| Objective | SEAL |
|---|---|
| SOV-1 Strategic Sovereignty | SEAL-2 |
| SOV-2 Legal & Jurisdictional Sovereignty | SEAL-2 |
| SOV-3 Data & AI Sovereignty | SEAL-1 |
| SOV-4 Operational Sovereignty | SEAL-3 |
| SOV-5 Supply Chain Sovereignty | SEAL-2 |
| SOV-6 Technology Sovereignty | SEAL-2 |
| SOV-7 Security & Compliance Sovereignty | SEAL-2 |
| SOV-8 Environmental Sustainability | SEAL-1 |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-1.1 | EU/EEA legal entity control | 4. Entirely within the EU | 125/125 | SEAL-4 | high | eu_entity: Gigas Hosting, S.A. is a Spanish company (Madrid/Alcobendas) listed on BME Growth (ticker GIGA), controlling entity entirely within the EU with no non-EU parent -> opt4. (src: https://en.wikipedia.org/wiki/Gigas_(company)) |
| SOV-1.2 | Change of control risk | 4. Unlikely takeover/transfer to non-EU sovereign entity | 94/125 | SEAL-4 | medium | Small-cap publicly listed Spanish company with distributed ownership and founder/management involvement; non-EU takeover conceivable for a micro-cap free-float but not currently signalled -> unlikely (opt4). |
| SOV-1.3 | Control over roadmap | 4. Full influence of EU actors | 125/125 | SEAL-4 | medium | EU-owned autonomous company controlling its own roadmap (proprietary Gyper virtualization, Biblion AI); EU actors have full influence -> opt4. |
| SOV-1.4 | Financial independence from non-EU capital | 4. Majority of funding is EU-based | 94/125 | SEAL-4 | medium | Early funding from EU VCs (Cabiedes & Partners, Bonsai Venture Capital, Caixa Capital Risc) and now BME Growth listing; majority EU-based funding, free-float allows some non-EU shareholding -> opt4. |
| SOV-1.5 | EU economic contribution | 4. Majority in the EU | 94/125 | SEAL-4 | medium | HQ, listing and core engineering in Spain, but material non-EU operations (Miami datacenter, offices/DCs in Chile, Colombia, Peru); economic contribution majority-EU rather than fully EU -> opt4. |
| SOV-1.6 | Participation in EU strategic programs | 2. Limited participation | 31/125 | SEAL-4 | medium | Member of Gaia-X and CISPE indicating participation in EU sovereignty initiatives, but no lead role in flagship programs like IPCEI-CIS; limited participation -> opt2. |
| SOV-1.7 | Alignment with EU industrial strategies | 2. Existing action plan | 42/125 | SEAL-4 | medium | Positions itself as a sovereign cloud aligned with EU data-sovereignty goals (Gaia-X, CISPE) with an action plan around data residency, but lacks measured achievement with dedicated sovereignty governance at scale -> opt2 (existing action plan). |
| SOV-1.8 | Resilience to cut-off | 4. Ability to source alternatives or internalise key functions | 94/125 | SEAL-2 | low | own_stack partial: EU operator running its own KVM-based Gyper stack on leased/colocated DCs could source alternatives or internalise if cut off, but not full autonomy given foreign hardware/chip dependency and no documented vertically-integrated continuity plan -> opt4 (seal 2). |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-2.1 | Primary legal jurisdiction | 3. Exclusively EU law | 167/167 | SEAL-4 | medium | Spanish company; EU-hosted services governed exclusively by Spanish/EU law (its US/LatAm footprint is contractually separate from the EU offering) -> opt3 (exclusively EU law). (src: https://gigas.com/en/seguridad.html) |
| SOV-2.2 | Extraterritorial laws exposure | 4. Legal structures shielding from foreign law | 125/167 | SEAL-2 | medium | eu_entity with EU control and no US/non-EU parent shields from extraterritorial regimes, but Gigas has non-EU subsidiaries/operations (Miami DC, LatAm) compellable as an operational nexus and holds NO SecNumCloud/EUCS-High, so immunity is structural-not-certified -> opt4 'Legal structures shielding' (seal 2 ceiling), consistent with the Spanish-provider basis. (src: https://gigas.com/en/seguridad.html) |
| SOV-2.3 | Data access pathways for non-EU authorities | 5. Requests always rejected by the provider | 167/167 | SEAL-4 | medium | No non-EU parent and EU-hosted data under Spanish law; not subject to US CLOUD Act/FISA/PRC compelled access for the EU offering, requests would be rejected -> opt5 (no foreign_parent). |
