| SOV-1 Strategic Sovereignty | SEAL-1 | |
| SOV-2 Legal & Jurisdictional Sovereignty | SEAL-1 | |
| SOV-3 Data & AI Sovereignty | SEAL-1 | |
| SOV-4 Operational Sovereignty | SEAL-1 | |
| SOV-5 Supply Chain Sovereignty | SEAL-1 | |
| SOV-6 Technology Sovereignty | SEAL-2 | |
| SOV-7 Security & Compliance Sovereignty | SEAL-1 | |
| SOV-8 Environmental Sustainability | SEAL-3 | |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-1.1 | EU/EEA legal entity control | 1. Entirely outside the EU | 0/125 | SEAL-1 | high | Google Cloud is operated by Google LLC, a subsidiary of Alphabet Inc., incorporated in Delaware and headquartered in Mountain View, California. The controlling legal entity is entirely outside the EU. (src: https://abc.xyz/investor/) |
| SOV-1.2 | Change of control risk | 5. Very unlikely | 125/125 | SEAL-4 | high | Alphabet is one of the world's largest companies with founder super-voting shares; a takeover or transfer to a non-EU sovereign entity is very unlikely. (Note: this leaves the entity firmly under US control, which the takeover-risk factor scores favorably regardless.) |
| SOV-1.3 | Control over roadmap | 2. Through 'voice of the customer' public channels | 42/125 | SEAL-2 | high | Roadmap is controlled centrally by Google; EU customers can only influence through 'voice of the customer' feedback channels, advisory boards and feature requests, with no governance seat. |
| SOV-1.4 | Financial independence from non-EU capital | 1. Almost entirely relying on non-EU funding | 0/125 | SEAL-4 | high | Alphabet is funded almost entirely by non-EU (US) capital markets and its own US-based revenues; there is no material EU funding base. |
| SOV-1.5 | EU economic contribution | 2. Some | 31/125 | SEAL-4 | medium | Google has substantial EU data-centre investments, offices and employment, but the overwhelming majority of value capture, R&D and profit accrues to the US parent, so EU economic contribution is only 'some'. |
| SOV-1.6 | Participation in EU strategic programs | 2. Limited participation | 31/125 | SEAL-4 | medium | Google participates in some EU-relevant initiatives (Gaia-X membership, sovereign partnerships) but is not a core actor in EU strategic programs such as IPCEI-CIS; participation is limited. |
| SOV-1.7 | Alignment with EU industrial strategies | 2. Existing action plan | 42/125 | SEAL-4 | medium | Google has published sovereignty action plans and EU 'Cloud. On Europe's Terms' commitments and digital-sovereignty offerings, constituting an existing action plan rather than EU-governed achievement. |
| SOV-1.8 | Resilience to cut-off | 3. Can continue temporarily per contractual agreement | 63/125 | SEAL-2 | medium | No own_stack, but the qualified EU offer (GCP EU regions with sovereignty controls / Assured Workloads) runs in EU regions with EU-resident operations and contractual continuity arrangements, so it can continue operating temporarily per contractual agreement on a parent cut-off -> opt3 (seal 2). Normalised to opt3 across the US-hyperscaler cluster (same EU-region continuity profile as AWS/Oracle); an EU-region offering does not 'stop on cut-off' more than a peer's. (src: https://cloud.google.com/sovereign-cloud) |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-2.1 | Primary legal jurisdiction | 2. Mixed EU/non-EU | 84/167 | SEAL-1 | high | Customer contracts can be with a Google Cloud EMEA/Ireland entity under EU law, but the ultimate parent and core operations sit under US jurisdiction, making the effective jurisdiction mixed EU/non-EU. (src: https://cloud.google.com/terms/data-processing-addendum) |
| SOV-2.2 | Extraterritorial laws exposure | 3. EU subsidiary with contractual protections | 84/167 | SEAL-1 | high | Google offers an EU/Ireland contracting subsidiary with contractual data-protection protections, but a US-parented group's EU subsidiary is compellable via the US parent (CLOUD Act, FISA 702) and holds no SecNumCloud/EUCS-High -> EU subsidiary with contractual protections (opt3, seal 1). Consistent with the cluster. (src: https://cloud.google.com/security/compliance/bsi-c5) |
