| Sovereignty objective | SEAL | |
|---|---|---|
| SOV-1 Strategic Sovereignty | SEAL-2 | |
| SOV-2 Legal & Jurisdictional Sovereignty | SEAL-2 | |
| SOV-3 Data & AI Sovereignty | SEAL-1 | |
| SOV-4 Operational Sovereignty | SEAL-3 | |
| SOV-5 Supply Chain Sovereignty | SEAL-2 | |
| SOV-6 Technology Sovereignty | SEAL-2 | |
| SOV-7 Security & Compliance Sovereignty | SEAL-1 | |
| SOV-8 Environmental Sustainability | SEAL-2 | |

| ID | Factor | Value | Score | SEAL | Confidence | Justification |
|---|---|---|---|---|---|---|
| SOV-1.1 | EU/EEA legal entity control | 4. Entirely within the EU | 125/125 | SEAL-4 | high | eu_entity: gridscale GmbH (Cologne, DE) is 100% owned by OVHcloud SA (France, Euronext Paris). Both entities entirely within the EU -> opt4. (src: https://corporate.ovhcloud.com/en/newsroom/news/ovhcloud-to-acquire-gridscale/) |
| SOV-1.2 | Change of control risk | 4. Unlikely takeover/transfer to non-EU sovereign entity | 94/125 | SEAL-4 | medium | Wholly-owned subsidiary of OVHcloud, a French listed company with European-sovereignty commitments; transfer to a non-EU sovereign entity is unlikely though not formally ring-fenced -> opt4. |
| SOV-1.3 | Control over roadmap | 3. Governance bodies exist with EU actors participation | 83/125 | SEAL-3 | medium | As an OVHcloud entity and Gaia-X founding-member group, EU actors participate in governance bodies; customers lack full direct roadmap control -> opt3. |
| SOV-1.4 | Financial independence from non-EU capital | 4. Majority of funding is EU-based | 94/125 | SEAL-4 | medium | Backed by OVHcloud (Euronext Paris-listed, EU funding); majority of funding is EU-based -> opt4. |
| SOV-1.5 | EU economic contribution | 4. Majority in the EU | 94/125 | SEAL-4 | medium | Engineering in Cologne plus OVHcloud's EU manufacturing/R&D/datacenters; majority of economic contribution in the EU -> opt4. |
| SOV-1.6 | Participation in EU strategic programs | 3. Active participant in strategic projects | 63/125 | SEAL-4 | medium | Parent OVHcloud is a Gaia-X founding member and active in EU sovereign-cloud initiatives; gridscale tech powers OVHcloud Local Zones -> active participant, opt3. |
| SOV-1.7 | Alignment with EU industrial strategies | 3. Measured achievement and dedicated governance | 83/125 | SEAL-4 | medium | OVHcloud group has an explicit EU digital-sovereignty strategy with measured commitments (SecNumCloud roadmap, Gaia-X, EU manufacturing) and dedicated governance -> opt3. |
| SOV-1.8 | Resilience to cut-off | 4. Ability to source alternatives or internalise key functions | 94/125 | SEAL-2 | low | own_stack but residual non-EU operational dependency (foreign silicon/firmware): EU-owned/operated stack on OVHcloud-built EU servers can source/internalise key functions; full autonomy not guaranteed -> opt4 (seal 2). |

