| SOV-1 Strategic Sovereignty | SEAL-1 | |
| SOV-2 Legal & Jurisdictional Sovereignty | SEAL-1 | |
| SOV-3 Data & AI Sovereignty | SEAL-1 | |
| SOV-4 Operational Sovereignty | SEAL-1 | |
| SOV-5 Supply Chain Sovereignty | SEAL-1 | |
| SOV-6 Technology Sovereignty | SEAL-2 | |
| SOV-7 Security & Compliance Sovereignty | SEAL-1 | |
| SOV-8 Environmental Sustainability | SEAL-2 | |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-1.1 | EU/EEA legal entity control | 1. Entirely outside the EU | 0/125 | SEAL-1 | high | IBM Cloud is operated by International Business Machines Corporation, a US-incorporated, Armonk (NY)-headquartered public company. Legal entity control sits entirely outside the EU; EU MZRs and the EU support model are sub-offerings of a US parent. (src: https://www.ibm.com/investor) |
| SOV-1.2 | Change of control risk | 5. Very unlikely | 125/125 | SEAL-4 | high | IBM is a ~$160B+ market-cap US public company and a Dow component held by Vanguard/BlackRock; a takeover transferring it to a non-EU sovereign entity is very unlikely. |
| SOV-1.3 | Control over roadmap | 2. Through 'voice of the customer' public channels | 42/125 | SEAL-2 | medium | The IBM Cloud roadmap is set centrally by IBM in the US; EU customers influence it mainly through 'voice of the customer' feedback channels, with no EU governance body controlling the global service roadmap. |
| SOV-1.4 | Financial independence from non-EU capital | 1. Almost entirely relying on non-EU funding | 0/125 | SEAL-4 | high | IBM is funded almost entirely through US public capital markets and retained earnings; there is no material EU equity ownership of the parent. |
| SOV-1.5 | EU economic contribution | 2. Some | 31/125 | SEAL-4 | medium | IBM invests substantially in the EU (Frankfurt/Madrid MZRs, large EU workforce, research labs) but the majority of corporate value, R&D and profit accrues outside the EU; EU contribution is 'some' relative to the whole. |
| SOV-1.6 | Participation in EU strategic programs | 2. Limited participation | 31/125 | SEAL-4 | low | IBM participates in some EU-facing initiatives and public-sector frameworks and offers EU sovereign support, but it is not a core dependency of EU strategic programs; EU sovereignty programs explicitly aim to reduce reliance on US hyperscalers. Limited participation. |
| SOV-1.7 | Alignment with EU industrial strategies | 2. Existing action plan | 42/125 | SEAL-4 | low | IBM publishes EU sovereignty action plans (IBM Sovereign Core, EU sovereign support, EU data residency) aligned with EU digital goals, constituting an existing action plan, but as a US firm it is not a vehicle of EU industrial strategy. |
| SOV-1.8 | Resilience to cut-off | 3. Can continue temporarily per contractual agreement | 63/125 | SEAL-2 | medium | No own_stack, but the qualified EU offer (IBM Cloud EU MZRs / IBM Sovereign Core with EU data residency and EU support) runs in EU regions with EU-resident operations and contractual continuity arrangements, so it can continue operating temporarily per contractual agreement on a parent cut-off -> opt3 (seal 2). Normalised to opt3 across the US-hyperscaler cluster (same EU-region continuity profile as AWS/Oracle); an EU-region offering does not 'stop on cut-off' more than a peer's. (src: https://www.ibm.com/cloud/compliance/regional) |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-2.1 | Primary legal jurisdiction | 2. Mixed EU/non-EU | 84/167 | SEAL-1 | high | Mixed EU/non-EU law (SOV-2.1 opt2, seal 1): IBM offers EU contracting entities/Model Clauses but the ultimate parent and platform are governed by US law, so the qualified offer is not exclusively under EU/EEA member-state law -> key 'mixed/foreign law -> seal 1'. (src: https://www.ibm.com/cloud/compliance/regional) |
| SOV-2.2 | Extraterritorial laws exposure | 3. EU subsidiary with contractual protections | 84/167 | SEAL-1 | high | No immunity (SOV-2.2 opt3, seal 1): IBM offers EU contracting/Model Clauses and an EU support model, but a US-parented group's EU subsidiary is compellable via the parent and holds no SecNumCloud/EUCS-High -> key 'foreign parent + contractual clauses only -> opt3'. EU-subsidiary-with-contractual-protections does not grant certified immunity. Consistent with the cluster. (src: https://www.ibm.com/cloud/compliance/regional) |
