| SOV-1 Strategic Sovereignty | SEAL-2 | |
| SOV-2 Legal & Jurisdictional Sovereignty | SEAL-2 | |
| SOV-3 Data & AI Sovereignty | SEAL-3 | |
| SOV-4 Operational Sovereignty | SEAL-3 | |
| SOV-5 Supply Chain Sovereignty | SEAL-2 | |
| SOV-6 Technology Sovereignty | SEAL-2 | |
| SOV-7 Security & Compliance Sovereignty | SEAL-3 | |
| SOV-8 Environmental Sustainability | SEAL-3 | |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-1.1 | EU/EEA legal entity control | 4. Entirely within the EU | 125/125 | SEAL-4 | high | Operated by T-Systems, a wholly-owned subsidiary of Deutsche Telekom AG, a German (EU) incorporated company; the legal entity controlling the service is entirely within the EU. (src: https://www.open-telekom-cloud.com/en/products-services/core-services/certifications) |
| SOV-1.2 | Change of control risk | 5. Very unlikely | 125/125 | SEAL-4 | high | Deutsche Telekom is a German blue-chip with the German federal government (via direct holding + KfW) as its largest shareholder at ~28%; takeover/transfer to a non-EU sovereign entity is very unlikely. |
| SOV-1.3 | Control over roadmap | 3. Governance bodies exist with EU actors participation | 83/125 | SEAL-3 | medium | Built on OpenStack/Kubernetes with EU governance, and Deutsche Telekom drives the roadmap including a planned 'Germany Stack'; EU actors participate in governance but the core OpenStack distribution is supplied by Huawei, limiting full control. |
| SOV-1.4 | Financial independence from non-EU capital | 5. Entirely EU-based funding | 125/125 | SEAL-4 | high | Deutsche Telekom is EU-listed and EU-funded with the German state as anchor shareholder; financing is entirely EU-based. |
| SOV-1.5 | EU economic contribution | 5. Fully in the EU | 125/125 | SEAL-4 | high | Operations, data centres (Biere/Magdeburg, Amsterdam), staff and revenue from the service are concentrated in the EU; economic contribution is fully in the EU. |
| SOV-1.6 | Participation in EU strategic programs | 3. Active participant in strategic projects | 63/125 | SEAL-4 | medium | Open Telekom Cloud is Gaia-X compliant and Deutsche Telekom is a member of Gaia-X and engaged in German sovereign-cloud initiatives; an active participant in EU strategic projects without strategic projects depending on it. |
| SOV-1.7 | Alignment with EU industrial strategies | 3. Measured achievement and dedicated governance | 83/125 | SEAL-4 | medium | Markets itself as 'from Europe for Europe' with measurable alignment (Gaia-X, sovereign public-administration cloud, Germany Stack ambition) and dedicated governance, but full bold means are still emerging. |
| SOV-1.8 | Resilience to cut-off | 4. Ability to source alternatives or internalise key functions | 94/125 | SEAL-2 | medium | No own_stack: the core OS is the Huawei FusionSphere/OpenStack distribution, a real non-EU operational dependency. As a German operator with EU data centres T-Systems could source alternatives or internalise key functions if cut off -> opt4 (seal 2), short of full autonomy. |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-2.1 | Primary legal jurisdiction | 3. Exclusively EU law | 167/167 | SEAL-4 | high | T-Systems is a German provider with data exclusively in Germany and the Netherlands, subject exclusively to EU/German law; no non-EU parent jurisdiction applies. (src: https://www.open-telekom-cloud.com/en/products-services/core-services/certifications) |
| SOV-2.2 | Extraterritorial laws exposure | 4. Legal structures shielding from foreign law | 125/167 | SEAL-2 | high | immunity is structural-not-certified: German-incorporated, no US parent, legal structures shielding from foreign law (e.g. CLOUD Act), but no SecNumCloud 3.2 / EUCS-High and a residual Huawei nexus in the core -> opt4 'Legal structures shielding' (seal 2), not verified statutory immunity. Genuine differentiator vs. the pure-DE anchors. |