| SOV-2.3 | Data access pathways for non-EU authorities | 2. Can compel access without notification, specific cases | 42/167 | SEAL-1 | high | foreign_parent (US CLOUD Act/FISA) -> SOV-2.3 opt2 (seal 1): Google LLC/Alphabet is US-incorporated, so US authorities can compel data production without notification in specific gag-ordered cases; the SecNumCloud 3.2 immunity belongs to the separate S3NS JV (Google <=24%), not to GCP itself. This is the binding SEAL-1 gate. Normalised to opt2 across the cluster. (src: https://cloud.google.com/terms/data-processing-addendum) |
| SOV-2.4 | Export control restrictions | 3. Share of revenues >50% in the EU | 84/167 | SEAL-2 | medium | Google is a US company subject to US export controls (EAR), but it generates more than 50% of cloud revenue outside the US with a large EU footprint; no part of the standard offer is structurally shielded from US export restrictions toward EU member states. |
| SOV-2.5 | Origin of IP | 1. Entirely outside the EU | 0/167 | SEAL-4 | high | Core GCP intellectual property (Borg/Kubernetes lineage, BigQuery, Spanner, TPUs, Gemini) is developed and owned by Google in the US; IP origin is entirely outside the EU. |
| SOV-2.6 | IP holder jurisdiction | 1. Non-EU law, single country | 0/167 | SEAL-3 | high | The IP is held by Google LLC / Alphabet under US (California/Delaware) law, a single non-EU jurisdiction. |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-3.1 | Customer control over encryption keys | 4. Customer primary control but provider can read data | 150/200 | SEAL-3 | high | Customers can use Cloud KMS with CMEK and Cloud External Key Manager (EKM) for primary key control, but in the standard offering Google retains technical ability to access data; only the separate dedicated/trusted-cloud tiers approach provider-cannot-read. Default GCP gives customer primary control while provider can technically read. |
| SOV-3.2 | Transparent data flows & access logs | 4. Full customer-controlled visibility, not real-time | 150/200 | SEAL-3 | high | Access Transparency and Access Approval logs give customers full visibility and approval rights over Google personnel access, but the logs are generated by Google systems and are not fully independently auditable in real time. |
| SOV-3.3 | Secure deletion & proof of erasure | 3. Internal validation per policy, no proof | 100/200 | SEAL-1 | medium | Google documents data-deletion policies and timelines with internal validation per policy, but does not provide independently verified cryptographic proof of irreversible erasure in the standard offering. |
| SOV-3.4 | Data location strictly in EU/EEA | 4. EU by default, tightly controlled exceptions | 150/200 | SEAL-1 | high | Assured Workloads / EU data residency lets customers keep data in EU regions by default with tightly controlled exceptions, but third-country fallback and US-parent access pathways remain and it is not an air-gapped realm -> EU-by-default with controlled exceptions, opt4 (seal 1). Above the seal-0 gate but genuinely below AWS ESC / Oracle Sovereign Cloud isolated realms (opt5). (src: https://cloud.google.com/assured-workloads) |
| SOV-3.5 | AI services sovereignty | 2. Mostly non-EU: licensed AI, chip dependency | 50/200 | SEAL-2 | high | AI services (Gemini, Vertex AI) are Google-proprietary models running on Google-designed TPUs and US-controlled chip supply; mostly non-EU with chip dependency, though data residency regions exist. |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-4.1 | Portability & interoperability | 3. Standard documented data export methods | 84/167 | SEAL-4 | high | GCP provides standard documented data export methods and tooling (Storage Transfer, BigQuery export, Kubernetes/GKE portability), with broad open formats; migration support exists but core differentiated services create lock-in. |
| SOV-4.2 | Ability to operate without foreign dependencies | 1. Critical ops delivered by non-EU teams | 0/167 | SEAL-1 | high | Critical platform engineering, SRE and control-plane operations are delivered by Google's global (predominantly US) teams; the standard GCP cannot operate independently of non-EU teams. |
