| SOV-1 Strategic Sovereignty | SEAL-1 | |
| SOV-2 Legal & Jurisdictional Sovereignty | SEAL-1 | |
| SOV-3 Data & AI Sovereignty | SEAL-0 | |
| SOV-4 Operational Sovereignty | SEAL-0 | |
| SOV-5 Supply Chain Sovereignty | SEAL-1 | |
| SOV-6 Technology Sovereignty | SEAL-2 | |
| SOV-7 Security & Compliance Sovereignty | SEAL-1 | |
| SOV-8 Environmental Sustainability | SEAL-1 | |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-1.1 | EU/EEA legal entity control | 1. Entirely outside the EU | 0/125 | SEAL-1 | high | iomart Group plc is headquartered in Glasgow, Scotland and incorporated in the UK, operating wholly-owned UK data centres only (no EU/EEA footprint); the UK is a third country (not EU/EEA), so the legal entity is entirely outside the EU -> SOV-1.1 opt1 (seal 1). (src: https://www.iomart.com/our-data-centres) |
| SOV-1.2 | Change of control risk | 4. Unlikely takeover/transfer to non-EU sovereign entity | 94/125 | SEAL-4 | medium | An LSE/AIM-listed independent plc could in principle be acquired, but there is no current evidence of an imminent non-EU sovereign takeover; takeover to a non-EU sovereign entity is unlikely rather than very unlikely. |
| SOV-1.3 | Control over roadmap | 2. Through 'voice of the customer' public channels | 42/125 | SEAL-2 | low | As a commercial UK provider, roadmap influence is via standard customer feedback channels; no EU-actor governance bodies exist. |
| SOV-1.4 | Financial independence from non-EU capital | 3. Balanced mix of EU and non-EU funding | 63/125 | SEAL-4 | low | Funding comes from UK public-market equity and UK banking facilities (non-EU); investor base is global, so neither clearly EU- nor clearly non-EU-dominated. Treated as a balanced/indeterminate mix, but the funding is structurally non-EU. |
| SOV-1.5 | EU economic contribution | 1. Minimal | 0/125 | SEAL-4 | medium | iomart's operations, data centres, employment and revenue are concentrated in the UK with no EU footprint; EU economic contribution is minimal. |
| SOV-1.6 | Participation in EU strategic programs | 1. No clear participation | 0/125 | SEAL-4 | high | No evidence of participation in EU strategic programs such as Gaia-X or IPCEI-CIS. |
| SOV-1.7 | Alignment with EU industrial strategies | 1. No evidence exists | 0/125 | SEAL-4 | high | A UK provider aligned with UK government targets shows no evidence of alignment with EU industrial strategies. |
| SOV-1.8 | Resilience to cut-off | 3. Can continue temporarily per contractual agreement | 63/125 | SEAL-2 | low | foreign_core (VMware/Microsoft/NVIDIA core, no own_stack): iomart owns its UK data centres and dark-fibre network so under contract workloads could continue temporarily, but the platform depends on non-EU VMware/Broadcom + Microsoft software supply chains -> not fully autonomous, SOV-1.8 opt3 (seal 2). Normalised with the VMware-core cluster members (Pulsant). (src: https://www.iomart.com/our-data-centres) |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-2.1 | Primary legal jurisdiction | 1. Non-EU only | 0/167 | SEAL-1 | high | no EU jurisdiction: contract under UK (third-country) law only -> SOV-2.1 opt1 (seal 1); EU law does not exclusively govern the service. (src: https://www.iomart.com/about-us/our-accreditations) |
| SOV-2.2 | Extraterritorial laws exposure | 2. Mitigation clauses, exposure remains | 42/167 | SEAL-1 | medium | no immunity (UK entity, no SecNumCloud/EUCS-High, exposed to UK Investigatory Powers Act + India processing via Atech) -> SOV-2.2 opt2 (mitigation clauses, exposure remains, seal 1). |
| SOV-2.3 | Data access pathways for non-EU authorities | 2. Can compel access without notification, specific cases | 42/167 | SEAL-1 | medium | no immunity: subject to non-EU compelled access under the UK Investigatory Powers Act (compelled access without notification in specific cases) -> SOV-2.3 opt2 (seal 1); cannot commit to always reject. Normalised across the UK cluster (all subject to UK IPA). |
| SOV-2.4 | Export control restrictions | 2. Restrictions towards EU citizens or international orgs | 42/167 | SEAL-1 | low | no eu_exclusive: as a non-EU (UK) provider with UK-majority revenue (<50% in the EU) the offer is not shielded from non-EU export controls affecting EU citizens/orgs; no EU-MS-specific restriction identified -> SOV-2.4 opt2 (seal 1). Normalised with the UK cluster. |
| SOV-2.5 | Origin of IP | 1. Entirely outside the EU | 0/167 | SEAL-4 | medium | Core platform IP is foreign: VMware Cloud Foundation (US/Broadcom), Microsoft Azure, NVIDIA; iomart's own IP is UK (non-EU). Origin of IP is entirely outside the EU. |