| SOV-2.3 | Data access pathways for non-EU authorities | 2. Can compel access without notification, specific cases | 42/167 | SEAL-1 | high | foreign_parent (US CLOUD Act / FISA 702) -> SOV-2.3 opt2 (seal 1): IBM can be compelled to provide access without customer notification in specific national-security/gag-order cases; the EU support model adds approval/notification for routine access but cannot override compelled secret requests. This is the gating cap (SEAL-1). (src: https://www.ibm.com/cloud/compliance/regional) |
| SOV-2.4 | Export control restrictions | 3. Share of revenues >50% in the EU | 84/167 | SEAL-2 | low | No EU-Member-State-targeted export restrictions apply; IBM is a US firm subject to US EAR but has a large EU revenue share and no evidence of restrictions toward EU MSs. Conservatively placed at the revenue-share tier. |
| SOV-2.5 | Origin of IP | 1. Entirely outside the EU | 0/167 | SEAL-4 | high | Core IBM Cloud IP (platform software, watsonx models, IBM Z/Power and crypto-card designs) originates and is owned by IBM in the US; essentially entirely outside the EU. |
| SOV-2.6 | IP holder jurisdiction | 1. Non-EU law, single country | 0/167 | SEAL-3 | high | The IP is held by IBM US entities under US law in a single jurisdiction, so the IP holder sits under non-EU law in a single country. |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-3.1 | Customer control over encryption keys | 5. Customer exclusive control - provider cannot read data | 200/200 | SEAL-4 | high | IBM Cloud Hyper Protect Crypto Services provides Keep Your Own Key (KYOK) on FIPS 140-2 Level 4 HSMs (IBM 4768), giving customers exclusive key control where no IBM administrator can access the keys; provider cannot read the data. |
| SOV-3.2 | Transparent data flows & access logs | 4. Full customer-controlled visibility, not real-time | 150/200 | SEAL-3 | medium | IBM Cloud provides Activity Tracker and the EU support model gives Frankfurt clients access logs and approval over non-EU access, offering full customer-controlled visibility, though delivery is near-real-time and the pipeline is provider-operated. |
| SOV-3.3 | Secure deletion & proof of erasure | 3. Internal validation per policy, no proof | 100/200 | SEAL-1 | medium | IBM documents secure data destruction and decommissioning per policy (NIST 800-88, attested in SOC/ISO) but does not provide per-customer cryptographically independent proof of irreversible erasure; internal validation per policy without customer-verifiable proof. |
| SOV-3.4 | Data location strictly in EU/EEA | 4. EU by default, tightly controlled exceptions | 150/200 | SEAL-1 | medium | Not eu_exclusive (SOV-3.4 opt4, seal 1): IBM's EU MZRs (Frankfurt, Madrid) store/process data in-region by default, but the offering retains tightly-controlled support/metadata exceptions and a US-managed parent (not an air-gapped realm), so there is no contractual no-third-country-fallback guarantee -> key 'EU by default w/ controlled exceptions -> opt4 (seal 1)'. Above the seal-0 gate but genuinely below AWS ESC / Oracle Sovereign Cloud isolated realms (opt5). (src: https://www.ibm.com/cloud/compliance/regional) |
| SOV-3.5 | AI services sovereignty | 3. Mixed: auditable/open-source AI, foreign chips | 100/200 | SEAL-2 | medium | Mixed: auditable/open-source AI on foreign chips (SOV-3.5 opt3, seal 2). watsonx Granite models are open-sourced and auditable but US-developed (IBM, not EU-led) and run on foreign-designed/fabbed accelerators -> key 'brokered/foreign/open models on foreign chips -> opt3'. |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-4.1 | Portability & interoperability | 4. Formal migration services available | 125/167 | SEAL-4 | high | IBM Cloud is heavily built on Red Hat OpenShift, Kubernetes and open APIs and offers documented export tooling plus formal migration services, easing portability across environments; formal migration services available. |
| SOV-4.2 | Ability to operate without foreign dependencies | 2. Ops partially sourced within EU | 42/167 | SEAL-1 | medium | Critical operation of the global IBM Cloud control plane and core engineering is delivered largely by non-EU teams; the standard offering is partially EU-sourced (EU sovereign support) but cannot operate fully independently of non-EU teams (Sovereign Core is the exception, not the default). |
