| SOV-1 Strategic Sovereignty | SEAL-2 | |
| SOV-2 Legal & Jurisdictional Sovereignty | SEAL-4 | |
| SOV-3 Data & AI Sovereignty | SEAL-1 | |
| SOV-4 Operational Sovereignty | SEAL-3 | |
| SOV-5 Supply Chain Sovereignty | SEAL-2 | |
| SOV-6 Technology Sovereignty | SEAL-2 | |
| SOV-7 Security & Compliance Sovereignty | SEAL-1 | |
| SOV-8 Environmental Sustainability | SEAL-2 | |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-1.1 | EU/EEA legal entity control | 4. Entirely within the EU | 125/125 | SEAL-4 | high | GleSYS AB is incorporated in Sweden; majority owned by Cube Infrastructure Managers (Luxembourg/Stockholm EU infrastructure fund) with the Swedish founder retaining a minority stake. Entity and control are entirely within the EU/EEA. (src: https://glesys.com/) |
| SOV-1.2 | Change of control risk | 3. Somewhat likely takeover/transfer to non-EU sovereign entity | 63/125 | SEAL-4 | medium | As a PE-backed mid-market infrastructure firm (Cube Fund III), an eventual sale is plausible, though Cube is an EU investor and the sector trend favours EU buyers; a transfer to a non-EU sovereign entity is somewhat conceivable but not the base case. |
| SOV-1.3 | Control over roadmap | 2. Through 'voice of the customer' public channels | 42/125 | SEAL-2 | low | No published governance bodies with EU-actor participation; customers influence the roadmap mainly through standard support/sales 'voice of the customer' channels. |
| SOV-1.4 | Financial independence from non-EU capital | 4. Majority of funding is EU-based | 94/125 | SEAL-4 | medium | Backed by Cube Infrastructure Managers, a Luxembourg/Stockholm-based EU fund, plus prior Danish (VIA Equity) backing; funding is majority EU-based. |
| SOV-1.5 | EU economic contribution | 5. Fully in the EU | 125/125 | SEAL-4 | high | All operations, staff, data centres and revenue base are in Sweden and Finland; economic contribution is fully within the EU. |
| SOV-1.6 | Participation in EU strategic programs | 1. No clear participation | 0/125 | SEAL-4 | medium | No clear evidence of participation in EU strategic programs such as Gaia-X or IPCEI-CIS; positions itself as a sovereign provider but without documented strategic-program involvement. |
| SOV-1.7 | Alignment with EU industrial strategies | 2. Existing action plan | 42/125 | SEAL-4 | low | Markets itself around EU/Nordic sovereignty and renewable energy aligned with EU industrial aims; amounts to an existing positioning/action plan rather than measured governance with dedicated means. |
| SOV-1.8 | Resilience to cut-off | 5. Full autonomy and continuity | 125/125 | SEAL-4 | medium | own_stack: vertically integrated EU provider that owns/operates its own EU data centres AND builds its own servers, with in-house teams able to source alternatives or internalise functions; only residual foreign-chip hardware as commodity input -> key 1.8 own_stack -> opt5 'Full autonomy and continuity' (seal 4), consistent with the Nordic OpenStack peers. (src: https://glesys.com/data-center/falkenberg) |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-2.1 | Primary legal jurisdiction | 3. Exclusively EU law | 167/167 | SEAL-4 | high | A Swedish company with EU ownership operating only EU/EEA data centres under EU jurisdiction; governed exclusively by EU/Swedish law with no non-EU parent imposing other jurisdiction. (src: https://glesys.com/) |
| SOV-2.2 | Extraterritorial laws exposure | 5. Verified legal immunity, non-EU laws unenforceable | 167/167 | SEAL-4 | medium | immunity flag (a): pure-SE entity with an EU (Luxembourg/Stockholm) PE owner and no non-EU parent, subsidiary or operational nexus a foreign authority could compel -> key 2.2 immunity -> opt5 'Verified legal immunity' (seal 4), consistent with the pure-EU Nordic OpenStack peers (Elastx, Safespring). (src: https://glesys.com/) |
