| SOV-1 Strategic Sovereignty | SEAL-2 | |
| SOV-2 Legal & Jurisdictional Sovereignty | SEAL-2 | |
| SOV-3 Data & AI Sovereignty | SEAL-1 | |
| SOV-4 Operational Sovereignty | SEAL-3 | |
| SOV-5 Supply Chain Sovereignty | SEAL-1 | |
| SOV-6 Technology Sovereignty | SEAL-2 | |
| SOV-7 Security & Compliance Sovereignty | SEAL-1 | |
| SOV-8 Environmental Sustainability | SEAL-2 | |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-1.1 | EU/EEA legal entity control | 4. Entirely within the EU | 125/125 | SEAL-4 | high | eu_entity (netcup GmbH, Karlsruhe DE, owned by Anexia Holding GmbH, Austria; both EU, no non-EU parent) -> SOV-1.1 opt4. (src: https://www.netcup.com/en/about-netcup/certifications) |
| SOV-1.2 | Change of control risk | 4. Unlikely takeover/transfer to non-EU sovereign entity | 94/125 | SEAL-4 | medium | Privately held by the EU-based Anexia group (founder Alexander Windbichler, Austria) with no external/non-EU capital evident; a non-EU takeover is unlikely though, being part of an acquirable private group, slightly less certain than a founder-locked firm. |
| SOV-1.3 | Control over roadmap | 2. Through 'voice of the customer' public channels | 42/125 | SEAL-2 | medium | Roadmap is set internally within the Anexia group with customer feedback channels (support, community), but there is no formal EU-actor co-governance body -> opt2 (key: no governance body). |
| SOV-1.4 | Financial independence from non-EU capital | 5. Entirely EU-based funding | 125/125 | SEAL-4 | medium | Funded internally within the privately held EU-based Anexia group with no evident external/non-EU investors; financing is entirely EU-based. |
| SOV-1.5 | EU economic contribution | 4. Majority in the EU | 94/125 | SEAL-4 | high | HQ, workforce and primary data centres are in Germany and Austria; the large majority of economic activity is in the EU though some revenue/colocation arises in the US and Singapore. |
| SOV-1.6 | Participation in EU strategic programs | 1. No clear participation | 0/125 | SEAL-4 | low | Positioned as a GDPR-compliant EU sovereign-hosting alternative but with no documented formal participation in Gaia-X or IPCEI-CIS strategic programs. |
| SOV-1.7 | Alignment with EU industrial strategies | 2. Existing action plan | 42/125 | SEAL-4 | low | Markets an explicit 'digital sovereignty / European data protection' proposition consistent with EU industrial goals, amounting to an action plan rather than measured, governed achievement. |
| SOV-1.8 | Resilience to cut-off | 4. Ability to source alternatives or internalise key functions | 94/125 | SEAL-2 | medium | own_stack partial: EU-owned/Anexia data centres, EU staff and FOSS allow sourcing alternatives / internalising key functions, but no vertically-integrated full-autonomy claim and residual non-EU hardware -> opt4 (seal 2), not opt5. |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-2.1 | Primary legal jurisdiction | 3. Exclusively EU law | 167/167 | SEAL-4 | high | German GmbH within an Austrian (EU) group, EU data centres for the core offering; service governed exclusively under EU/German law -> opt3. (src: https://www.netcup.com/en/about-netcup/certifications) |
| SOV-2.2 | Extraterritorial laws exposure | 4. Legal structures shielding from foreign law | 125/167 | SEAL-2 | medium | Structural shielding (no US/non-EU parent) but immunity NOT certified (no SecNumCloud 3.2 / EUCS-High) and parent Anexia has US offices/data centres -> opt4 'legal structures shielding' (seal 2), not opt5 verified immunity. (src: https://www.netcup.com/en/about-netcup/certifications) |
| SOV-2.3 | Data access pathways for non-EU authorities | 5. Requests always rejected by the provider | 167/167 | SEAL-4 | high | No foreign_parent: netcup is German/Austrian (EU)-owned, not subject to US CLOUD Act/FISA/PRC law; commits to refuse foreign-authority access on its EU offer -> opt5. (src: https://www.netcup.com/en/about-netcup/certifications) |
| SOV-2.4 | Export control restrictions | 4. Part of offer shielded from restrictions towards EU MSs | 125/167 | SEAL-3 | low | EU (DE/AT) provider with no export-control restrictions toward EU member states or citizens; consistent with the pure-EU cluster, the offer is shielded from restrictions toward EU MSs -> opt4 (seal 3). |
| SOV-2.5 | Origin of IP | 4. Mostly within the EU | 125/167 | SEAL-4 | medium | Operational/control-plane software and IP are EU-controlled in-house; physical hardware/chip IP (AMD EPYC etc.) is foreign, so IP is mostly but not fully EU-origin. |
| SOV-2.6 | IP holder jurisdiction | 5. Fully under EU law | 167/167 | SEAL-4 | high | The IP-holding entity is the German GmbH within an Austrian group, fully under EU law -> opt5. |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-3.1 | Customer control over encryption keys | 4. Customer primary control but provider can read data | 150/200 | SEAL-3 | low | Customers can self-encrypt with their own keys and have full root access; absent confidential-compute/HSM by default, the provider operating the infrastructure could technically read unencrypted data -> opt4. |