| SOV-2.6 | IP holder jurisdiction | 1. Non-EU law, single country | 0/167 | SEAL-3 | medium | IP holders (Broadcom/VMware, Microsoft, NVIDIA in the US; iomart in the UK) are governed by non-EU law, predominantly a single country (US) plus UK. |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-3.1 | Customer control over encryption keys | 3. Shared - provider has override keys | 100/200 | SEAL-2 | low | As a managed VMware/private-cloud provider, encryption is typically available with provider involvement; customer-managed keys are not the default and the provider generally retains override capability. |
| SOV-3.2 | Transparent data flows & access logs | 3. Logs exist but not real-time / vendor-controlled | 100/200 | SEAL-2 | low | Enterprise managed-hosting provides access logs and reporting, but visibility is largely vendor-controlled and not real-time independently auditable by the customer. |
| SOV-3.3 | Secure deletion & proof of erasure | 3. Internal validation per policy, no proof | 100/200 | SEAL-1 | low | ISO 27001-certified operations imply documented deletion per policy, but no published independently verifiable proof-of-erasure mechanism. |
| SOV-3.4 | Data location strictly in EU/EEA | 2. Partly EU, significant third-country reliance | 50/200 | SEAL-0 | high | no eu_exclusive: data sits in UK data centres (third country vs EU/EEA) plus offshore Atech/India -> SOV-3.4 opt2 (partly EU, significant third-country reliance, seal 0). This is the decisive SEAL-0 gate. (src: https://www.iomart.com/our-data-centres) |
| SOV-3.5 | AI services sovereignty | 2. Mostly non-EU: licensed AI, chip dependency | 50/200 | SEAL-2 | medium | foreign AI stack: Private AI Cloud on VMware + NVIDIA (licensed models, foreign chips) -> SOV-3.5 opt2 (seal 2). |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-4.1 | Portability & interoperability | 3. Standard documented data export methods | 84/167 | SEAL-4 | low | Built on VMware/standard virtualization with documented data-export methods and managed-migration services typical of enterprise hosting. |
| SOV-4.2 | Ability to operate without foreign dependencies | 2. Ops partially sourced within EU | 42/167 | SEAL-1 | medium | Operations are predominantly UK-based (non-EU) with offshore delivery in India and Poland via Atech; from an EU perspective ops are only partially within the EU (Poland) and not EU-controlled. |
| SOV-4.3 | Skill availability in the EU | 2. Mixed, majority outside EU | 42/167 | SEAL-1 | medium | Engineering and support staff are mainly UK-based (non-EU) plus offshore India/Poland; the EU-resident skilled workforce is a minority. |
| SOV-4.4 | Support channels | 2. Mixed, majority outside EU | 42/167 | SEAL-2 | medium | Support is UK-centric with offshore (India) escalation; the majority of support staff sit outside the EU/EEA. |
| SOV-4.5 | Documentation & knowledge transfer | 1. Global/non-EU exposure | 0/167 | SEAL-0 | low | Documentation and knowledge are managed in the UK with global/offshore exposure; no EU-only knowledge-transfer guarantee. |
| SOV-4.6 | Subcontractor & supplier jurisdiction | 3. Continue temporarily per contractual agreement | 84/167 | SEAL-3 | low | iomart owns its facilities and could continue temporarily, but it depends on subcontracted suppliers (VMware/Broadcom, Microsoft) under contractual terms rather than full autonomy. |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-5.1 | Origin of components (physical parts) | 2. Partial disclosure | 36/143 | SEAL-1 | low | Hardware component provenance is only partially disclosed; servers and chips are foreign-sourced (e.g. NVIDIA, x86) with no EU-certified provenance. |
| SOV-5.2 | Manufacturing location | 2. Foreign origin, partial disclosure | 36/143 | SEAL-1 | low | Compute hardware is of foreign origin with limited disclosure; not built or designed by EU teams. |
| SOV-5.3 | Embedded code/firmware provenance | 2. Partial disclosure | 36/143 | SEAL-4 | low | Firmware/embedded code provenance is at best partially disclosed and originates from foreign hardware vendors. |
| SOV-5.4 | Origin of software | 2. Foreign origin, partial disclosure | 36/143 | SEAL-2 | medium | foreign_core: core platform is licensed VMware Cloud Foundation + Microsoft Azure (US tech) with UK management layered on -> SOV-5.4 opt2 (foreign origin, partial disclosure, seal 2 ceiling). |
| SOV-5.5 | Software build/release jurisdiction | 2. EU control, non-EU execution | 36/143 | SEAL-1 | low | Software build/release of the underlying platform is controlled and executed by non-EU vendors (US); iomart's own UK builds are also non-EU. Best fit is non-EU control with limited EU execution. |
| SOV-5.6 | Single point of dependency | 2. Mostly non-EU, undocumented | 36/143 | SEAL-1 | medium | Critical services depend heavily on non-EU vendors (Broadcom/VMware, Microsoft, NVIDIA) with limited public documentation of mitigations; mostly non-EU dependency. |
