| SOV-1 Strategic Sovereignty | SEAL-2 | |
| SOV-2 Legal & Jurisdictional Sovereignty | SEAL-1 | |
| SOV-3 Data & AI Sovereignty | SEAL-1 | |
| SOV-4 Operational Sovereignty | SEAL-3 | |
| SOV-5 Supply Chain Sovereignty | SEAL-1 | |
| SOV-6 Technology Sovereignty | SEAL-2 | |
| SOV-7 Security & Compliance Sovereignty | SEAL-1 | |
| SOV-8 Environmental Sustainability | SEAL-2 |
| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-1.1 | EU/EEA legal entity control | 4. Entirely within the EU | 125/125 | SEAL-4 | high | eu_entity (LeaseWeb Global B.V. Amsterdam, owned by Dutch group OCOM/Dutch founders, no non-EU controlling parent) -> entirely within EU, opt4. (src: https://www.leaseweb.com/en/about-us) |
| SOV-1.2 | Change of control risk | 5. Very unlikely | 125/125 | SEAL-4 | high | Privately held by its Dutch founders via OCOM with no external/PE investors; takeover by a non-EU sovereign entity very unlikely (all-SEAL-4 factor, kept). |
| SOV-1.3 | Control over roadmap | 3. Governance bodies exist with EU actors participation | 83/125 | SEAL-3 | medium | EU-controlled provider active in Gaia-X/IPCEI-CIS governance bodies; roadmap set internally by EU owner with EU-actor participation -> opt3. |
| SOV-1.4 | Financial independence from non-EU capital | 5. Entirely EU-based funding | 125/125 | SEAL-4 | high | Self-funded, owned entirely by Dutch founders through OCOM, no disclosed non-EU capital -> entirely EU-based funding (all-SEAL-4 factor, kept). |
| SOV-1.5 | EU economic contribution | 4. Majority in the EU | 94/125 | SEAL-4 | medium | Headquartered and historically rooted in NL with major EU operations though substantial US/APAC revenue; majority of value in the EU (all-SEAL-4 factor, kept). |
| SOV-1.6 | Participation in EU strategic programs | 4. Strong participation | 94/125 | SEAL-4 | high | Member of Gaia-X AISBL and CISPE and the only Dutch provider in IPCEI-CIS sovereign-cloud programme; strong participation (all-SEAL-4 factor, kept). |
| SOV-1.7 | Alignment with EU industrial strategies | 3. Measured achievement and dedicated governance | 83/125 | SEAL-4 | medium | Runs a European Cloud Campus / Sovereignty-by-Design programme with measured IPCEI-CIS deliverables and dedicated governance (all-SEAL-4 factor, kept). |
| SOV-1.8 | Resilience to cut-off | 4. Ability to source alternatives or internalise key functions | 94/125 | SEAL-2 | medium | own_stack but with real non-EU operational dependency (NVIDIA/server silicon, US subsidiary); owns network/EU DCs and could source alternatives or internalise, not full autonomy -> opt4 (seal 2). |
| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-2.1 | Primary legal jurisdiction | 2. Mixed EU/non-EU | 84/167 | SEAL-1 | high | Core entity under Dutch/EU law but group runs US (Leaseweb USA Inc.)/UK/Singapore/Hong Kong/Sydney subsidiaries and data centres; mixed EU/non-EU jurisdiction -> opt2 (CEIL, seal 1). Genuine non-EU footprint differentiator vs the pure-EU cluster peers. (src: https://www.datacentermap.com/c/leaseweb/) |
| SOV-2.2 | Extraterritorial laws exposure | 3. EU subsidiary with contractual protections | 84/167 | SEAL-1 | high | No immunity: EU HQ with GDPR/data-residency options but the US subsidiary (Leaseweb USA Inc.) is compellable via the parent under the CLOUD Act and no SecNumCloud/EUCS-High certification; EU entity with contractual protections only -> opt3 (seal 1). (src: https://www.datacentermap.com/c/leaseweb/) |
| SOV-2.3 | Data access pathways for non-EU authorities | 4. Requests disputed, sometimes accepted with notification | 125/167 | SEAL-1 | high | Disputes/scrutinises requests and publishes transparency reports, but the US subsidiary can be compelled under the CLOUD Act (no immunity) -> requests disputed/sometimes accepted, opt4 (CEIL/NO3, seal 1). (src: https://www.leaseweb.com/security-certifications) |
| SOV-2.4 | Export control restrictions | 3. Share of revenues >50% in the EU | 84/167 | SEAL-2 | low | Majority of revenue and operations in the EU but no specific export-control shielding of the offer toward EU Member States documented -> opt3 (seal 2). |
| SOV-2.5 | Origin of IP | 3. Mixed within/outside the EU | 84/167 | SEAL-4 | low | Platform software/tooling developed in the EU but hardware/chip IP (NVIDIA, server silicon) and some third-party software originate outside the EU; mixed (all-SEAL-4 factor, kept). |
| SOV-2.6 | IP holder jurisdiction | 3. Mixed law, some EU | 84/167 | SEAL-3 | low | LeaseWeb's own software IP held by EU entities while underlying hardware/chip IP is held by non-EU vendors; mixed law with EU component -> opt3. |
| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-3.1 | Customer control over encryption keys | 3. Shared - provider has override keys | 100/200 | SEAL-2 | low | IaaS customers can deploy their own encryption but managed offerings typically involve provider-held/override keys; shared control -> opt3. |
| SOV-3.2 | Transparent data flows & access logs | 3. Logs exist but not real-time / vendor-controlled | 100/200 | SEAL-2 | low | Logging/monitoring exist and transparency reports published, but no real-time independently-auditable customer oversight of all flows; vendor-controlled logs -> opt3. |
| SOV-3.3 | Secure deletion & proof of erasure | 3. Internal validation per policy, no proof | 100/200 | SEAL-1 | low | ISO 27001/PCI data-handling implies internal deletion per policy, but no independently verified proof-of-erasure documented -> opt3 (seal 1). |
| SOV-3.4 | Data location strictly in EU/EEA | 4. EU by default, tightly controlled exceptions | 150/200 | SEAL-1 | high | No eu_exclusive: EU sovereign cloud keeps data in EU by default but the global platform offers US/APAC regions (Washington DC, San Francisco, Singapore, Hong Kong, Sydney, etc.) in the same product; EU-default with controlled exceptions -> opt4 (CEIL/NO3, seal 1). (src: https://www.datacentermap.com/c/leaseweb/) |
| SOV-3.5 | AI services sovereignty | 3. Mixed: auditable/open-source AI, foreign chips | 100/200 | SEAL-2 | medium | AI/HPC runs on imported NVIDIA GPUs with customer-chosen/open models on EU-hostable infra; mixed/auditable AI on foreign chips -> opt3 (seal 2). |
| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-4.1 | Portability & interoperability | 4. Formal migration services available | 125/167 | SEAL-4 | medium | Standards-based IaaS with documented APIs, open-definition compute API, Terraform provider and formal migration support -> opt4 (seal 4). |
| SOV-4.2 | Ability to operate without foreign dependencies | 3. Ops balanced EU/non-EU teams | 84/167 | SEAL-3 | medium | Ops/NOC centred in Amsterdam but group runs offices/operations across EU, Asia and North America; teams balanced EU/non-EU -> opt3 (seal 3). |
| SOV-4.3 | Skill availability in the EU | 3. Majority EU, escalation abroad | 84/167 | SEAL-3 | medium | Engineering/NOC skills concentrated in EU (Amsterdam) with escalation to global teams; majority EU with escalation abroad -> opt3 (seal 3). |
| SOV-4.4 | Support channels | 3. Majority in EU, non-EU escalations | 84/167 | SEAL-3 | medium | 24/7 support from a global org (EU/Asia/NA) with NOC escalation on Amsterdam time; treated as majority-EU with non-EU escalations -> opt3 (seal 3). |
| SOV-4.5 | Documentation & knowledge transfer | 3. EU primary with non-EU fallback | 84/167 | SEAL-4 | low | Documentation/knowledge bases EU-managed but global org has non-EU exposure; EU primary with non-EU fallback -> opt3 (seal 4). |
| SOV-4.6 | Subcontractor & supplier jurisdiction | 3. Continue temporarily per contractual agreement | 84/167 | SEAL-3 | low | Owns its own network/datacenters and has contractual supplier arrangements; could continue temporarily and source alternatives -> opt3 (seal 3). |
| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-5.1 | Origin of components (physical parts) | 2. Partial disclosure | 36/143 | SEAL-1 | low | Server/GPU hardware sourced from non-EU OEMs with only partial public disclosure of component provenance -> opt2 (seal 1). |
| SOV-5.2 | Manufacturing location | 2. Foreign origin, partial disclosure | 36/143 | SEAL-1 | low | Compute hardware manufactured abroad (Asia/US OEMs) with limited disclosure; foreign origin, partial transparency -> opt2 (seal 1). |
| SOV-5.3 | Embedded code/firmware provenance | 2. Partial disclosure | 36/143 | SEAL-4 | low | Firmware/embedded code in servers and accelerators comes from foreign OEMs with only partial disclosure (all-SEAL-4 factor, kept). |
| SOV-5.4 | Origin of software | 3. Core/essential parts maintained by EU teams | 72/143 | SEAL-3 | medium | No foreign_core: core cloud-platform software (compute API, networking overlay, tooling) is developed and maintained by EU teams on open-source; core/essential parts EU-maintained -> opt3 (seal 3). |
| SOV-5.5 | Software build/release jurisdiction | 4. EU control & execution | 107/143 | SEAL-3 | medium | Software controlled and built by LeaseWeb's EU engineering org; EU control and execution without documented formal EU policy gates -> opt4 (seal 3). |
| SOV-5.6 | Single point of dependency | 3. Few non-EU in critical services / documented | 72/143 | SEAL-2 | low | A few critical dependencies are non-EU (NVIDIA GPUs, server silicon) but documented; not solely reliant on non-EU vendors -> opt3 (seal 2). |