| SOV-3.2 | Transparent data flows & access logs | 3. Logs exist but not real-time / vendor-controlled | 100/200 | SEAL-2 | low | Access/usage logs and audit records exist (ISO 27001/27701 scope) but oversight is vendor-controlled rather than real-time independently auditable by the customer -> opt3. |
| SOV-3.3 | Secure deletion & proof of erasure | 3. Internal validation per policy, no proof | 100/200 | SEAL-1 | low | Deletion follows documented ISO-certified policy validated internally/by TUV, but without per-request independently verified cryptographic proof of erasure -> opt3 (seal 1). |
| SOV-3.4 | Data location strictly in EU/EEA | 4. EU by default, tightly controlled exceptions | 150/200 | SEAL-1 | high | No eu_exclusive scoped offer: core is EU-default (Nuremberg, Vienna, Amsterdam) but Manassas (US) and Singapore are customer-selectable within the same product -> opt4 'EU by default, tightly controlled exceptions' (seal 1), not opt5. (src: https://www.netcup.com/en/about-netcup/server-locations) |
| SOV-3.5 | AI services sovereignty | 4. EU-led AI, foreign accelerators | 150/200 | SEAL-3 | medium | No black-box managed AI service; customers self-deploy open-source/auditable models EU-hosted on rented compute (EU-led/EU-hosted AI), with only the GPU/accelerator hardware being foreign -> opt4 'EU-led AI, foreign accelerators' (consistent with the cluster's open-model-on-foreign-GPU providers). |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-4.1 | Portability & interoperability | 4. Formal migration services available | 125/167 | SEAL-4 | medium | Standard documented data export plus full root/SSH/VNC access, KVM-based portable images and a public API/CLI with no proprietary lock-in formats; informal migration assistance available -> opt4. |
| SOV-4.2 | Ability to operate without foreign dependencies | 4. Ops predominantly EU-based teams | 125/167 | SEAL-3 | medium | eu_ops: infrastructure operated by netcup's own German/Austrian teams; ops predominantly EU-based though the Anexia group maintains some non-EU (US) offices -> opt4 (seal 3). |
| SOV-4.3 | Skill availability in the EU | 4. All EU staff | 125/167 | SEAL-3 | medium | Engineering and operations skills are concentrated in Germany and Austria; the majority of staff are EU-based with minor non-EU presence within the group -> opt4 (seal 3). |
| SOV-4.4 | Support channels | 4. All support staff in EU | 125/167 | SEAL-3 | medium | Support is delivered by netcup's own German/Austrian-based staff in German and English; no documented security clearances -> opt4 (seal 3). |
| SOV-4.5 | Documentation & knowledge transfer | 4. EU-only primary repositories | 125/167 | SEAL-4 | low | Documentation and help-centre/knowledge repositories are maintained in-house within the EU (Germany/Austria), primarily EU-only -> opt4. |
| SOV-4.6 | Subcontractor & supplier jurisdiction | 4. Ability to source alternatives or internalise | 125/167 | SEAL-3 | low | Core suppliers/facilities for the EU offering are EU-based; non-EU colocation is non-critical to the EU service and the group can source alternatives or internalise functions -> opt4 (seal 3). |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-5.1 | Origin of components (physical parts) | 2. Partial disclosure | 36/143 | SEAL-1 | medium | Server components rely on foreign chips/parts (AMD EPYC, branded hardware) with only partial public disclosure of component origin -> opt2. |
| SOV-5.2 | Manufacturing location | 3. Mixed sourcing, EU audit rights | 72/143 | SEAL-3 | low | Branded server hardware integrated by EU teams on foreign chip designs, with EU audit rights via ISO-certified data centres; not documented as building servers fully in-house -> opt3 (seal 3). |
| SOV-5.3 | Embedded code/firmware provenance | 2. Partial disclosure | 36/143 | SEAL-4 | low | Firmware/microcode in CPUs, NICs and BMCs comes from foreign vendors (AMD etc.) with only partial provenance disclosure -> opt2. |
| SOV-5.4 | Origin of software | 4. Large majority maintained by EU teams | 107/143 | SEAL-3 | medium | No foreign_core: control/management plane is developed and maintained in-house by the EU-based group with heavy FOSS use; large majority of the stack is EU-maintained -> opt4 (seal 3). |
| SOV-5.5 | Software build/release jurisdiction | 4. EU control & execution | 107/143 | SEAL-3 | medium | Software is developed, built and released under EU control and execution from Germany/Austria -> opt4 (seal 3). |
| SOV-5.6 | Single point of dependency | 3. Few non-EU in critical services / documented | 72/143 | SEAL-2 | medium | A few non-EU dependencies are critical (chip vendor AMD with no EU substitute) within an otherwise EU-controlled and documented stack -> opt3 (seal 2). |