| ID | Factor | Value | Score | SEAL | Confidence | Justification |
|---|---|---|---|---|---|---|
| SOV-2.1 | Primary legal jurisdiction | 3. Exclusively EU law | 167/167 | SEAL-4 | high | German GmbH owned by a French parent; contracting entity and primary jurisdiction are exclusively EU law (German/French) -> opt3. (src: https://gridscale.io/en/about-us/compliance-and-certification/) |
| SOV-2.2 | Extraterritorial laws exposure | 4. Legal structures shielding from foreign law | 125/167 | SEAL-2 | medium | eu_entity with structural separation but no certified immunity (gridscale product holds ISO 27001/C5, not SecNumCloud/EUCS-High): legal structures shield from foreign law but immunity is not statutorily verified -> opt4 (seal 2). (src: https://gridscale.io/en/about-us/compliance-and-certification/) |
| SOV-2.3 | Data access pathways for non-EU authorities | 5. Requests always rejected by the provider | 167/167 | SEAL-4 | medium | No foreign_parent (EU-owned, no US/CN nexus): not subject to CLOUD Act/FISA/PRC law; OVHcloud commits to reject/challenge foreign-authority compelled access -> opt5. (src: https://gridscale.io/en/about-us/compliance-and-certification/) |
| SOV-2.4 | Export control restrictions | 4. Part of offer shielded from restrictions towards EU MSs | 125/167 | SEAL-3 | low | EU (German/French) provider with no export-control restrictions toward EU member states; consistent with the pure-EU cluster, the sovereign offer is shielded from restrictions toward EU MSs -> opt4 (seal 3). |
| SOV-2.5 | Origin of IP | 4. Mostly within the EU | 125/167 | SEAL-4 | medium | gridscale platform is self-developed in Cologne and OVHcloud's core IP is developed in France; IP mostly within the EU -> opt4. |
| SOV-2.6 | IP holder jurisdiction | 5. Fully under EU law | 167/167 | SEAL-4 | medium | Software IP held by EU entities (gridscale GmbH / OVHcloud SA), fully under EU law -> opt5. |

| ID | Factor | Value | Score | SEAL | Confidence | Justification |
|---|---|---|---|---|---|---|
| SOV-3.1 | Customer control over encryption keys | 4. Customer primary control but provider can read data | 150/200 | SEAL-3 | low | Platform offers encryption and customer key management, but standard IaaS does not by default prevent provider read access (no default HYOK/confidential computing) -> opt4. |
| SOV-3.2 | Transparent data flows & access logs | 4. Full customer-controlled visibility, not real-time | 150/200 | SEAL-3 | low | Access logs and customer-visible monitoring with full traceability of data access; independent real-time auditability not clearly established -> opt4. |
| SOV-3.3 | Secure deletion & proof of erasure | 3. Internal validation per policy, no proof | 100/200 | SEAL-1 | low | Standard cloud deletion per policy with internal validation; no published independently-verified proof-of-erasure mechanism -> opt3 (seal 1). |
| SOV-3.4 | Data location strictly in EU/EEA | 4. EU by default, tightly controlled exceptions | 150/200 | SEAL-1 | medium | NOT eu_exclusive: datacenters are in DE/NL/AT (EU/EEA) PLUS Switzerland (non-EU); data is EU by default with tightly controlled exceptions, no contractual EU-only guarantee -> opt4 (seal 1). (src: https://gridscale.io/en/about-us/data-centers/) |
| SOV-3.5 | AI services sovereignty | 4. EU-led AI, foreign accelerators | 150/200 | SEAL-3 | medium | Parent OVHcloud AI Endpoints serve EU-hosted open models (Mistral, Llama) on foreign NVIDIA accelerators; EU-led AI on foreign chips -> opt4. |

| ID | Factor | Value | Score | SEAL | Confidence | Justification |
|---|---|---|---|---|---|---|
| SOV-4.1 | Portability & interoperability | 4. Formal migration services available | 125/167 | SEAL-4 | medium | Standards-based IaaS/PaaS (S3-compatible storage, managed Kubernetes, documented API) with documented export and OVHcloud formal migration services -> opt4. |
| SOV-4.2 | Ability to operate without foreign dependencies | 4. Ops predominantly EU-based teams | 125/167 | SEAL-3 | medium | eu_ops: operations on EU infrastructure with Cologne engineering and OVHcloud EU operations; teams predominantly EU-based -> opt4 (seal 3). |
| SOV-4.3 | Skill availability in the EU | 3. Majority EU, escalation abroad | 84/167 | SEAL-3 | low | Engineering and core staff EU-based (Cologne + OVHcloud France), majority of skills in the EU with some non-EU escalation -> opt3. |
| SOV-4.4 | Support channels | 3. Majority in EU, non-EU escalations | 84/167 | SEAL-3 | low | Support primarily EU-based (German/French operations) with possible non-EU escalation across the global group -> opt3. |
| SOV-4.5 | Documentation & knowledge transfer | 3. EU primary with non-EU fallback | 84/167 | SEAL-4 | low | Documentation/knowledge EU-primary (German/French/EU teams) with potential non-EU fallback within the global group -> opt3 (seal 4). |
| SOV-4.6 | Subcontractor & supplier jurisdiction | 4. Ability to source alternatives or internalise | 125/167 | SEAL-3 | low | Critical infrastructure (OVHcloud EU-built servers, EU datacenters) lets the provider source alternatives or internalise within the EU; not a guaranteed full-autonomy continuity contract -> opt4 (seal 3). |

