| SOV-1 Strategic Sovereignty | SEAL-0 | |
| SOV-2 Legal & Jurisdictional Sovereignty | SEAL-1 | |
| SOV-3 Data & AI Sovereignty | SEAL-0 | |
| SOV-4 Operational Sovereignty | SEAL-1 | |
| SOV-5 Supply Chain Sovereignty | SEAL-0 | |
| SOV-6 Technology Sovereignty | SEAL-2 | |
| SOV-7 Security & Compliance Sovereignty | SEAL-1 | |
| SOV-8 Environmental Sustainability | SEAL-2 |
| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-1.1 | EU/EEA legal entity control | 2. Mostly outside the EU | 42/125 | SEAL-1 | high | foreign_parent (Chinese): EU offering runs via Irish subsidiary Sparkoo Technologies Ireland, but controlling parent Huawei Investment & Holding is Chinese; control sits mostly outside the EU -> opt2 (seal 1). (src: https://scope-europe.eu/en/detail/sparkoo-technologies-ireland-co-limited-with-its-cloud-brand-name-huawei-cloud-declares-adherence-to-the-eu-cloud-code-of-conduct) |
| SOV-1.2 | Change of control risk | 5. Very unlikely | 125/125 | SEAL-4 | medium | Already a Chinese-controlled group; no realistic risk of further takeover by another non-EU sovereign entity, so a transfer is very unlikely -> opt5 (all-seal-4 factor, choice kept). |
| SOV-1.3 | Control over roadmap | 2. Through 'voice of the customer' public channels | 42/125 | SEAL-2 | medium | foreign_parent: roadmap is set centrally by Huawei in China; EU customers have only voice-of-customer public channels, no EU governance body -> opt2 (seal 2). |
| SOV-1.4 | Financial independence from non-EU capital | 1. Almost entirely relying on non-EU funding | 0/125 | SEAL-4 | high | Funding originates almost entirely from the Chinese parent group; no meaningful EU capital base -> opt1 (all-seal-4 factor, choice kept). |
| SOV-1.5 | EU economic contribution | 2. Some | 31/125 | SEAL-4 | medium | Some EU economic contribution via Irish entity, data centres and local jobs, but the bulk of R&D, manufacturing and value capture is in China -> opt2 (all-seal-4 factor, choice kept). |
| SOV-1.6 | Participation in EU strategic programs | 2. Limited participation | 31/125 | SEAL-4 | medium | Gaia-X member but contentious; not a recognised participant in EU strategic programs like IPCEI-CIS, only limited participation -> opt2 (all-seal-4 factor, choice kept). |
| SOV-1.7 | Alignment with EU industrial strategies | 1. No evidence exists | 0/125 | SEAL-4 | medium | No evidence of alignment with EU industrial strategy; positions itself as an alternative to Western/EU tech and EU policy treats it as a sovereignty risk -> opt1 (all-seal-4 factor, choice kept). |
| SOV-1.8 | Resilience to cut-off | 2. Service would stop, with delay for customer reaction | 31/125 | SEAL-0 | low | No own_stack: not EU-autonomous; on a sanctions/export cut-off the service would stop with some delay for customer reaction (single non-EU vendor/parent dependency) -> opt2 (seal 0). |
| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-2.1 | Primary legal jurisdiction | 2. Mixed EU/non-EU | 84/167 | SEAL-1 | high | EU ops under Irish entity (Sparkoo Technologies Ireland) but ultimate parent and IP governed by PRC law; jurisdiction is mixed EU/non-EU -> opt2 (seal 1). (src: https://eucoc.cloud/en/detail/press-release-huawei-cloud-becomes-a-member-of-the-eu-cloud-code-of-conduct) |
| SOV-2.2 | Extraterritorial laws exposure | 2. Mitigation clauses, exposure remains | 42/167 | SEAL-1 | high | No immunity: EU subsidiary with contractual privacy commitments (EU Cloud CoC adherence) but remains exposed to PRC National Intelligence/Data Security/Cybersecurity laws via the parent -> opt2 (seal 1). Genuine differentiator vs peers: dedicated Irish operating entity. (src: https://www.huaweicloud.com/eu/securecenter/compliance/compliance-center/eu_cloud_coc.html) |