| SOV-5.7 | Supply chain transparency | 2. Some suppliers auditable | 36/143 | SEAL-1 | low | Some suppliers are auditable via the ISO 27001 scope, but full critical-supply-chain auditability (especially chip vendors) is not demonstrated -> opt2. |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-6.1 | Interoperability & open interfaces | 4. Standards-based and broadly compatible | 150/200 | SEAL-3 | medium | Standards-based, broadly compatible interfaces: public API/CLI, KVM-based portable images and standard Linux OS choice with full customer control -> opt4 (seal 3). |
| SOV-6.2 | Open standards compliance | 3. Partial core adoption | 100/200 | SEAL-2 | medium | Adopts common open standards/protocols (KVM, standard Linux images, SSH/VNC, DNS) across core services but no all-core policy -> opt3 (seal 2). |
| SOV-6.3 | Open source availability | 2. Source available for review, strict rights | 50/200 | SEAL-2 | low | Heavy FOSS use and customers can run open source, but netcup's own control/management platform is proprietary and not open-sourced (not foreign_core) -> opt2 (seal 2). |
| SOV-6.4 | Service architecture transparency | 3. Some public insight | 100/200 | SEAL-3 | low | Some public architecture insight via extensive help-centre/docs and status pages, but the core platform internals are kept private -> opt3 (seal 3). |
| SOV-6.5 | HPC sovereignty | 2. EU-hosted, foreign stack | 50/200 | SEAL-3 | low | No dedicated sovereign HPC offering; no in-scope HPC -> opt2 (EU-hosted/foreign-stack treated as seal 3 per key, not the imported black-box seal-0 option). |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-7.1 | Security certification (EAL) | 2. EAL1 | 36/143 | SEAL-1 | high | Certs held are ISO 27001 (since 2023, annual TUV Nord audit) + ISO 27701 + ISO 9001 + ISO 14001 only; no SecNumCloud/C5/EUCS/Common Criteria EAL -> ISO-only maps to opt2 'EAL1' (seal 1). (src: https://www.netcup.com/en/about-netcup/certifications) |
| SOV-7.2 | EU regulatory compliance (GDPR/NIS2/DORA) | 4. Partial compliance to most | 107/143 | SEAL-4 | high | GDPR-compliant with Art. 28 DPAs and certified to ISO 9001, ISO/IEC 27001 (annual TUV Nord audit) and ISO 27701; aligns with most EU requirements without explicit full NIS2/DORA attestation -> opt4. |
| SOV-7.3 | EU-based SOC & incident handling | 4. Entire lifecycle by EU teams, EU threat intel | 107/143 | SEAL-3 | low | Security operations and incident response are handled by netcup's own EU-based (Germany/Austria) teams; no documented ENISA/CSIRT real-time sharing -> opt4 (seal 3). |
| SOV-7.4 | Control over security monitoring/logging | 4. Full direct access, logs stored in EU | 107/143 | SEAL-3 | low | Customers get direct access to their own monitoring/logs with infrastructure logs stored in EU data centres; no claim of immutable tamper-proof customer logging -> opt4 (seal 3). |
| SOV-7.5 | Disclosure of incidents | 3. Moderate (GDPR/NIS2-aligned) | 72/143 | SEAL-2 | medium | As a GDPR processor it follows GDPR/NIS2-aligned breach-disclosure obligations; not documented as full real-time CSIRT sharing with SLAs -> opt3 (seal 2). |
| SOV-7.6 | Maintenance autonomy | 4. High autonomy (deploy independently, no checks) | 107/143 | SEAL-4 | low | netcup controls its own maintenance and can deploy patches independently on its own stack without third-party vendor scheduling -> opt4. |
| SOV-7.7 | Auditability | 2. Limited independent access | 36/143 | SEAL-1 | medium | No audit_rights: independent assurance exists only via ISO 27001/27701/9001 TUV certification bodies; no full independent audit of the proprietary platform by any entity -> opt2 (seal 1). |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-8.1 | Energy efficiency (PUE) | 3. PUE < 1.5 + roadmap | 125/250 | SEAL-4 | low | Emphasises energy-efficient hardware and optimised cooling and is ISO 14001 certified, but no specific PUE figure is published; treated as efficient (<1.5) with a roadmap -> opt3. (src: https://www.netcup.com/en/about-netcup/green-electricity-energy-efficiency) |
| SOV-8.2 | Hardware reuse & recycling | 3. Documented program | 125/250 | SEAL-3 | low | Documented environmental/efficiency practices including hardware reuse under ISO 14001, amounting to a documented program rather than an EU-certified circular lifecycle -> opt3 (seal 3). |
| SOV-8.3 | Environmental impact reporting | 3. Annual report | 125/250 | SEAL-2 | low | Publishes sustainability/green-energy information at roughly annual-report level under ISO 14001, but not an independently EU-audited environmental methodology -> opt3 (seal 2). |
| SOV-8.4 | Energy supplies | 4. Only EU energy supplies (high renewable) | 188/250 | SEAL-4 | medium | Powered by renewable EU energy with own generation (Austrian hydropower covering ~1/3 of the Vienna DC plus ~1 MW solar at Jaidhof); high renewable share from EU supplies -> opt4. (src: https://www.netcup.com/en/about-netcup/green-electricity-energy-efficiency) |