| SOV-2.3 | Data access pathways for non-EU authorities | 5. Requests always rejected by the provider | 167/167 | SEAL-4 | medium | No foreign_parent and pure-EU no-nexus immunity: no non-EU jurisdictional hook to compel access (no US CLOUD Act/FISA reach); requests routed via MLAT/EU process and rejected -> SOV-2.3 opt5 (seal 4). |
| SOV-2.4 | Export control restrictions | 5. Part of offer shielded from restrictions towards EU MSs/intl orgs | 167/167 | SEAL-4 | low | Pure-EU provider, revenue overwhelmingly in the EU, no non-EU technology gating its offer; the EU/EEA-exclusive sovereign offer is shielded from foreign export-control restrictions toward EU MSs and international orgs -> key 2.4 opt5 (seal 4), consistent with the Nordic OpenStack peers. (src: https://glesys.com/) |
| SOV-2.5 | Origin of IP | 4. Mostly within the EU | 125/167 | SEAL-4 | medium | GleSYS's own platform/automation software and operational IP are developed in-house in Sweden; underlying hypervisors and OS are largely open-source/foreign-origin, so IP is mostly within the EU. |
| SOV-2.6 | IP holder jurisdiction | 5. Fully under EU law | 167/167 | SEAL-4 | medium | GleSYS-developed IP is held by the Swedish entity under EU law; the company is fully EU-incorporated, placing its IP holding under EU jurisdiction. |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-3.1 | Customer control over encryption keys | 3. Shared - provider has override keys | 100/200 | SEAL-2 | low | GleSYS manages platform encryption (data at rest/in transit) while customers can manage their own application-level keys; the provider retains an override and there is no documented provider-incapable customer-exclusive (HYOK) offering -> key 3.1 shared (provider has override key) -> opt3 (seal 2). Safespring's customer-held-keys remains the cluster differentiator at opt5. (src: https://glesys.com/) |
| SOV-3.2 | Transparent data flows & access logs | 3. Logs exist but not real-time / vendor-controlled | 100/200 | SEAL-2 | low | Provides monitoring and audit logs via its portal but with vendor-controlled, non-real-time independent auditability; no evidence of customer-controlled real-time oversight. |
| SOV-3.3 | Secure deletion & proof of erasure | 3. Internal validation per policy, no proof | 100/200 | SEAL-1 | low | ISO 27001 ISMS implies documented deletion procedures validated against policy, but no customer-facing cryptographic proof-of-erasure is published. |
| SOV-3.4 | Data location strictly in EU/EEA | 5. Exclusively EU, no third-country fallback | 200/200 | SEAL-4 | medium | eu_exclusive: sovereign-cloud tier keeps all data in Swedish/Finnish DCs, never leaving sovereign borders, under EU Access Policy, no third-country fallback -> SOV-3.4 opt5 (seal 4). (src: https://glesys.com/locations/our-data-centers/) |
| SOV-3.5 | AI services sovereignty | 4. EU-led AI, foreign accelerators | 150/200 | SEAL-3 | low | Offers dedicated GPU servers rather than a managed black-box AI service; customers run their own (often open-source/auditable) models on foreign-made accelerators, so no foreign-AI lock-in -> key judgment-call (no in-scope foreign AI dependency / EU-led AI on foreign accelerators) -> opt4 (seal 3), consistent with the Nordic OpenStack peers. (src: https://glesys.com/locations/our-data-centers/) |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-4.1 | Portability & interoperability | 3. Standard documented data export methods | 84/167 | SEAL-4 | medium | Standard IaaS on KVM/VMware with documented APIs (public GitHub API docs) and standard export methods; portability via common formats but no special sovereign-migration guarantee beyond documented export. |
| SOV-4.2 | Ability to operate without foreign dependencies | 5. Entire stack managed by fully EU-based team | 167/167 | SEAL-4 | medium | Owns and operates its full stack with the entire operation run from Sweden/Finland by EU-based teams; no critical operations delivered by non-EU teams. |
| SOV-4.3 | Skill availability in the EU | 4. All EU staff | 125/167 | SEAL-3 | medium | A Nordic company with staff in Sweden and Finland; engineering and operations skills are EU-based, but no security-clearance regime is documented. |
