| SOV-1 Strategic Sovereignty | SEAL-4 | |
| SOV-2 Legal & Jurisdictional Sovereignty | SEAL-2 | |
| SOV-3 Data & AI Sovereignty | SEAL-1 | |
| SOV-4 Operational Sovereignty | SEAL-3 | |
| SOV-5 Supply Chain Sovereignty | SEAL-3 | |
| SOV-6 Technology Sovereignty | SEAL-2 | |
| SOV-7 Security & Compliance Sovereignty | SEAL-1 | |
| SOV-8 Environmental Sustainability | SEAL-3 |
| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-1.1 | EU/EEA legal entity control | 4. Entirely within the EU | 125/125 | SEAL-4 | high | eu_entity: IONOS Group SE / IONOS SE incorporated and HQ'd in Montabaur/Karlsruhe, Germany, listed on Frankfurt; controlling entity entirely within the EU -> SOV-1.1 opt4. (src: https://www.ionos-group.com/investor-relations/newsroom/new-cloud-data-centre-in-frankfurt-ionos-sets-an-example-for-digital-sovereignty-in-europe.html) |
| SOV-1.2 | Change of control risk | 5. Very unlikely | 125/125 | SEAL-4 | high | Controlled (~63.8%) by German parent United Internet AG; US PE firm Warburg Pincus fully exited in March 2025 (final tranche sold 27 March 2025), removing the prior non-EU stake, so transfer to a non-EU sovereign entity is very unlikely -> SOV-1.2 opt5 (all options seal 4). (src: https://www.marketscreener.com/quote/stock/IONOS-GROUP-SE-150152108/news/Financial-investor-Warburg-Pincus-exits-Ionos-share-price-down-49462521/) |
| SOV-1.3 | Control over roadmap | 4. Full influence of EU actors | 125/125 | SEAL-4 | medium | EU-controlled vendor with own R&D and a Gaia-X/Sovereign-X governance role; EU actors have full influence over the roadmap with no non-EU party constraining it -> SOV-1.3 opt4. |
| SOV-1.4 | Financial independence from non-EU capital | 4. Majority of funding is EU-based | 94/125 | SEAL-4 | high | Majority EU funding: German parent United Internet AG ~63.8% plus Frankfurt free float; Warburg Pincus (US PE) fully exited March 2025, so majority/largely-EU funding -> SOV-1.4 opt4 (all options seal 4). |
| SOV-1.5 | EU economic contribution | 4. Majority in the EU | 94/125 | SEAL-4 | medium | R&D, server-hardware engineering, owned datacentres and the bulk of the workforce are in the EU (chiefly Germany); economic contribution majority-EU, though it operates some US/UK datacentres -> SOV-1.5 opt4 (all options seal 4). |
| SOV-1.6 | Participation in EU strategic programs | 4. Strong participation | 94/125 | SEAL-4 | high | One of the largest members of Gaia-X and Sovereign-X and a flagship for European digital sovereignty; strong participation in EU strategic programs -> SOV-1.6 opt4 (all options seal 4). |
| SOV-1.7 | Alignment with EU industrial strategies | 3. Measured achievement and dedicated governance | 83/125 | SEAL-4 | medium | Markets a sovereign-cloud strategy with German/EU data residency and a published Climate Strategy 2030; measured achievement and dedicated governance aligned with EU industrial strategy -> SOV-1.7 opt3 (all options seal 4). |
| SOV-1.8 | Resilience to cut-off | 5. Full autonomy and continuity | 125/125 | SEAL-4 | medium | own_stack: designs/builds own server hardware, owns/operates its datacentres and runs its own in-house software stack; vertically integrated EU provider with continuity not dependent on any non-EU vendor (residual foreign chips only) -> SOV-1.8 opt5 'Full autonomy and continuity' (seal 4) per the own_stack judgment call. |
| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-2.1 | Primary legal jurisdiction | 3. Exclusively EU law | 167/167 | SEAL-4 | high | For EU customers the contracting entity is IONOS SE / IONOS Cloud under German law; the Germany-only/Karlsruhe region guarantees data, metadata and database logs never leave German jurisdiction (a separate IONOS Cloud Inc. handles US business). Core EU contract exclusively under EU law -> SOV-2.1 opt3 (seal 4). (src: https://www.ionos.com/digitalguide/server/security/cloud-computing-compliance-criteria-catalogue/) |