| SOV-2.3 | Data access pathways for non-EU authorities | 1. Can compel access without customer notification | 0/167 | SEAL-1 | high | foreign_parent (PRC law): National Intelligence Law Art. 7 compels Chinese organisations and overseas subsidiaries to assist intelligence work, allowing compelled access without notification -> opt1 (seal 1) [caps SEAL at 1]. (src: https://www.huaweicloud.com/eu/securecenter/compliance/compliance-center/eu_cloud_coc.html) |
| SOV-2.4 | Export control restrictions | 2. Restrictions towards EU citizens or international orgs | 42/167 | SEAL-1 | medium | Subject to extensive Western export controls affecting chip/tech supply, creating restriction risk toward EU customers and international orgs -> opt2 (seal 1). |
| SOV-2.5 | Origin of IP | 1. Entirely outside the EU | 0/167 | SEAL-4 | high | Core IP (Kunpeng/Ascend chips, Pangu models, cloud software) is designed and held in China, entirely outside the EU -> opt1 (all-seal-4 factor, choice kept). |
| SOV-2.6 | IP holder jurisdiction | 1. Non-EU law, single country | 0/167 | SEAL-3 | high | IP held under PRC law by Chinese entities, a single non-EU country -> opt1 (seal 3). |
| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-3.1 | Customer control over encryption keys | 3. Shared - provider has override keys | 100/200 | SEAL-2 | medium | KMS/customer-managed keys offered, but as provider it retains override capability and is compellable under PRC law; keys are shared, not customer-exclusive -> opt3 (seal 2). |
| SOV-3.2 | Transparent data flows & access logs | 3. Logs exist but not real-time / vendor-controlled | 100/200 | SEAL-2 | medium | Cloud Trace/audit logging exists but is vendor-operated, not real-time independently auditable by the customer -> opt3 (seal 2). |
| SOV-3.3 | Secure deletion & proof of erasure | 3. Internal validation per policy, no proof | 100/200 | SEAL-1 | low | Deletion performed per internal policy with confirmation but without independently verifiable proof of irreversible erasure -> opt3 (seal 1). |
| SOV-3.4 | Data location strictly in EU/EEA | 2. Partly EU, significant third-country reliance | 50/200 | SEAL-0 | medium | No eu_exclusive guarantee: although it has genuine EU regions (Dublin/Amsterdam/Paris) the offer is global-default with non-EU regions, global support and PRC parent access -> significant third-country reliance -> opt2 (seal 0 gate). (src: https://www.huaweicloud.com/eu/securecenter/data_protection/region_query.html) |
| SOV-3.5 | AI services sovereignty | 2. Mostly non-EU: licensed AI, chip dependency | 50/200 | SEAL-2 | high | Pangu models and Ascend AI accelerators are Chinese-origin; AI services are largely licensed/black-box with a hard non-EU chip dependency -> opt2 (seal 2). |
| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-4.1 | Portability & interoperability | 3. Standard documented data export methods | 84/167 | SEAL-4 | medium | Standard documented data export and S3/OpenStack-compatible interfaces enable standard export methods, though no sovereign-infra deployment -> opt3 (seal 4). |
| SOV-4.2 | Ability to operate without foreign dependencies | 2. Ops partially sourced within EU | 42/167 | SEAL-1 | medium | No eu_ops: critical engineering and platform operations run from China with EU regions locally staffed; ops only partially sourced within the EU -> opt2 (seal 1). |