| SOV-4.3 | Skill availability in the EU | 2. Mixed, majority outside EU | 42/167 | SEAL-1 | medium | IBM's cloud engineering and skills are a global pool with the majority of core platform staff outside the EU (US/India), even though IBM has a very large EU workforce and EU-authorized sovereign support engineers exist for specific offerings. |
| SOV-4.4 | Support channels | 2. Mixed, majority outside EU | 42/167 | SEAL-2 | medium | IBM Cloud support is a global follow-the-sun model; an EU support model and EU sovereign support exist, but the broader support organisation and escalations sit mostly outside the EU for the standard offering. |
| SOV-4.5 | Documentation & knowledge transfer | 2. EU optional, not enforced | 42/167 | SEAL-2 | low | Documentation and knowledge bases are global (US-hosted, English-primary); EU-only handling is optional/not enforced for the standard offering. |
| SOV-4.6 | Subcontractor & supplier jurisdiction | 2. Service would stop with delay | 42/167 | SEAL-2 | low | Subcontractors/suppliers are predominantly non-EU; on a sustained supplier disruption the service would stop with some delay rather than continue autonomously under EU control. |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-5.1 | Origin of components (physical parts) | 2. Partial disclosure | 36/143 | SEAL-1 | medium | IBM discloses some hardware and supply-chain detail but does not publish full component provenance for its cloud fleet; partial disclosure with foreign-origin components. |
| SOV-5.2 | Manufacturing location | 2. Foreign origin, partial disclosure | 36/143 | SEAL-1 | high | Servers, GPUs and most silicon are manufactured outside the EU (Asia/US ODMs and fabs); foreign-origin manufacturing with only partial disclosure. |
| SOV-5.3 | Embedded code/firmware provenance | 2. Partial disclosure | 36/143 | SEAL-4 | medium | Firmware and embedded code are designed by IBM and component vendors (US/Asia) with limited published provenance; partial disclosure of firmware origin. |
| SOV-5.4 | Origin of software | 2. Foreign origin, partial disclosure | 36/143 | SEAL-2 | medium | foreign_core (SOV-5.4 opt2, seal 2): core IBM Cloud platform software is US-designed and US-maintained; though a large share is Red Hat/open-source (OpenShift, RHEL) with published source, the core is licensed non-EU tech -> key 'foreign_core w/ partial disclosure -> opt2 (2)'. |
| SOV-5.5 | Software build/release jurisdiction | 1. Non-EU control & execution | 0/143 | SEAL-1 | medium | Software build and release of the IBM Cloud platform are controlled and executed primarily by IBM in the US; non-EU control and non-EU execution for the standard offering. |
| SOV-5.6 | Single point of dependency | 1. Only non-EU vendors/facilities | 0/143 | SEAL-1 | high | Critical services depend on IBM itself as a non-EU vendor plus non-EU facilities and silicon; the dependency on a single non-EU vendor (IBM) for the whole stack is fundamental. |
| SOV-5.7 | Supply chain transparency | 2. Some suppliers auditable | 36/143 | SEAL-1 | medium | IBM's audit/attestation programs expose some supplier and control information to auditors, but the broad supply chain is not openly auditable by customers; some suppliers auditable. |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-6.1 | Interoperability & open interfaces | 3. Mixed (partial openness) | 100/200 | SEAL-2 | medium | IBM Cloud exposes many standards-based and open APIs (Kubernetes, OpenShift, S3-compatible object storage) but retains proprietary managed-service interfaces; mixed/partial openness. |
| SOV-6.2 | Open standards compliance | 3. Partial core adoption | 100/200 | SEAL-2 | medium | IBM adopts open standards across many core services via Red Hat/Kubernetes/SQL/object-storage APIs but has no blanket policy mandating open standards for all services; partial core adoption. |
| SOV-6.3 | Open source availability | 3. Open source, centralised governance | 100/200 | SEAL-3 | medium | IBM Cloud relies heavily on open-source (Red Hat OpenShift, RHEL, Kubernetes) and IBM open-sources Granite models, but the cloud platform substrate itself is governed centrally by IBM/Red Hat; open source with centralised governance best fits. |