| SOV-4.4 | Support channels | 4. All support staff in EU | 125/167 | SEAL-3 | medium | Support is delivered by GleSYS's own Nordic teams under a strict EU Access Policy ensuring only EU personnel handle EU data; all support staff EU-based but no security-clearance claim. |
| SOV-4.5 | Documentation & knowledge transfer | 3. EU primary with non-EU fallback | 84/167 | SEAL-4 | low | Documentation and knowledge are maintained primarily in the EU by the in-house Nordic team; some public docs hosted on non-EU platforms (e.g. GitHub) act as fallback. |
| SOV-4.6 | Subcontractor & supplier jurisdiction | 4. Ability to source alternatives or internalise | 125/167 | SEAL-3 | low | Owns its data centres and builds its own servers, so it can source alternative suppliers or internalise functions if a hardware supplier were cut off, though full continuity is bounded by global chip supply. |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-5.1 | Origin of components (physical parts) | 3. Transparent with exceptions | 72/143 | SEAL-3 | low | GleSYS designs and builds its own servers and is transparent about owning its infrastructure, but underlying component (CPU/GPU/disk) provenance is foreign and only partially disclosed; transparent with exceptions. |
| SOV-5.2 | Manufacturing location | 4. Built by EU teams on foreign design | 107/143 | SEAL-3 | medium | Servers are assembled/built in-house by GleSYS's EU teams from foreign-designed components (e.g. x86 CPUs), matching built-by-EU-teams-on-foreign-design. |
| SOV-5.3 | Embedded code/firmware provenance | 2. Partial disclosure | 36/143 | SEAL-4 | low | Embedded firmware (BIOS/BMC/NIC) originates from foreign component vendors with only partial disclosure; no firmware-provenance certification published. |
| SOV-5.4 | Origin of software | 3. Core/essential parts maintained by EU teams | 72/143 | SEAL-3 | medium | Core control-plane/automation software is built and maintained in-house by EU teams; relies on foreign-origin but open hypervisors (KVM) and proprietary VMware for part of the stack, so essential parts are EU-maintained. |
| SOV-5.5 | Software build/release jurisdiction | 4. EU control & execution | 107/143 | SEAL-3 | low | GleSYS controls and executes its own software builds/releases from its Nordic operations (EU control and execution), but no formal EU policy-gate attestation is documented. |
| SOV-5.6 | Single point of dependency | 3. Few non-EU in critical services / documented | 72/143 | SEAL-2 | low | Some non-EU vendors are unavoidable in critical services (hardware components, VMware licensing); dependencies are limited and documented but present in critical paths. |
| SOV-5.7 | Supply chain transparency | 3. Critical suppliers auditable | 72/143 | SEAL-2 | low | Owning its data centres and operations gives audit visibility into critical suppliers, but full upstream component supply-chain auditability is not demonstrated. |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-6.1 | Interoperability & open interfaces | 4. Standards-based and broadly compatible | 150/200 | SEAL-3 | medium | Offers standards-based interfaces (documented REST API, standard VM formats, S3-compatible object storage) that are broadly compatible, though not fully open-by-default across all services. |
| SOV-6.2 | Open standards compliance | 3. Partial core adoption | 100/200 | SEAL-2 | low | Adopts open standards in core services (S3 API, standard hypervisor disk/VM formats, DNS) on a partial/ad-hoc basis rather than a published policy across all services. |
| SOV-6.3 | Open source availability | 2. Source available for review, strict rights | 50/200 | SEAL-2 | low | Builds on open-source foundations (Linux/KVM) but its own platform software is proprietary and not published; source is effectively vendor-controlled with limited external availability. |
