal, 2FA and API token controls, but no full customer-controlled EU-resident immutable logging evidenced -> 'basic monitoring portal' opt3 (seal 1). |
| SOV-7.5 | Disclosure of incidents | 3. Moderate (GDPR/NIS2-aligned) | 72/143 | SEAL-2 | low | EU-based GDPR provider following GDPR/NIS2-aligned breach disclosure -> 'moderate (GDPR/NIS2-aligned)' opt3 (seal 2). |
| SOV-7.6 | Maintenance autonomy | 3. Moderate autonomy (notice + testing, except zero-day) | 72/143 | SEAL-4 | low | Operates its own infrastructure/software with moderate maintenance autonomy (notice + testing windows), subject to vendor firmware/chip updates -> opt3 (seal 4). |
| SOV-7.7 | Auditability | 2. Limited independent access | 36/143 | SEAL-1 | low | No audit_rights: access limited to certification audits (ISO 27001/PCI QSA); no full independent audit by any entity -> 'limited independent access' opt2 (seal 1). (src: https://gcore.com/secure-infrastructure) |
| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-8.1 | Energy efficiency (PUE) | 2. PUE < 3 | 63/250 | SEAL-1 | low | Tier III/IV colocation generally efficient but no verified fleet-wide PUE published; no sub-1.5 commitment -> 'PUE < 3' opt2 (seal 1). (src: https://gcore.com/infrastructure) |
| SOV-8.2 | Hardware reuse & recycling | 2. Basic circular practices | 63/250 | SEAL-0 | low | No detailed hardware reuse/recycling program published; assumed basic circular practices via colocation partners -> 'basic circular practices' opt2 (seal 0). |
| SOV-8.3 | Environmental impact reporting | 2. Basic reporting | 63/250 | SEAL-1 | low | No comprehensive annual environmental report with EU methodology; only basic environmental messaging -> 'basic reporting' opt2 (seal 1). |
| SOV-8.4 | Energy supplies | 3. Mix of EU and non-EU supplies | 125/250 | SEAL-4 | low | Operating across six continents in third-party data centres; energy supply is a mix of EU and non-EU sources, no verified all-green/all-EU commitment -> opt3 (kept; all SOV-8.4 seal 4). |