| SOV-2.3 | Data access pathways for non-EU authorities | 5. Requests always rejected by the provider | 167/167 | SEAL-4 | medium | No foreign_parent: German entity, no US/CN authority can compel access (Huawei has no production or customer-data access) -> opt5 'Requests always rejected' (seal 4). |
| SOV-2.4 | Export control restrictions | 5. Part of offer shielded from restrictions towards EU MSs/intl orgs | 167/167 | SEAL-4 | low | Consistency with its operator T-Systems and the German cohort: a German EU operator with EU-based revenue/operations and no export-control restrictions toward EU member states or international orgs -> offer shielded toward EU MSs, opt5. |
| SOV-2.5 | Origin of IP | 3. Mixed within/outside the EU | 84/167 | SEAL-4 | medium | Core platform IP is the Huawei OpenStack Distribution (non-EU/Chinese origin) layered on open-source OpenStack, with significant EU-developed operational tooling and integration; mixed within/outside the EU. |
| SOV-2.6 | IP holder jurisdiction | 3. Mixed law, some EU | 84/167 | SEAL-3 | low | Underlying Huawei-licensed software IP is held under non-EU (Chinese) law while operational and integration IP sits with Deutsche Telekom under EU law; mixed law with some EU. |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-3.1 | Customer control over encryption keys | 5. Customer exclusive control - provider cannot read data | 200/200 | SEAL-4 | high | Offers BYOK and HYOK (Hold Your Own Key) so customers can hold keys exclusively, rendering data unreadable to the provider; zero-access architecture is promoted. |
| SOV-3.2 | Transparent data flows & access logs | 4. Full customer-controlled visibility, not real-time | 150/200 | SEAL-3 | low | Provides customer-controlled access logging and monitoring (Cloud Trace/audit services) with C5/SOC attestations, giving full customer visibility though not described as fully real-time independently auditable. |
| SOV-3.3 | Secure deletion & proof of erasure | 4. Deletion technically verified with access logs | 150/200 | SEAL-3 | low | Deletion is technically verified with access/audit logs under BSI C5 Type 2 / ISO 27001 controls (Cloud Trace logs in EU DCs) -> opt4 (seal 3), consistent with peer C5/ISO-based offers; not independently cryptographically proven (opt5). |
| SOV-3.4 | Data location strictly in EU/EEA | 5. Exclusively EU, no third-country fallback | 200/200 | SEAL-4 | high | Data is stored exclusively in EU data centres (Germany and the Netherlands, both regions certified) with no third-country fallback per provider statements and C5 scope. (src: https://www.open-telekom-cloud.com/en/products-services/core-services/certifications) |
| SOV-3.5 | AI services sovereignty | 4. EU-led AI, foreign accelerators | 150/200 | SEAL-3 | low | Consistency with T-Systems and the cohort: AI/ML services run on the EU-operated OpenStack platform using auditable/open-source frameworks; EU-led AI on foreign (non-EU) GPU accelerators -> opt4. |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-4.1 | Portability & interoperability | 4. Formal migration services available | 125/167 | SEAL-4 | medium | Standards-based (OpenStack, Kubernetes, Terraform/OpenTofu) with documented export methods and formal migration support, easing portability away from lock-in. |
| SOV-4.2 | Ability to operate without foreign dependencies | 4. Ops predominantly EU-based teams | 125/167 | SEAL-3 | medium | Infrastructure operation, maintenance, hardware decommissioning and software installation are performed exclusively by T-Systems (EU) staff; Huawei has no production access and only provides 3rd-level video-conference advice, so ops are predominantly EU-based but a non-EU advisory dependency remains. |
| SOV-4.3 | Skill availability in the EU | 3. Majority EU, escalation abroad | 84/167 | SEAL-3 | medium | Engineering and operations skills are majority EU-based at T-Systems, with occasional escalation to Huawei third-level experts abroad. |