| SOV-2.2 | Extraterritorial laws exposure | 4. Legal structures shielding from foreign law | 125/167 | SEAL-2 | medium | eu_entity with structural separation but no certified immunity: German company with no non-EU parent, publishing a CLOUD Act white paper arguing its German entity is outside US reach, BUT it holds no SecNumCloud 3.2 / EUCS-High and runs a US subsidiary/datacentres (operational nexus). Legal structures shielding, not verified immunity -> SOV-2.2 opt4 (seal 2). [SEAL-2 ceiling] |
| SOV-2.3 | Data access pathways for non-EU authorities | 5. Requests always rejected by the provider | 167/167 | SEAL-4 | high | No foreign_parent (controlled by German United Internet AG; Warburg Pincus exited); German contracting entity not subject to US CLOUD Act/FISA and commits its German/EU data is beyond foreign-authority reach -> requests rejected as unenforceable -> SOV-2.3 opt5 (seal 4). |
| SOV-2.4 | Export control restrictions | 5. Part of offer shielded from restrictions towards EU MSs/intl orgs | 167/167 | SEAL-4 | medium | EU vendor with EU-majority revenue; offer not subject to non-EU export controls restricting service to EU Member States or international organisations -> part of offer shielded toward EU MSs and intl orgs -> SOV-2.4 opt5. |
| SOV-2.5 | Origin of IP | 4. Mostly within the EU | 125/167 | SEAL-4 | medium | Cloud software, control plane (ProfitBricks heritage) and server designs largely developed in-house in Germany; IP mostly within the EU, though it embeds foreign hardware/chip IP and open-source upstreams -> SOV-2.5 opt4 (all options seal 4). |
| SOV-2.6 | IP holder jurisdiction | 4. EU law with exceptions | 125/167 | SEAL-4 | medium | IONOS's own IP held under German/EU law; some embedded third-party (chip/firmware/open-source) IP under non-EU law -> EU law with exceptions -> SOV-2.6 opt4 (seal 4). |
| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-3.1 | Customer control over encryption keys | 5. Customer exclusive control - provider cannot read data | 200/200 | SEAL-4 | medium | IONOS Cloud offers customer-managed encryption keys (BYOK via API) so customers hold exclusive key control and the provider cannot read the encrypted data -> SOV-3.1 opt5 (seal 4). |
| SOV-3.2 | Transparent data flows & access logs | 4. Full customer-controlled visibility, not real-time | 150/200 | SEAL-3 | medium | Customer-accessible activity/audit logging and monitoring via cloud API/portal give full customer-controlled visibility, but independently auditable real-time oversight of all provider access is not guaranteed -> SOV-3.2 opt4 (seal 3). |
| SOV-3.3 | Secure deletion & proof of erasure | 4. Deletion technically verified with access logs | 150/200 | SEAL-3 | low | Consistency with the German C5 cohort (STACKIT/SysEleven/T-Systems): under BSI C5 Type 2 / ISO 27001 secure-deletion controls deletion is technically verified with access logs in German DCs (no independent cryptographic proof of erasure for opt5) -> SOV-3.3 opt4 (seal 3). (src: https://www.ionos-group.com/investor-relations/publications/announcements/ionos-receives-c5-certification-for-compute-engine-cloud-cubes-and-s3-object-storage.html) |