| SOV-4.3 | Skill availability in the EU | 2. Mixed, majority outside EU | 42/167 | SEAL-1 | medium | Workforce and expertise predominantly in China with EU-local presence; majority of skills sit outside the EU -> opt2 (seal 1). |
| SOV-4.4 | Support channels | 2. Mixed, majority outside EU | 42/167 | SEAL-2 | low | Support is global with significant follow-the-sun/China-based escalation; majority of support capability is outside the EU -> opt2 (seal 2). |
| SOV-4.5 | Documentation & knowledge transfer | 2. EU optional, not enforced | 42/167 | SEAL-2 | low | EU-language documentation and trust-centre material exist but EU-only knowledge custody not enforced; global repositories apply -> opt2 (seal 2). |
| SOV-4.6 | Subcontractor & supplier jurisdiction | 2. Service would stop with delay | 42/167 | SEAL-2 | low | No own_stack: on loss of the foreign parent/chip supply chain the service would stop with delay; limited ability to internalise critical functions in the EU -> opt2 (seal 2). |
| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-5.1 | Origin of components (physical parts) | 2. Partial disclosure | 36/143 | SEAL-1 | medium | Hardware (Kunpeng/Ascend, Huawei servers) is Chinese-origin with only partial public disclosure of component provenance -> opt2 (seal 1). |
| SOV-5.2 | Manufacturing location | 2. Foreign origin, partial disclosure | 36/143 | SEAL-1 | high | Servers and silicon designed and manufactured in China; foreign origin with at best partial disclosure, no EU build -> opt2 (seal 1). |
| SOV-5.3 | Embedded code/firmware provenance | 2. Partial disclosure | 36/143 | SEAL-4 | medium | Firmware/embedded code is Huawei-proprietary from China with only partial disclosure; no EU-certified firmware provenance -> opt2 (all-seal-4 factor, choice kept). |
| SOV-5.4 | Origin of software | 1. Fully foreign origin, black box | 0/143 | SEAL-0 | high | Worse than foreign_core: cloud software is fully Chinese-origin black-box, designed and maintained in China, not EU-maintained and not a disclosed licensed core -> opt1 (seal 0 gate). |
| SOV-5.5 | Software build/release jurisdiction | 1. Non-EU control & execution | 0/143 | SEAL-1 | medium | Software build and release pipeline is controlled and executed in China; non-EU control and execution -> opt1 (seal 1). |
| SOV-5.6 | Single point of dependency | 2. Mostly non-EU, undocumented | 36/143 | SEAL-1 | medium | Critical dependencies (chips, core software, parent) are non-EU and largely undocumented from a sovereignty standpoint -> opt2 (seal 1). |
| SOV-5.7 | Supply chain transparency | 2. Some suppliers auditable | 36/143 | SEAL-1 | low | Some certification-driven auditability exists, but the deep China-based supply chain is not broadly independently auditable -> opt2 (seal 1). |
| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-6.1 | Interoperability & open interfaces | 3. Mixed (partial openness) | 100/200 | SEAL-2 | medium | Mix of proprietary APIs with some OpenStack/S3-compatible and Kubernetes-based open interfaces; partial openness -> opt3 (seal 2). |
| SOV-6.2 | Open standards compliance | 3. Partial core adoption | 100/200 | SEAL-2 | medium | Partial adoption of open standards (OpenStack, Kubernetes, S3 API) across core services rather than a comprehensive open-standards policy -> opt3 (seal 2). |
| SOV-6.3 | Open source availability | 2. Source available for review, strict rights | 50/200 | SEAL-2 | low | foreign_core: platform largely vendor-controlled; Huawei contributes to some OSS but the cloud stack itself is mostly closed with limited review rights -> opt2 (seal 2). |