| SOV-5.7 | Supply chain transparency | 2. Some suppliers auditable | 36/143 | SEAL-1 | low | Some suppliers/certifications are auditable via ISO frameworks, but the full critical supply chain is not independently auditable. |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-6.1 | Interoperability & open interfaces | 3. Mixed (partial openness) | 100/200 | SEAL-2 | low | VMware-based platform offers standard APIs and partial openness, but is not open-by-default; portability is partial. |
| SOV-6.2 | Open standards compliance | 3. Partial core adoption | 100/200 | SEAL-2 | low | Partial adoption of open/industry standards (VMware, common virtualization and storage formats) rather than a policy across all core services. |
| SOV-6.3 | Open source availability | 1. Fully closed-source, vendor-controlled | 0/200 | SEAL-2 | medium | foreign_core: core platform (VMware, Microsoft Azure) is closed-source vendor-controlled tech -> SOV-6.3 opt1 (fully closed-source, seal 2 ceiling); iomart is not open-source-centric. |
| SOV-6.4 | Service architecture transparency | 2. Insight accessible during audits | 50/200 | SEAL-2 | low | Architecture insight is provided mainly under audit/customer engagement (ISO-certified) rather than broadly published. |
| SOV-6.5 | HPC sovereignty | 2. EU-hosted, foreign stack | 50/200 | SEAL-3 | medium | AI/HPC is EU-region-absent and built on foreign (NVIDIA) accelerators and VMware stack hosted in the UK; the closest fit is hosted-but-foreign-stack, noting hosting is UK not EU. |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-7.1 | Security certification (EAL) | 2. EAL1 | 36/143 | SEAL-1 | medium | certs = ISO 27001 (+ISO 20000/9001/14001/50001, PCI DSS L1, Cyber Essentials), no SecNumCloud/EUCS/C5/ENS-High -> below the 'ISO 27001 + SOC 2 + C5 = EAL2' bar; maps to ISO-27001-only -> SOV-7.1 opt2 EAL1 (seal 1). (src: https://www.iomart.com/about-us/our-accreditations) |
| SOV-7.2 | EU regulatory compliance (GDPR/NIS2/DORA) | 4. Partial compliance to most | 107/143 | SEAL-4 | medium | Strong compliance posture (ISO 27001, PCI DSS L1, UK GDPR) but as a UK entity it is not within the EU NIS2/DORA regime; partial compliance to most EU regulations. |
| SOV-7.3 | EU-based SOC & incident handling | 2. Hybrid EU/non-EU | 36/143 | SEAL-1 | low | SOC and incident handling are UK-based with offshore (India) security operations via Atech; hybrid EU/non-EU at best, and UK is non-EU. |
| SOV-7.4 | Control over security monitoring/logging | 3. Basic monitoring portal | 72/143 | SEAL-1 | low | Customers get monitoring portals/reports typical of managed hosting, but logs are stored in UK (non-EU) and control is partly provider-retained. |
| SOV-7.5 | Disclosure of incidents | 3. Moderate (GDPR/NIS2-aligned) | 72/143 | SEAL-2 | low | Incident disclosure aligns with UK GDPR / ISO 27001 breach-notification practices (GDPR/NIS2-aligned in substance) without real-time CSIRT sharing. |
| SOV-7.6 | Maintenance autonomy | 3. Moderate autonomy (notice + testing, except zero-day) | 72/143 | SEAL-4 | low | As operator of its own infrastructure iomart has moderate maintenance autonomy (scheduled with notice/testing), though dependent on vendor patch cycles for VMware/Microsoft. |
| SOV-7.7 | Auditability | 2. Limited independent access | 36/143 | SEAL-1 | low | no audit_rights (no sovereign-tender commitment): auditability only via ISO/PCI certification bodies, not full audit by the contracting authority or independent EU bodies -> SOV-7.7 opt2 (seal 1). |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-8.1 | Energy efficiency (PUE) | 2. PUE < 3 | 63/250 | SEAL-1 | high | Reported average PUE is around 1.9 across sites, which is below 3 but well above the 1.5 efficiency threshold -> SOV-8.1 opt2 (seal 1). (src: https://www.iomart.com/katrick-technologies) |
| SOV-8.2 | Hardware reuse & recycling | 3. Documented program | 125/250 | SEAL-3 | low | ISO 14001/50001 certified with carbon-reduction plan implies a documented hardware lifecycle/recycling program, but not an EU-certified circular-economy program. |
| SOV-8.3 | Environmental impact reporting | 3. Annual report | 125/250 | SEAL-2 | medium | iomart publishes a Carbon Reduction Plan and ESG reporting annually; not audited to a detailed EU methodology. |
| SOV-8.4 | Energy supplies | 3. Mix of EU and non-EU supplies | 125/250 | SEAL-4 | medium | Data centres run on 100% REGO-certified renewable energy plus onsite solar, but the supply is UK (non-EU); treated as a traceable mix of EU/non-EU supplies since the high-renewable EU-only options do not apply to a UK grid. (src: https://www.iomart.com/katrick-technologies) |