| SOV-3.4 | Data location strictly in EU/EEA | 4. EU by default, tightly controlled exceptions | 150/200 | SEAL-1 | high | No eu_exclusive contractually-isolated offer (real differentiator vs. STACKIT/SysEleven/T-Systems): the Germany-only/Karlsruhe option keeps data, metadata and logs in German jurisdiction, but the same IONOS Cloud product family also offers US/UK regions, so EU-by-default with tightly controlled per-region opt-in exceptions rather than exclusively-EU with no third-country fallback -> SOV-3.4 opt4 (seal 1). [SEAL-1 gate] (src: https://www.ionos-group.com/investor-relations/newsroom/new-cloud-data-centre-in-frankfurt-ionos-sets-an-example-for-digital-sovereignty-in-europe.html) |
| SOV-3.5 | AI services sovereignty | 4. EU-led AI, foreign accelerators | 150/200 | SEAL-3 | medium | IONOS AI Model Hub serves open-source models (Mistral, Llama) hosted exclusively in German datacentres but runs on foreign NVIDIA GPUs (H200) -> EU-led AI on foreign accelerators -> SOV-3.5 opt4 (seal 3). |
| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-4.1 | Portability & interoperability | 4. Formal migration services available | 125/167 | SEAL-4 | medium | Standards-based, S3-compatible and OpenAI-compatible APIs with documented export and migration support; portability against lock-in on sovereign EU infrastructure -> SOV-4.1 opt4 (seal 4). |
| SOV-4.2 | Ability to operate without foreign dependencies | 4. Ops predominantly EU-based teams | 125/167 | SEAL-3 | medium | eu_ops mostly: EU cloud operations predominantly run by EU-based teams; IONOS also runs a US subsidiary/datacentre with its own ops, so predominantly rather than entirely EU -> SOV-4.2 opt4 (seal 3). |
| SOV-4.3 | Skill availability in the EU | 3. Majority EU, escalation abroad | 84/167 | SEAL-3 | medium | Engineering/R&D concentrated in Germany/EU (Karlsruhe, Berlin) but IONOS operates globally incl. the US, so majority EU skills with possible escalation abroad -> SOV-4.3 opt3 (seal 3). |
| SOV-4.4 | Support channels | 3. Majority in EU, non-EU escalations | 84/167 | SEAL-3 | medium | Support for the EU cloud largely EU/Germany-based, but global support operations (US, UK) exist -> majority in EU with non-EU escalation -> SOV-4.4 opt3 (seal 3). |
| SOV-4.5 | Documentation & knowledge transfer | 3. EU primary with non-EU fallback | 84/167 | SEAL-4 | low | Documentation primarily EU-produced (German/English) but IONOS is a global company with non-EU regional doc operations -> EU-primary with non-EU fallback -> SOV-4.5 opt3 (seal 4). |
| SOV-4.6 | Subcontractor & supplier jurisdiction | 4. Ability to source alternatives or internalise | 125/167 | SEAL-3 | medium | own_stack vertical integration (own hardware, owned datacentres, in-house software) lets it source alternatives or internalise subcontracted functions; main irreplaceable dependency is foreign-fabbed silicon -> SOV-4.6 opt4 (seal 3). |
| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-5.1 | Origin of components (physical parts) | 3. Transparent with exceptions | 72/143 | SEAL-3 | medium | Transparent about building its own server hardware, but the origin of underlying chips/disks is foreign and only partially disclosed -> transparent with exceptions -> SOV-5.1 opt3 (seal 3). |
| SOV-5.2 | Manufacturing location | 4. Built by EU teams on foreign design | 107/143 | SEAL-3 | medium | Servers assembled/integrated by IONOS's own EU teams on its own designs in German facilities, but the silicon is foreign-designed and fabricated -> built by EU teams on foreign-component design -> SOV-5.2 opt4 (seal 3). |
| SOV-5.3 | Embedded code/firmware provenance | 3. Transparent with exceptions | 72/143 | SEAL-4 | low | Controls own server integration and discloses much hardware, but CPU/GPU microcode and component firmware come from foreign vendors and are not fully disclosed -> transparent with exceptions -> SOV-5.3 opt3 (all options seal 4). |