| SOV-6.4 | Service architecture transparency | 3. Some public insight | 100/200 | SEAL-3 | low | Provides public documentation, API references and infrastructure transparency (owns/operates its DCs), giving some public insight into architecture without full customer co-design. |
| SOV-6.5 | HPC sovereignty | 2. EU-hosted, foreign stack | 50/200 | SEAL-3 | low | Offers GPU/HPC-style compute hosted in EU data centres but built on foreign accelerator and software stacks; EU-hosted with a foreign stack. |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-7.1 | Security certification (EAL) | 2. EAL1 | 36/143 | SEAL-1 | medium | Holds ISO/IEC 27001:2022 (plus 9001/14001) but no SecNumCloud/EUCS/C5+ENS or Common Criteria EAL; per key, ISO 27001 only -> ~EAL1 opt2 (seal 1). No higher cert -> security cert remains a SEAL-1 gate. (src: https://glesys.com/sustainability/) |
| SOV-7.2 | EU regulatory compliance (GDPR/NIS2/DORA) | 4. Partial compliance to most | 107/143 | SEAL-4 | medium | Fully GDPR-compliant and ISO/IEC 27001:2022 certified with an EU Access Policy; as an EU provider it is within NIS2 scope, but no independent DORA/full-suite audited attestation is documented, so partial compliance to most. |
| SOV-7.3 | EU-based SOC & incident handling | 4. Entire lifecycle by EU teams, EU threat intel | 107/143 | SEAL-3 | low | Operations and incident handling are run by GleSYS's own Nordic teams under an EU Access Policy, implying the full lifecycle is handled by EU teams; no ENISA/CSIRT formal sharing membership documented. |
| SOV-7.4 | Control over security monitoring/logging | 3. Basic monitoring portal | 72/143 | SEAL-1 | low | Customers get a monitoring portal and logs but the provider retains primary control of security monitoring; no documented immutable customer-controlled logging. |
| SOV-7.5 | Disclosure of incidents | 3. Moderate (GDPR/NIS2-aligned) | 72/143 | SEAL-2 | low | As a GDPR/NIS2-scoped EU provider it follows breach-notification obligations; incident disclosure is moderate and regulation-aligned without documented real-time CSIRT sharing or SLAs. |
| SOV-7.6 | Maintenance autonomy | 3. Moderate autonomy (notice + testing, except zero-day) | 72/143 | SEAL-4 | low | GleSYS controls maintenance of its own infrastructure with notice and testing windows for customers, giving moderate maintenance autonomy except for zero-day patching. |
| SOV-7.7 | Auditability | 3. Partial independent control | 72/143 | SEAL-1 | low | No audit_rights flag: independent assurance is via ISO 27001 third-party auditors plus DPA customer audit rights (partial independent control), no contractual full audit by the contracting authority or any independent EU body (no SecNumCloud to imply it) -> key 7.7 -> opt3 (seal 1), consistent with the non-audit-rights Nordic peers. (src: https://glesys.com/sustainability/) |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-8.1 | Energy efficiency (PUE) | 4. PUE < 1.3 | 188/250 | SEAL-4 | high | GleSYS publishes a PUE of 1.28 (vs 1.57 global average), which falls below the 1.3 threshold. (src: https://glesys.com/sustainability/) |
| SOV-8.2 | Hardware reuse & recycling | 3. Documented program | 125/250 | SEAL-3 | medium | Has documented sustainability practices including 84% waste-heat reuse via district heating and ISO 14001 environmental management, indicating a documented hardware/resource program; no EU-certified full-lifecycle scheme stated. |
| SOV-8.3 | Environmental impact reporting | 3. Annual report | 125/250 | SEAL-2 | medium | Publishes environmental metrics (PUE, renewable share, heat reuse) and holds ISO 14001, consistent with regular/annual environmental reporting rather than an EU-audited methodology. |
| SOV-8.4 | Energy supplies | 5. Only green EU energy supplies | 250/250 | SEAL-4 | high | Uses 100% renewable electricity with verified origin in its EU (Swedish/Finnish) data centres; only green EU energy supplies. (src: https://glesys.com/sustainability/) |