| SOV-2.4 | Export control restrictions | 3. Share of revenues >50% in the EU | 84/167 | SEAL-2 | low | EU-controlled software/ops with no non-EU vendor able to impose export controls against EU MSs; conservatively scored mid given the multi-continent footprint -> opt3 (>50% EU revenue). |
| SOV-2.5 | Origin of IP | 4. Mostly within the EU | 125/167 | SEAL-4 | medium | Core platform IP (Gyper KVM-based virtualization, Biblion AI, control plane) developed in-house in Spain; integrates third-party open source and foreign hardware IP -> mostly within the EU (opt4). |
| SOV-2.6 | IP holder jurisdiction | 5. Fully under EU law | 167/167 | SEAL-4 | medium | IP holder is Gigas Hosting, S.A., a Spanish entity; its own software IP is held fully under EU law -> opt5. |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-3.1 | Customer control over encryption keys | 3. Shared - provider has override keys | 100/200 | SEAL-2 | low | IaaS/PaaS with provider-managed encryption and no published HYOK/confidential-computing; the provider retains administrative access and override keys, consistent with the other Spanish IaaS providers -> shared control with provider override (opt3). (src: https://gigas.com/en/seguridad.html) |
| SOV-3.2 | Transparent data flows & access logs | 3. Logs exist but not real-time / vendor-controlled | 100/200 | SEAL-2 | low | Access logs/monitoring consistent with ISO 27001 and SOC 2 Type II, but real-time independent customer auditability not documented; logs exist but vendor-controlled -> opt3. |
| SOV-3.3 | Secure deletion & proof of erasure | 4. Deletion technically verified with access logs | 150/200 | SEAL-3 | low | ENS-High plus ISO 27001/27018 mandate verified media-sanitisation controls with access logging, so deletion is technically verified with logs (uniform sovereign-operator basis, consistent with the cluster) -> opt4. (src: https://gigas.com/en/seguridad.html) |
| SOV-3.4 | Data location strictly in EU/EEA | 4. EU by default, tightly controlled exceptions | 150/200 | SEAL-1 | medium | GENUINE differentiator vs EU-only Spanish peers: the product spans EU DCs (Spain, Portugal, Ireland) AND third-country DCs (Miami, Chile, Colombia, Peru) with no contractual EU-only no-third-country-fallback guarantee; EU-by-default with controlled exceptions -> opt4 (seal 1, gating cap). (src: https://gigas.com/en/) |
| SOV-3.5 | AI services sovereignty | 4. EU-led AI, foreign accelerators | 150/200 | SEAL-3 | medium | Biblion is a sovereign GenAI offering run in Gigas's private EU cloud (RAG over LLMs, data kept on Gigas infra); EU-led/operated AI on foreign accelerators and foreign-origin base models -> opt4 (EU-led AI, foreign accelerators). |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-4.1 | Portability & interoperability | 4. Formal migration services available | 125/167 | SEAL-4 | medium | Standards-based IaaS/PaaS with documented data export; positions as a VMware/hyperscaler migration target with formal migration support -> opt4. |
| SOV-4.2 | Ability to operate without foreign dependencies | 4. Ops predominantly EU-based teams | 125/167 | SEAL-3 | medium | eu_ops partial: operations run predominantly by Gigas's own teams, but support/ops span EU and LatAm offices, so the stack is predominantly but not exclusively EU-team-managed -> opt4 (predominantly EU, seal 3). |
| SOV-4.3 | Skill availability in the EU | 3. Majority EU, escalation abroad | 84/167 | SEAL-3 | medium | Engineering anchored in Spain/EU but significant teams in LatAm (Colombia, Chile, Peru); majority EU with escalation abroad -> opt3. |
| SOV-4.4 | Support channels | 3. Majority in EU, non-EU escalations | 84/167 | SEAL-3 | medium | 24/7 support in Spanish, Portuguese and English from offices across its regions including LatAm; majority in EU for European customers with non-EU escalation -> opt3. |