| SOV-4.3 | Skill availability in the EU | 2. Mixed, majority outside EU | 42/167 | SEAL-1 | medium | Google has EU engineering and operations staff, but the core skills and platform ownership are concentrated in a global team that is majority outside the EU. |
| SOV-4.4 | Support channels | 2. Mixed, majority outside EU | 42/167 | SEAL-2 | medium | Google Cloud support is delivered via a global follow-the-sun model; while EU-based support is available, the overall support workforce is majority outside the EU with non-EU escalation. |
| SOV-4.5 | Documentation & knowledge transfer | 2. EU optional, not enforced | 42/167 | SEAL-2 | medium | Documentation and knowledge bases are global and US-hosted; EU-only handling is optional/contractual rather than enforced in the standard offering. |
| SOV-4.6 | Subcontractor & supplier jurisdiction | 2. Service would stop with delay | 42/167 | SEAL-2 | medium | Subcontractors and suppliers are largely under non-EU (US) jurisdiction; if the parent were cut off, service would stop after some delay rather than continuing autonomously in the standard offering. |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-5.1 | Origin of components (physical parts) | 2. Partial disclosure | 36/143 | SEAL-1 | medium | Google designs custom hardware and publishes some sustainability and security details, but provides only partial public disclosure of the physical component origin of its servers and networking gear. |
| SOV-5.2 | Manufacturing location | 2. Foreign origin, partial disclosure | 36/143 | SEAL-1 | medium | Hardware is designed by Google (US) and manufactured by Asian ODMs/foundries; manufacturing is of foreign origin with only partial disclosure, no EU build or EU audit rights for the standard fleet. |
| SOV-5.3 | Embedded code/firmware provenance | 2. Partial disclosure | 36/143 | SEAL-4 | low | Firmware and embedded code (incl. Titan security chip) provenance is Google-controlled with limited public disclosure; partial transparency at best. |
| SOV-5.4 | Origin of software | 2. Foreign origin, partial disclosure | 36/143 | SEAL-2 | high | GCP software is Google-proprietary and developed in the US; some components are open-sourced (Kubernetes, TensorFlow) giving partial disclosure, but the core platform is foreign-origin and not maintained by EU teams. |
| SOV-5.5 | Software build/release jurisdiction | 1. Non-EU control & execution | 0/143 | SEAL-1 | high | Software build and release pipelines are controlled and executed by Google in the US; no EU control or EU policy gates over the standard platform build/release. |
| SOV-5.6 | Single point of dependency | 2. Mostly non-EU, undocumented | 36/143 | SEAL-1 | high | The standard GCP is critically dependent on Google itself (a single non-EU vendor) for the control plane, software and hardware design, mostly undocumented for substitution purposes. |
| SOV-5.7 | Supply chain transparency | 2. Some suppliers auditable | 36/143 | SEAL-1 | medium | Google publishes some supply-chain security information (SLSA, audits) and certifications allow auditing of some suppliers, but the full supply chain is not broadly independently auditable by customers. |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-6.1 | Interoperability & open interfaces | 3. Mixed (partial openness) | 100/200 | SEAL-2 | high | GCP exposes broad APIs and supports many open standards and Kubernetes/Anthos, but many differentiated managed services (BigQuery, Spanner) use proprietary interfaces; openness is mixed/partial. |
| SOV-6.2 | Open standards compliance | 3. Partial core adoption | 100/200 | SEAL-2 | high | Google adopts open standards for core services (Kubernetes, SQL, S3-compatible APIs, OpenTelemetry) partially, but not as a blanket policy across all services. |
| SOV-6.3 | Open source availability | 2. Source available for review, strict rights | 50/200 | SEAL-2 | high | The GCP platform itself is closed-source and vendor-controlled; Google open-sources major adjacent projects (Kubernetes, TensorFlow, gVisor) but the operated service code is not open, and governance is not EU/independent. |