| SOV-6.4 | Service architecture transparency | 3. Some public insight | 100/200 | SEAL-3 | medium | IBM publishes extensive architecture, security and compliance documentation and open-source code giving substantial public insight, though the deepest platform internals are revealed only under audit; some-to-large public insight. |
| SOV-6.5 | HPC sovereignty | 2. EU-hosted, foreign stack | 50/200 | SEAL-3 | low | IBM offers HPC/GPU capacity in EU regions but the HPC stack (accelerators, schedulers) is foreign-designed and foreign-fabbed; EU-hosted with a foreign HPC stack. |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-7.1 | Security certification (EAL) | 4. EAL3 | 107/143 | SEAL-3 | medium | Cert->EAL mapping (SOV-7.1 opt4 = EAL3, seal 3): IBM Cloud holds C5 (Germany) and ENS-High (Spain) plus ISO 27001/SOC 2 for the platform; per the key 'C5 / ENS-High -> EAL3 (opt4)'. No SecNumCloud/EUCS-High; the FIPS 140-2 L4 / CC-evaluated HSM is a single module, not platform-wide, so opt5 is not warranted for the offer as a whole. (src: https://www.ibm.com/products/cloud/compliance/c5) |
| SOV-7.2 | EU regulatory compliance (GDPR/NIS2/DORA) | 4. Partial compliance to most | 107/143 | SEAL-4 | high | IBM Cloud supports GDPR (DPA, EU Model Clauses), NIS2 and DORA frameworks and is independently audited, but full end-to-end compliance to all three is shared-responsibility and not absolute; partial compliance to most. |
| SOV-7.3 | EU-based SOC & incident handling | 2. Hybrid EU/non-EU | 36/143 | SEAL-1 | medium | IBM security operations and incident response run as a global organisation with EU presence but US-centred threat intelligence and escalation; hybrid EU/non-EU SOC for the standard offering. |
| SOV-7.4 | Control over security monitoring/logging | 4. Full direct access, logs stored in EU | 107/143 | SEAL-3 | medium | Customers get full direct access to security logs (Activity Tracker, monitoring) and can store them in EU regions, though tamper-proof immutability depends on customer configuration; full direct access with EU log storage. |
| SOV-7.5 | Disclosure of incidents | 4. Partial compliance, monitored flow, SLAs | 107/143 | SEAL-3 | medium | IBM provides GDPR/NIS2/DORA-aligned breach and incident notification to customers with contractual monitored SLAs, though not standard real-time CSIRT-network sharing -> partial compliance, monitored flow, SLAs, opt4 (seal 3). Normalised across the cluster. |
| SOV-7.6 | Maintenance autonomy | 3. Moderate autonomy (notice + testing, except zero-day) | 72/143 | SEAL-4 | medium | Customers have moderate maintenance autonomy over their workloads (maintenance windows, advance notice and testing) while IBM controls underlying platform maintenance, except for emergency/zero-day fixes. |
| SOV-7.7 | Auditability | 2. Limited independent access | 36/143 | SEAL-1 | medium | No audit_rights (SOV-7.7 opt2, seal 1): independent audit is limited to IBM-defined attestation programs (ISO, SOC, C5, ENS) under NDA; customers/independent EU bodies cannot freely audit IBM infrastructure -> key 'audits only via provider certification bodies -> seal 1'. |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-8.1 | Energy efficiency (PUE) | 3. PUE < 1.5 + roadmap | 125/250 | SEAL-4 | high | IBM reports a weighted-average data centre PUE of 1.46 (2023, improved from 1.55 in 2019) with an active cooling-efficiency improvement roadmap; this falls in the 'PUE < 1.5 + roadmap' tier (opt3, seal 4). (src: https://www.ibm.com/sustainability/environmental/energy-climate) |
| SOV-8.2 | Hardware reuse & recycling | 3. Documented program | 125/250 | SEAL-3 | medium | IBM runs a documented hardware reuse, refurbishment and recycling program reported in its corporate responsibility disclosures; documented program. |
| SOV-8.3 | Environmental impact reporting | 3. Annual report | 125/250 | SEAL-2 | high | IBM publishes a detailed annual ESG/sustainability report with energy, PUE and emissions metrics, but it is self-reported rather than independently EU-methodology-audited; annual report. |
| SOV-8.4 | Energy supplies | 3. Mix of EU and non-EU supplies | 125/250 | SEAL-4 | medium | IBM sources ~74% renewable electricity globally (2023; target 75% by 2025, 90% by 2030) drawn from a mix of EU and non-EU energy supplies rather than exclusively EU or exclusively green-EU sources; mix of EU and non-EU supplies. (src: https://www.ibm.com/sustainability/environmental/energy-climate) |