| SOV-4.5 | Documentation & knowledge transfer | 3. EU primary with non-EU fallback | 84/167 | SEAL-4 | low | Documentation maintained in-house by Gigas, but given LatAm operations EU-primary with non-EU fallback is the realistic posture -> opt3 (seal 4). |
| SOV-4.6 | Subcontractor & supplier jurisdiction | 4. Ability to source alternatives or internalise | 125/167 | SEAL-3 | low | Controls its own virtualization and core operations; for non-critical foreign supplier dependencies (hardware/colocation) could source alternatives or internalise, ensuring continuity -> opt4 (seal 3). |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-5.1 | Origin of components (physical parts) | 3. Transparent with exceptions | 72/143 | SEAL-3 | low | Server hardware/GPUs are foreign-made, but as an ISO 27001 / ENS-High certified operator Gigas provides component transparency to customers/auditors with exceptions (uniform sovereign-operator basis, consistent with the cluster); provenance not EU-certified -> transparent with exceptions (opt3). |
| SOV-5.2 | Manufacturing location | 3. Mixed sourcing, EU audit rights | 72/143 | SEAL-3 | medium | Hardware is foreign-designed/mixed-sourced but integrated and operated under ISO 27001 / ENS-High audited supply-chain controls (EU audit rights), matching the uniform key for EU sovereign providers -> mixed sourcing, EU audit rights (opt3). |
| SOV-5.3 | Embedded code/firmware provenance | 2. Partial disclosure | 36/143 | SEAL-4 | low | Embedded firmware (BIOS, BMC, NIC/GPU) from foreign OEMs with partial provenance disclosure typical of commodity hardware -> opt2 (seal 4 factor). |
| SOV-5.4 | Origin of software | 3. Core/essential parts maintained by EU teams | 72/143 | SEAL-3 | medium | No foreign_core: core/essential platform software (Gyper KVM-based virtualization, control plane, Biblion) built and maintained by Gigas EU teams on open source; foreign components exist but core is EU-maintained -> opt3 (seal 3). |
| SOV-5.5 | Software build/release jurisdiction | 4. EU control & execution | 107/143 | SEAL-3 | low | Build and release of the proprietary Gyper/control-plane software controlled and executed by Gigas's Spain-based engineering; EU control and EU execution -> opt4. |
| SOV-5.6 | Single point of dependency | 3. Few non-EU in critical services / documented | 72/143 | SEAL-2 | medium | Main single point of non-EU dependency is foreign chip/hardware vendors (Intel/AMD/NVIDIA) and some non-EU colocation in critical compute; documented but unavoidable for the segment -> opt3 (few non-EU critical, seal 2). |
| SOV-5.7 | Supply chain transparency | 3. Critical suppliers auditable | 72/143 | SEAL-2 | low | Critical suppliers (datacentre/colocation, hardware) identifiable and auditable under ISO 27001 supplier governance, but full end-to-end supply-chain audit rights not published -> opt3 (critical only, seal 2). |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-6.1 | Interoperability & open interfaces | 3. Mixed (partial openness) | 100/200 | SEAL-2 | medium | Proprietary KVM-based Gyper platform with standard cloud/VPS APIs offers partial openness/compatibility but is not open-by-default, consistent with the other Spanish IaaS providers' proprietary-stack-with-standard-APIs posture -> mixed partial openness (opt3). |
| SOV-6.2 | Open standards compliance | 3. Partial core adoption | 100/200 | SEAL-2 | low | Open standards (KVM, standard cloud/storage protocols) adopted at the core, but no published open-standards policy across all services; partial core adoption -> opt3. |
| SOV-6.3 | Open source availability | 2. Source available for review, strict rights | 50/200 | SEAL-2 | medium | Gyper virtualization is proprietary (KVM-based) and not open-sourced; platform largely closed/vendor-controlled with open-source underpinnings, source not openly available -> opt2 (seal 2). |
| SOV-6.4 | Service architecture transparency | 3. Some public insight | 100/200 | SEAL-3 | low | Public documentation and product/architecture information via site and support; some public insight into service architecture -> opt3. |