| SOV-6.4 | Service architecture transparency | 3. Some public insight | 100/200 | SEAL-3 | medium | Google publishes extensive public documentation, whitepapers and architecture insight, but customers cannot inspect the full internal service architecture; some public insight. |
| SOV-6.5 | HPC sovereignty | 2. EU-hosted, foreign stack | 50/200 | SEAL-3 | medium | GCP HPC/AI compute is available in EU-hosted regions but runs on a fully foreign (Google TPU / NVIDIA, US/Asian fab) stack with no EU design or fab; EU-hosted, foreign stack. |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-7.1 | Security certification (EAL) | 4. EAL3 | 107/143 | SEAL-3 | medium | GCP holds BSI C5 plus ISO 27001 + SOC 2; per key a high-assurance EU/national cloud certification (BSI C5) maps to EAL3 -> opt4 (seal 3). No EUCS-High/EAL4-5 (SecNumCloud 3.2 is held by S3NS, a separate entity). Normalised across the cluster (all five hold C5). (src: https://cloud.google.com/security/compliance/bsi-c5) |
| SOV-7.2 | EU regulatory compliance (GDPR/NIS2/DORA) | 4. Partial compliance to most | 107/143 | SEAL-4 | high | Google demonstrates partial compliance to most EU regulations (GDPR DPA, NIS2 readiness, DORA addendums, EU SCCs), independently audited via ISO/SOC/C5, though full sovereign compliance is delivered only via separate offerings. |
| SOV-7.3 | EU-based SOC & incident handling | 2. Hybrid EU/non-EU | 36/143 | SEAL-1 | medium | Google operates a global SOC/incident-response capability with EU presence; for the standard offering it is a hybrid EU/non-EU model rather than an EU-exclusive lifecycle. |
| SOV-7.4 | Control over security monitoring/logging | 4. Full direct access, logs stored in EU | 107/143 | SEAL-3 | high | Cloud Logging, Audit Logs and Access Transparency give customers full direct access to security monitoring and logs that can be stored in EU regions, though not provably immutable/tamper-proof end-to-end independently. |
| SOV-7.5 | Disclosure of incidents | 4. Partial compliance, monitored flow, SLAs | 107/143 | SEAL-3 | medium | Google provides EU-aligned incident disclosure with monitored notification flows and contractual SLAs (GDPR 72h, NIS2), constituting partial compliance with monitored flow and SLAs. |
| SOV-7.6 | Maintenance autonomy | 3. Moderate autonomy (notice + testing, except zero-day) | 72/143 | SEAL-4 | medium | Customers have moderate maintenance autonomy: they can schedule and test many updates with notice, but Google controls underlying platform patching including zero-day emergency changes. |
| SOV-7.7 | Auditability | 2. Limited independent access | 36/143 | SEAL-1 | high | Independent audit access is limited to third-party attestations (ISO, SOC, C5) and customer-scoped audit rights; customers cannot perform full independent audits of Google's infrastructure. |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-8.1 | Energy efficiency (PUE) | 5. PUE < 1.2, EU verified | 250/250 | SEAL-4 | high | Google reports a fleet-wide average annual PUE of 1.09 in 2024, well below 1.2, with detailed published methodology -> opt5 (PUE < 1.2, EU verified). (src: https://datacenters.google/efficiency/) |
| SOV-8.2 | Hardware reuse & recycling | 3. Documented program | 125/250 | SEAL-3 | medium | Google runs a documented hardware reuse, refurbishment and component-recycling program with circular-economy targets, though not a specifically EU-certified lifecycle. |
| SOV-8.3 | Environmental impact reporting | 4. Detailed EU methodology | 188/250 | SEAL-3 | high | Google publishes a detailed annual Environmental Report with comprehensive methodology and metrics, but it is a global self-reported framework rather than an EU-audited one. |
| SOV-8.4 | Energy supplies | 3. Mix of EU and non-EU supplies | 125/250 | SEAL-4 | medium | Google matches 100% renewable energy globally and pursues 24/7 carbon-free energy, but its energy supplies are a mix of EU and non-EU sources, not exclusively EU. (src: https://blog.google/company-news/outreach-and-initiatives/sustainability/2024-environmental-report/) |