| SOV-5.7 | Supply chain transparency | 3. Critical suppliers auditable | 72/143 | SEAL-2 | low | Critical suppliers auditable under its ISO 27001/PCI regime, but full end-to-end supply-chain auditability not evidenced -> opt3 (seal 2). |
| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-6.1 | Interoperability & open interfaces | 4. Standards-based and broadly compatible | 150/200 | SEAL-3 | medium | Standards-based APIs, open-definition compute API and Terraform provider enabling broad compatibility and portability -> opt4 (seal 3). |
| SOV-6.2 | Open standards compliance | 3. Partial core adoption | 100/200 | SEAL-2 | medium | Uses open standards (S3-compatible storage, OpenStack-style/Terraform tooling) across core services but not a documented all-services policy -> opt3 (seal 2). |
| SOV-6.3 | Open source availability | 3. Open source, centralised governance | 100/200 | SEAL-3 | medium | Builds on open source and contributes many projects, but commercial-platform governance is centralised within LeaseWeb (no foreign_core) -> open source, centralised governance, opt3 (seal 3). |
| SOV-6.4 | Service architecture transparency | 3. Some public insight | 100/200 | SEAL-3 | low | Public documentation, blogs and open APIs give some public insight into architecture beyond audit-only access -> opt3 (seal 3). |
| SOV-6.5 | HPC sovereignty | 2. EU-hosted, foreign stack | 50/200 | SEAL-3 | low | HPC/AI compute EU-hosted but built on imported NVIDIA accelerators and a foreign hardware stack; EU-hosted, foreign stack -> opt2 (seal 3). |
| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-7.1 | Security certification (EAL) | 3. EAL2 | 72/143 | SEAL-2 | medium | Holds ISO 27001:2022 (EY CertifyPoint) + SOC 1 Type II + PCI DSS + NEN 7510 but no C5/ENS-High and no Common Criteria EAL; ISO+SOC maps to EAL2 -> opt3 (seal 2). (src: https://www.leaseweb.com/security-certifications) |
| SOV-7.2 | EU regulatory compliance (GDPR/NIS2/DORA) | 4. Partial compliance to most | 107/143 | SEAL-4 | medium | GDPR-committed (CISPE Code of Conduct), ISO 27001:2022, PCI DSS, SOC 1 Type II and DSA reporting; partial-to-strong compliance without a single full independently-audited attestation (all-SEAL-4 factor, kept). |
| SOV-7.3 | EU-based SOC & incident handling | 3. Primary SOC in EU, escalations non-EU | 72/143 | SEAL-1 | low | Security monitoring/NOC centred in EU (Amsterdam) with escalation to global teams; primary SOC in EU with non-EU escalation -> opt3 (seal 1). |
| SOV-7.4 | Control over security monitoring/logging | 3. Basic monitoring portal | 72/143 | SEAL-1 | low | Customers get a monitoring portal and reports, but full direct customer access to immutable EU-stored security logs is not demonstrated -> opt3 (seal 1). |
| SOV-7.5 | Disclosure of incidents | 3. Moderate (GDPR/NIS2-aligned) | 72/143 | SEAL-2 | medium | Discloses incidents in line with GDPR/NIS2 expectations and publishes transparency reports; GDPR/NIS2-aligned disclosure -> opt3 (seal 2). |
| SOV-7.6 | Maintenance autonomy | 3. Moderate autonomy (notice + testing, except zero-day) | 72/143 | SEAL-4 | low | As infrastructure owner has moderate maintenance autonomy with notice/testing windows, dependent on OEM firmware/patch cycles -> opt3 (seal 4). |
| SOV-7.7 | Auditability | 2. Limited independent access | 36/143 | SEAL-1 | low | No audit_rights: independent audits occur via certification bodies (EY CertifyPoint) only, no full audit by any entity -> opt2 (CEIL/NO3, seal 1). (src: https://www.leaseweb.com/security-certifications) |
| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-8.1 | Energy efficiency (PUE) | 3. PUE < 1.5 + roadmap | 125/250 | SEAL-4 | low | Selects low-PUE facilities, Climate Neutral Data Centre Pact certified (NL+DE) and ISO 14001:2015 with adiabatic-cooling efficiency roadmap, but no verified PUE below 1.3; PUE<1.5 with roadmap -> opt3 (seal 4). (src: https://www.leaseweb.com/en/about-us/our-story/corporate-social-responsibility) |
| SOV-8.2 | Hardware reuse & recycling | 3. Documented program | 125/250 | SEAL-3 | low | Documented hardware recycling and circular-practice programme with a green team and 90% recycled-materials goal -> documented program, opt3 (seal 3). |
| SOV-8.3 | Environmental impact reporting | 3. Annual report | 125/250 | SEAL-2 | low | Publishes sustainability commitments and reports annually, but not a detailed EU-methodology or independently-audited environmental report -> annual report, opt3 (seal 2). |
| SOV-8.4 | Energy supplies | 4. Only EU energy supplies (high renewable) | 188/250 | SEAL-4 | medium | NL datacenters on 100% renewable energy and Montreal on hydro; EU footprint on EU green energy though global mix includes non-EU (all-SEAL-4 factor, kept). (src: https://www.leaseweb.com/en/about-us/our-story/corporate-social-responsibility) |