| SOV-6.4 | Service architecture transparency | 3. Some public insight | 100/200 | SEAL-3 | low | Public architecture/security white papers and trust-centre documentation provide some public insight into the service architecture -> opt3 (seal 3). |
| SOV-6.5 | HPC sovereignty | 2. EU-hosted, foreign stack | 50/200 | SEAL-3 | medium | HPC/AI compute can be EU-hosted but runs on a fully foreign (Chinese Ascend) stack, no EU processor IP -> opt2 (seal 3). |
| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-7.1 | Security certification (EAL) | 4. EAL3 | 107/143 | SEAL-3 | medium | Holds German BSI C5 plus ISO 27001 and SOC 2 Type II; per gating_key BSI C5 (high-assurance national cloud cert) maps to EAL3 -> SOV-7.1 opt4 (seal 3; was opt3). Applied identically to Alibaba which also holds C5. (src: https://www.huaweicloud.com/intl/en-us/securecenter/compliance/compliance-center.html) |
| SOV-7.2 | EU regulatory compliance (GDPR/NIS2/DORA) | 4. Partial compliance to most | 107/143 | SEAL-4 | medium | GDPR alignment, EU Cloud Code of Conduct adherence (Sparkoo Ireland) and broad certifications indicate partial compliance to most EU regulatory regimes -> opt4 (all-seal-4 factor, choice kept). |
| SOV-7.3 | EU-based SOC & incident handling | 2. Hybrid EU/non-EU | 36/143 | SEAL-1 | low | Security operations and incident response are hybrid, with EU presence but China-based escalation and threat intelligence -> opt2 (seal 1). |
| SOV-7.4 | Control over security monitoring/logging | 3. Basic monitoring portal | 72/143 | SEAL-1 | low | Customers get a monitoring/logging portal (Cloud Eye/Cloud Trace) but not full immutable EU-resident tamper-proof control of all logs -> opt3 (seal 1). |
| SOV-7.5 | Disclosure of incidents | 3. Moderate (GDPR/NIS2-aligned) | 72/143 | SEAL-2 | medium | Incident disclosure is GDPR/NIS2-aligned for the EU entity but without demonstrated real-time CSIRT integration -> opt3 (seal 2). |
| SOV-7.6 | Maintenance autonomy | 3. Moderate autonomy (notice + testing, except zero-day) | 72/143 | SEAL-4 | low | Customers have moderate maintenance autonomy with notice and testing windows for non-zero-day updates -> opt3 (seal 4). |
| SOV-7.7 | Auditability | 2. Limited independent access | 36/143 | SEAL-1 | low | No audit_rights: auditability limited to certification-driven access and vendor-mediated audits; no full independent audit by any entity -> opt2 (seal 1). |
| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-8.1 | Energy efficiency (PUE) | 3. PUE < 1.5 + roadmap | 125/250 | SEAL-4 | medium | Flagship Huawei data centres report PUE around 1.12-1.15 with an efficiency roadmap, but these are not EU-verified figures for the EU regions -> PUE<1.5 + roadmap -> opt3 (seal 4). (src: https://www.huawei.com/en/sustainability/the-latest/stories/green-data-centers-optimal-pue) |
| SOV-8.2 | Hardware reuse & recycling | 3. Documented program | 125/250 | SEAL-3 | low | Documented hardware reuse and recycling programs, but not demonstrably EU-aligned circular-economy certification -> opt3 (seal 3). |
| SOV-8.3 | Environmental impact reporting | 3. Annual report | 125/250 | SEAL-2 | low | Annual sustainability/environmental reporting published at group level, but not using a detailed EU methodology or EU-audited -> opt3 (seal 2). |
| SOV-8.4 | Energy supplies | 3. Mix of EU and non-EU supplies | 125/250 | SEAL-4 | low | Energy supply for EU data centres draws on a mix of EU grid and renewable PPAs alongside non-EU group operations; mixed EU/non-EU supply -> opt3 (all-seal-4 factor, choice kept). (src: https://www.huawei.com/en/sustainability/the-latest/stories/full-liquid-cooling-data-centers-energy-efficient) |