| SOV-5.4 | Origin of software | 4. Large majority maintained by EU teams | 107/143 | SEAL-3 | medium | No foreign_core: cloud control plane and management software designed and maintained in-house by EU (German) teams atop open-source components (not licensed Google/MS/AWS tech); large majority EU-maintained -> SOV-5.4 opt4 (seal 3). |
| SOV-5.5 | Software build/release jurisdiction | 4. EU control & execution | 107/143 | SEAL-3 | medium | Software build/release pipelines controlled and executed by IONOS's German engineering organisation; EU control and execution, no distinct certified EU policy-gate evidenced for opt5 -> SOV-5.5 opt4 (seal 3). |
| SOV-5.6 | Single point of dependency | 4. Few non-EU in non-critical services, documented | 107/143 | SEAL-3 | medium | Consistency with the own-stack German cohort (STACKIT anchor): the in-house EU control plane and owned DCs mean the only non-EU dependency is substitutable commodity silicon (Intel/AMD/NVIDIA) as a non-critical hardware input, documented -> SOV-5.6 opt4 (few non-EU in non-critical, documented). |
| SOV-5.7 | Supply chain transparency | 4. Most suppliers auditable | 107/143 | SEAL-3 | low | Consistency with the own-stack German cohort: under ISO 27001/C5/IT-Grundschutz supply-chain controls in its owned DCs, most suppliers are auditable beyond just the critical ones -> SOV-5.7 opt4 (most suppliers auditable). (src: https://www.ionos-group.com/investor-relations/publications/announcements/ionos-receives-c5-certification-for-compute-engine-cloud-cubes-and-s3-object-storage.html) |
| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-6.1 | Interoperability & open interfaces | 4. Standards-based and broadly compatible | 150/200 | SEAL-3 | medium | Standards-based, broadly compatible interfaces (S3-compatible object storage, OpenAI-compatible AI API, Kubernetes) promoting interoperability and reversibility -> SOV-6.1 opt4 (seal 3). |
| SOV-6.2 | Open standards compliance | 3. Partial core adoption | 100/200 | SEAL-2 | medium | Open standards adopted for core services (S3, Kubernetes, OpenAI-compatible API) but no published commitment that all core services follow open standards -> partial core adoption -> SOV-6.2 opt3 (seal 2). |
| SOV-6.3 | Open source availability | 3. Open source, centralised governance | 100/200 | SEAL-3 | low | No foreign_core: builds on and offers open-source (open AI models, OpenStack-style stack, Kubernetes) but integrated platform governance remains vendor-centralised -> open source with centralised governance -> SOV-6.3 opt3 (seal 3). |
| SOV-6.4 | Service architecture transparency | 3. Some public insight | 100/200 | SEAL-3 | low | Publishes public technical documentation and developer guides giving some public insight into its architecture, but customers cannot directly co-develop core services -> SOV-6.4 opt3 (seal 3). |
| SOV-6.5 | HPC sovereignty | 2. EU-hosted, foreign stack | 50/200 | SEAL-3 | medium | GPU/HPC compute EU-hosted on IONOS's own German infrastructure but runs on a foreign accelerator stack (NVIDIA H200) -> EU-hosted, foreign stack -> SOV-6.5 opt2 (seal 3). |
| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-7.1 | Security certification (EAL) | 4. EAL3 | 107/143 | SEAL-3 | medium | Holds BSI C5 (Compute Engine, Cloud Cubes, S3 Object Storage) + ISO 27001 + BSI IT-Grundschutz. Per the answer-key cert->EAL map, BSI C5 is a high-assurance EU/national cloud certification mapping to EAL3 (opt4 'EAL3', seal 3); applied identically to the German cohort (STACKIT anchor scored opt4 on BSI C5) -> SOV-7.1 opt4. (src: https://www.ionos-group.com/investor-relations/publications/announcements/ionos-receives-c5-certification-for-compute-engine-cloud-cubes-and-s3-object-storage.html) |