| ID | Factor | Value | Score | SEAL | Confidence | Justification |
|---|---|---|---|---|---|---|
| SOV-5.1 | Origin of components (physical parts) | 3. Transparent with exceptions | 72/143 | SEAL-3 | medium | OVHcloud designs/assembles its own servers with transparent vertical integration, but underlying chips are foreign; transparent with exceptions -> opt3. |
| SOV-5.2 | Manufacturing location | 4. Built by EU teams on foreign design | 107/143 | SEAL-3 | medium | OVHcloud manufactures servers in its own EU factory (Croix, France); built by EU teams on foreign component designs -> opt4 (seal 3). |
| SOV-5.3 | Embedded code/firmware provenance | 2. Partial disclosure | 36/143 | SEAL-4 | low | Firmware/microcode in CPUs/NICs/storage from foreign vendors with only partial disclosure; provenance not EU-certified -> opt2 (seal 4). |
| SOV-5.4 | Origin of software | 4. Large majority maintained by EU teams | 107/143 | SEAL-3 | medium | own_stack, no foreign_core: gridscale orchestration platform is self-developed by the Cologne EU team and OVHcloud's stack is largely EU-maintained; large majority maintained by EU teams -> opt4 (seal 3). |
| SOV-5.5 | Software build/release jurisdiction | 4. EU control & execution | 107/143 | SEAL-3 | medium | Software developed, built and released by EU teams (gridscale Cologne / OVHcloud France) under EU control and execution -> opt4 (seal 3). |
| SOV-5.6 | Single point of dependency | 3. Few non-EU in critical services / documented | 72/143 | SEAL-2 | low | Few non-EU vendors remain in critical services (CPU/GPU silicon, certain firmware), documented at group level -> opt3 (seal 2). |
| SOV-5.7 | Supply chain transparency | 3. Critical suppliers auditable | 72/143 | SEAL-2 | low | Critical suppliers auditable within OVHcloud's vertically-integrated, ISO 27001-certified supply chain, but not the full upstream component chain -> opt3 (seal 2). |

| ID | Factor | Value | Score | SEAL | Confidence | Justification |
|---|---|---|---|---|---|---|
| SOV-6.1 | Interoperability & open interfaces | 4. Standards-based and broadly compatible | 150/200 | SEAL-3 | medium | Documented public API, S3-compatible object storage and managed Kubernetes; standards-based and broadly compatible interfaces -> opt4. |
| SOV-6.2 | Open standards compliance | 4. Policy for most core services | 150/200 | SEAL-3 | medium | Open standards (S3 API, Kubernetes, standard IaaS protocols) adopted as policy across most core services -> opt4. |
| SOV-6.3 | Open source availability | 2. Source available for review, strict rights | 50/200 | SEAL-2 | low | gridscale orchestration platform is proprietary closed-source (built on/interoperable with open-source components but source not openly published) -> opt2 (seal 2). |
| SOV-6.4 | Service architecture transparency | 3. Some public insight | 100/200 | SEAL-3 | low | Public API documentation and developer resources provide some public insight into the service architecture -> opt3. |
| SOV-6.5 | HPC sovereignty | 2. EU-hosted, foreign stack | 50/200 | SEAL-3 | low | Any HPC/GPU capacity (via OVHcloud) is EU-hosted but runs a foreign hardware stack (NVIDIA); EU-hosted, foreign stack -> opt2 (seal 3). |