| SOV-4.4 | Support channels | 3. Majority in EU, non-EU escalations | 84/167 | SEAL-3 | medium | First and second level support handled exclusively by T-Systems in the EU, with non-EU (Huawei) third-level escalation by video conference only. |
| SOV-4.5 | Documentation & knowledge transfer | 3. EU primary with non-EU fallback | 84/167 | SEAL-4 | low | Primary documentation and knowledge sit with EU-based T-Systems, with the Huawei-supplied platform implying some non-EU fallback for deep platform knowledge. |
| SOV-4.6 | Subcontractor & supplier jurisdiction | 3. Continue temporarily per contractual agreement | 84/167 | SEAL-3 | low | Critical software supplier (Huawei) and some hardware are non-EU, but contractual partnership terms and EU-only operations would allow temporary continuation; alternative sourcing is feasible but not immediate. |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-5.1 | Origin of components (physical parts) | 3. Transparent with exceptions | 72/143 | SEAL-3 | medium | Hardware suppliers (incl. Huawei) are disclosed; component sourcing is transparent with exceptions under the sovereign offer / C5 scope -> opt3 (seal 3), consistent with peer providers using foreign components. |
| SOV-5.2 | Manufacturing location | 3. Mixed sourcing, EU audit rights | 72/143 | SEAL-3 | medium | Mixed sourcing of foreign-origin hardware with EU audit rights under BSI C5/ISO controls -> opt3 (seal 3). |
| SOV-5.3 | Embedded code/firmware provenance | 2. Partial disclosure | 36/143 | SEAL-4 | low | Firmware/embedded code on foreign (Huawei and other) hardware is only partially disclosed. |
| SOV-5.4 | Origin of software | 2. Foreign origin, partial disclosure | 36/143 | SEAL-2 | high | foreign_core: the core cloud OS is the Huawei OpenStack/FusionSphere distribution (licensed Chinese tech) with partial disclosure, not EU-maintained -> opt2 (seal 2). This is the SEAL-2 ceiling and the genuine differentiator vs. the own-stack German cohort. (src: https://www.huawei.com/en/news/2016/10/deutsche-telekom-cloud-openstack-interoperability-tests) |
| SOV-5.5 | Software build/release jurisdiction | 3. Non-EU control, EU execution | 72/143 | SEAL-3 | low | The platform software is built/released under the Huawei (non-EU) partnership while deployment, integration and operation execution sit with EU-based T-Systems; non-EU control with EU execution. |
| SOV-5.6 | Single point of dependency | 3. Few non-EU in critical services / documented | 72/143 | SEAL-2 | medium | Huawei is a documented non-EU single point of dependency in a critical service (core OpenStack distribution and part of hardware), creating a critical non-EU dependency that is at least documented. |
| SOV-5.7 | Supply chain transparency | 3. Critical suppliers auditable | 72/143 | SEAL-2 | low | Critical suppliers are subject to audit under BSI C5/ISO 27001 controls, but full supply-chain auditability is not demonstrated. |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-6.1 | Interoperability & open interfaces | 4. Standards-based and broadly compatible | 150/200 | SEAL-3 | high | Standards-based and broadly compatible via OpenStack and Kubernetes APIs, enabling interoperability and portability. |
| SOV-6.2 | Open standards compliance | 4. Policy for most core services | 150/200 | SEAL-3 | medium | Open standards (OpenStack, Kubernetes, Terraform/OpenTofu) are adopted as policy across most core services. |
| SOV-6.3 | Open source availability | 2. Source available for review, strict rights | 50/200 | SEAL-2 | medium | foreign_core: although built on upstream open-source OpenStack/Kubernetes, the production platform is the Huawei FusionSphere distribution under centralised non-EU vendor governance (source-available, not independently/EU-governed) -> opt2 (seal 2). SEAL-2 ceiling alongside SOV-5.4. (src: https://www.huawei.com/en/news/2016/10/deutsche-telekom-cloud-openstack-interoperability-tests) |