| SOV-7.2 | EU regulatory compliance (GDPR/NIS2/DORA) | 4. Partial compliance to most | 107/143 | SEAL-4 | high | Holds BSI C5, ISO 27001 and BSI IT-Grundschutz (first cloud provider with both) and adheres to the EU Cloud Code of Conduct with GDPR/NIS2/DORA alignment; lacking full DORA/NIS2 audited coverage -> partial compliance to most -> SOV-7.2 opt4 (all options seal 4). |
| SOV-7.3 | EU-based SOC & incident handling | 4. Entire lifecycle by EU teams, EU threat intel | 107/143 | SEAL-3 | medium | Security operations and incident handling for the German cloud run by EU/Germany-based teams under BSI C5/IT-Grundschutz; full lifecycle by EU teams, formal ENISA/CSIRT sharing (opt5) not clearly evidenced -> SOV-7.3 opt4 (seal 3). |
| SOV-7.4 | Control over security monitoring/logging | 4. Full direct access, logs stored in EU | 107/143 | SEAL-3 | medium | Customers get full direct access to monitoring/logging via portal/API with logs stored in EU datacentres; immutable tamper-proof logs as a guaranteed default (opt5) not clearly documented -> SOV-7.4 opt4 (seal 3). |
| SOV-7.5 | Disclosure of incidents | 4. Partial compliance, monitored flow, SLAs | 107/143 | SEAL-3 | medium | Consistency with the German cohort: as a German NIS2/DORA-scoped operator IONOS runs monitored incident-disclosure flows with SLAs -> SOV-7.5 opt4 (NIS2/DORA monitored SLAs); full real-time CSIRT sharing (opt5) not established. |
| SOV-7.6 | Maintenance autonomy | 4. High autonomy (deploy independently, no checks) | 107/143 | SEAL-4 | medium | As an IaaS provider running its own stack and hardware, IONOS has high autonomy to schedule and deploy maintenance/patches independently of any foreign vendor -> SOV-7.6 opt4 (seal 4). |
| SOV-7.7 | Auditability | 2. Limited independent access | 36/143 | SEAL-1 | low | No tender-grade audit_rights evidenced (real differentiator vs. the awarded sovereign offers): independent auditing available to certification bodies (BSI C5, ISO, IT-Grundschutz) but not unrestricted full audit by the contracting authority/any EU body -> limited independent access -> SOV-7.7 opt2 (seal 1). [SEAL-1 gate] (src: https://www.ionos-group.com/investor-relations/publications/announcements/ionos-receives-c5-certification-for-compute-engine-cloud-cubes-and-s3-object-storage.html) |
| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-8.1 | Energy efficiency (PUE) | 3. PUE < 1.5 + roadmap | 125/250 | SEAL-4 | high | Fleet-weighted PUE ~1.41 (2024) with a published Climate Strategy 2030 roadmap -> PUE < 1.5 with roadmap -> SOV-8.1 opt3 (seal 4). (src: https://www.ionos-group.com/sustainability.html) |
| SOV-8.2 | Hardware reuse & recycling | 3. Documented program | 125/250 | SEAL-3 | low | Documented sustainability/circular program with ISO 14001 coverage, but no evidence of a full EU-certified circular-economy hardware lifecycle (opt4-5) -> documented program -> SOV-8.2 opt3 (seal 3). |
| SOV-8.3 | Environmental impact reporting | 4. Detailed EU methodology | 188/250 | SEAL-3 | high | Publishes a detailed annual Sustainability Report (2023, 2024) with PUE, emissions, ISO 50001/14001 coverage and methodology; not stated as independently EU-audited -> detailed EU methodology -> SOV-8.3 opt4 (seal 3). |
| SOV-8.4 | Energy supplies | 4. Only EU energy supplies (high renewable) | 188/250 | SEAL-4 | high | All European datacentres run on 100% renewable electricity with 100% ISO 50001 energy-management coverage and on-site solar plans -> EU-sourced high-renewable supply (not certified exclusively green group-wide) -> SOV-8.4 opt4 (all options seal 4). (src: https://www.ionos-group.com/sustainability.html) |