| ID | Factor | Value | Score | SEAL | Confidence | Justification |
|---|---|---|---|---|---|---|
| SOV-7.1 | Security certification (EAL) | 4. EAL3 | 107/143 | SEAL-3 | medium | Certs held by gridscale product: ISO 27001 + BSI C5 + SOC 1 Type 2 (no SecNumCloud/EUCS-High). Per the key, BSI C5 is a high-assurance EU/national cloud certification mapping to EAL3 -> opt4 (seal 3). (src: https://gridscale.io/en/about-us/public-relations/bsi-c5-cloud-compliance/) |
| SOV-7.2 | EU regulatory compliance (GDPR/NIS2/DORA) | 4. Partial compliance to most | 107/143 | SEAL-4 | medium | GDPR-compliant EU operations; gridscale holds ISO 27001/27018, BSI C5, NIS2/DORA alignment; partial compliance to most regimes, not all independently audited for the product -> opt4. |
| SOV-7.3 | EU-based SOC & incident handling | 4. Entire lifecycle by EU teams, EU threat intel | 107/143 | SEAL-3 | low | Security operations and incident handling run by EU teams (German/French) with EU threat intelligence; full lifecycle within the EU group -> opt4 (seal 3). |
| SOV-7.4 | Control over security monitoring/logging | 4. Full direct access, logs stored in EU | 107/143 | SEAL-3 | low | Customers get direct access to monitoring/logging with logs stored in EU datacenters; tamper-proof immutable logging not clearly documented -> opt4. |
| SOV-7.5 | Disclosure of incidents | 4. Partial compliance, monitored flow, SLAs | 107/143 | SEAL-3 | low | GDPR/NIS2-aligned incident disclosure with monitored flow and SLAs per OVHcloud group practice; real-time CSIRT sharing not confirmed -> opt4. |
| SOV-7.6 | Maintenance autonomy | 3. Moderate autonomy (notice + testing, except zero-day) | 72/143 | SEAL-4 | low | Provider controls maintenance windows with customer notice and testing; moderate autonomy -> opt3 (seal 4). |
| SOV-7.7 | Auditability | 2. Limited independent access | 36/143 | SEAL-1 | low | No audit_rights: audits available only via certification frameworks (ISO 27001, C5), no tender-grade full audit rights for the contracting authority or independent EU bodies -> opt2 (seal 1). |

| ID | Factor | Value | Score | SEAL | Confidence | Justification |
|---|---|---|---|---|---|---|
| SOV-8.1 | Energy efficiency (PUE) | 4. PUE < 1.3 | 188/250 | SEAL-4 | medium | Parent OVHcloud reports average PUE ~1.28 via in-house water cooling; PUE < 1.3 -> opt4. (src: https://corporate.ovhcloud.com/en/sustainability/environment/) |
| SOV-8.2 | Hardware reuse & recycling | 4. Circular economy, EU-aligned | 188/250 | SEAL-4 | medium | OVHcloud runs a vertically-integrated circular model dismantling 100% of servers for reuse; EU-aligned circular economy -> opt4. |
| SOV-8.3 | Environmental impact reporting | 3. Annual report | 125/250 | SEAL-2 | low | OVHcloud publishes annual environmental/sustainability reporting (PUE, WUE); not clearly EU-audited at gridscale level -> opt3 (seal 2). |
| SOV-8.4 | Energy supplies | 4. Only EU energy supplies (high renewable) | 188/250 | SEAL-4 | low | EU datacenters (DE/NL/AT, plus OVHcloud FR) use largely traceable EU energy with high renewable share per OVHcloud green-tech commitments -> opt4. (src: https://corporate.ovhcloud.com/en/sustainability/environment/) |