| SOV-6.5 | HPC sovereignty | 2. EU-hosted, foreign stack | 50/200 | SEAL-3 | low | Any GPU/HPC compute for AI (Biblion) is EU-hosted but runs on a fully foreign accelerator stack (NVIDIA/AMD); EU-hosted, foreign stack -> opt2 (seal 3). |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-7.1 | Security certification (EAL) | 4. EAL3 | 107/143 | SEAL-3 | medium | Holds ENS Alto (High) (obtained Feb 2026) plus ISO 27001/27018, PCI-DSS L1 and SOC 1/2 Type II; per key, ENS-High is a high-assurance national cloud certification mapping to EAL3 (opt4), consistent with the other ENS-High Spanish providers -> opt4 (EAL3, seal 3). (src: https://gigas.com/blog/es/empresas-ens-alto-gigas-blinda-su-estrategia-cloud/) |
| SOV-7.2 | EU regulatory compliance (GDPR/NIS2/DORA) | 4. Partial compliance to most | 107/143 | SEAL-4 | high | Holds ISO 27001, ISO 27018, ENS High, PCI-DSS Level 1 and SOC 1/2 Type II, adheres to CISPE code, states GDPR compliance; partial compliance to most EU regulations, no explicit independently audited DORA/NIS2 attestation -> opt4. (src: https://gigas.com/en/seguridad.html) |
| SOV-7.3 | EU-based SOC & incident handling | 4. Entire lifecycle by EU teams, EU threat intel | 107/143 | SEAL-3 | low | Security operations and incident handling run by Gigas's own teams under ISO 27001/SOC 2 with EU-anchored operations; EU-team-led lifecycle, though formal ENISA/CSIRT real-time sharing and clearances not documented -> opt4 (seal 3). |
| SOV-7.4 | Control over security monitoring/logging | 4. Full direct access, logs stored in EU | 107/143 | SEAL-3 | low | Customers have direct access to monitoring/logs via the management portal with EU-hosted logging for EU services (ENS-High mandates security-log access/traceability); immutable tamper-proof logging not explicitly documented -> full direct access, logs stored in EU (opt4), consistent with the cluster. |
| SOV-7.5 | Disclosure of incidents | 3. Moderate (GDPR/NIS2-aligned) | 72/143 | SEAL-2 | medium | Operates under GDPR-aligned incident-disclosure obligations as an EU/ENS-certified provider; moderate GDPR/NIS2-aligned disclosure -> opt3 (seal 2). |
| SOV-7.6 | Maintenance autonomy | 3. Moderate autonomy (notice + testing, except zero-day) | 72/143 | SEAL-4 | low | Manages its own maintenance with customer notice/testing windows typical of an EU operator controlling its stack; moderate autonomy -> opt3 (seal 4). |
| SOV-7.7 | Auditability | 5. Full independent audit by any entity | 143/143 | SEAL-4 | low | audit_rights: the ENS-High sovereign offer for Spanish public administration implies tender-grade full audit rights for the contracting authority and independent EU bodies (uniform basis with the cluster's ENS-High/ACN-qualified members) -> full independent audit (opt5). (src: https://gigas.com/blog/es/empresas-ens-alto-gigas-blinda-su-estrategia-cloud/) |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-8.1 | Energy efficiency (PUE) | 3. PUE < 1.5 + roadmap | 125/250 | SEAL-4 | low | Uses Tier III/IV certified datacentres (Interxion/Equinix-class) that are modern and efficient; no public Gigas-specific PUE, so conservatively PUE<1.5 with a sustainability roadmap rather than verified sub-1.2 -> opt3 (seal 4). |
| SOV-8.2 | Hardware reuse & recycling | 3. Documented program | 125/250 | SEAL-3 | low | Operating in certified colocation facilities implies a documented hardware lifecycle/recycling program, but no EU-certified circular-economy lifecycle published -> opt3 (documented program, seal 3). |
| SOV-8.3 | Environmental impact reporting | 2. Basic reporting | 63/250 | SEAL-1 | low | As a BME Growth listed company Gigas publishes financial and some sustainability information, but no detailed EU-methodology environmental report for its datacentres is evident -> opt2 (basic reporting, seal 1). |
| SOV-8.4 | Energy supplies | 3. Mix of EU and non-EU supplies | 125/250 | SEAL-4 | low | EU datacentres draw on EU grids, but no published commitment to exclusively green/renewable energy and it operates non-EU facilities (Miami, LatAm); mix of EU and non-EU supplies -> opt3. (src: https://gigas.com/en/) |