| SOV-6.4 | Service architecture transparency | 3. Some public insight | 100/200 | SEAL-3 | low | Provides public documentation and OpenStack-based transparency, with deeper insight available during audits; some public architectural insight. |
| SOV-6.5 | HPC sovereignty | 2. EU-hosted, foreign stack | 50/200 | SEAL-3 | low | HPC/GPU capacity is EU-hosted but runs on a foreign hardware/software stack (foreign accelerators and Huawei-derived platform). |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-7.1 | Security certification (EAL) | 4. EAL3 | 107/143 | SEAL-3 | medium | certs: holds BSI C5 Type 2 (since 2018) + ENS High + SOC 1/2/3 + TISAX. Per the answer-key cert->EAL map, BSI C5 (and ENS-High) is a high-assurance EU/national cloud certification mapping to EAL3 (opt4 'EAL3', seal 3); no SecNumCloud/EUCS-High to reach opt5. (src: https://www.open-telekom-cloud.com/en/blog/benefits/open-telekom-cloud-certified-according-to-bsi-c5-2020-and-and-soc-1-soc-2-soc-3) |
| SOV-7.2 | EU regulatory compliance (GDPR/NIS2/DORA) | 5. Fully compliant to all, independently audited | 143/143 | SEAL-4 | high | Holds BSI C5 Type 2, ISO 27001/27017/27018/27701, SOC 1/2/3, TISAX and the EU Cloud Code of Conduct, demonstrating independently audited GDPR/NIS2-aligned compliance. |
| SOV-7.3 | EU-based SOC & incident handling | 4. Entire lifecycle by EU teams, EU threat intel | 107/143 | SEAL-3 | medium | Security operations and incident handling are run by EU-based T-Systems teams within German/EU data centres; full lifecycle by EU teams, ENISA-specific sharing not explicitly evidenced. |
| SOV-7.4 | Control over security monitoring/logging | 4. Full direct access, logs stored in EU | 107/143 | SEAL-3 | medium | Customers get direct access to monitoring/audit logging (Cloud Trace) with logs stored in EU data centres. |
| SOV-7.5 | Disclosure of incidents | 4. Partial compliance, monitored flow, SLAs | 107/143 | SEAL-3 | medium | Incident disclosure follows GDPR/NIS2 obligations with monitored flows and SLAs as a German telecom operator; real-time CSIRT sharing not specifically documented. |
| SOV-7.6 | Maintenance autonomy | 3. Moderate autonomy (notice + testing, except zero-day) | 72/143 | SEAL-4 | low | Maintenance and patching are performed by T-Systems with notice/testing windows, giving moderate autonomy; some dependence on the Huawei platform vendor for deep fixes remains. |
| SOV-7.7 | Auditability | 5. Full independent audit by any entity | 143/143 | SEAL-4 | low | audit_rights: the sovereign public-sector offer (ENS-High, C5, German federal procurement) binds full audit by the contracting authority and independent EU bodies -> opt5 (seal 4), consistent with peer sovereign offers. Tender-grade commitment, low confidence. |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-8.1 | Energy efficiency (PUE) | 4. PUE < 1.3 | 188/250 | SEAL-4 | medium | Consistency with operator T-Systems (same Deutsche Telekom Biere/Amsterdam DCs): published PUE ~1.3 (Biere) with the Biere site holding the EU Code of Conduct energy-efficiency award -> opt4 'PUE < 1.3'. (src: https://www.open-telekom-cloud.com/en/benefits/sustainability) |
| SOV-8.2 | Hardware reuse & recycling | 3. Documented program | 125/250 | SEAL-3 | low | Deutsche Telekom runs documented hardware reuse and recycling/circular programs as part of its sustainability strategy. |
| SOV-8.3 | Environmental impact reporting | 4. Detailed EU methodology | 188/250 | SEAL-3 | medium | Consistency with operator T-Systems: Deutsche Telekom publishes detailed sustainability/environmental reporting under EU methodology covering data-centre energy and emissions -> opt4 (detailed EU methodology). |
| SOV-8.4 | Energy supplies | 4. Only EU energy supplies (high renewable) | 188/250 | SEAL-4 | high | Open Telekom Cloud data centres are powered by 100% renewable energy, sourced within the EU. (src: https://www.open-telekom-cloud.com/en/benefits/sustainability) |