| SOV-1 Strategic Sovereignty | SEAL-4 | |
| SOV-2 Legal & Jurisdictional Sovereignty | SEAL-4 | |
| SOV-3 Data & AI Sovereignty | SEAL-3 | |
| SOV-4 Operational Sovereignty | SEAL-3 | |
| SOV-5 Supply Chain Sovereignty | SEAL-3 | |
| SOV-6 Technology Sovereignty | SEAL-3 | |
| SOV-7 Security & Compliance Sovereignty | SEAL-3 | |
| SOV-8 Environmental Sustainability | SEAL-3 |
| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-1.1 | EU/EEA legal entity control | 4. Entirely within the EU | 125/125 | SEAL-4 | high | eu_entity (OVHcloud SA incorporated/HQ in Roubaix, France, Euronext Paris, no controlling non-EU parent) -> entity entirely within the EU, opt4 (src: https://corporate.ovhcloud.com/en/trusted-cloud/security-certifications/). |
| SOV-1.2 | Change of control risk | 5. Very unlikely | 125/125 | SEAL-4 | high | Founder Klaba family retains ~68-81% of capital and ~82% of voting rights, reinforced via buybacks, making a takeover/transfer to a non-EU sovereign entity very unlikely, opt5. |
| SOV-1.3 | Control over roadmap | 4. Full influence of EU actors | 125/125 | SEAL-4 | medium | EU-controlled vendor with own R&D and a Gaia-X board seat; EU actors have full influence over the roadmap with no non-EU party constraining it, opt4. |
| SOV-1.4 | Financial independence from non-EU capital | 4. Majority of funding is EU-based | 94/125 | SEAL-4 | medium | Majority EU-based funding: founder-family-controlled French listed company; free float includes some global institutional investors so majority rather than fully EU, opt4. |
| SOV-1.5 | EU economic contribution | 4. Majority in the EU | 94/125 | SEAL-4 | medium | R&D, server factory (Croix), datacentres and most headcount are EU (chiefly France); economic contribution majority-EU though it operates globally, opt4. |
| SOV-1.6 | Participation in EU strategic programs | 4. Strong participation | 94/125 | SEAL-4 | high | Founding member of Gaia-X (board vice-presidency) and IPCEI-CIS participant; strong participation in EU strategic programs, opt4. |
| SOV-1.7 | Alignment with EU industrial strategies | 3. Measured achievement and dedicated governance | 83/125 | SEAL-4 | medium | Markets a trusted/sovereign cloud strategy with SecNumCloud roadmap and dedicated governance; measured achievement aligned with EU industrial strategy, opt3. |
| SOV-1.8 | Resilience to cut-off | 5. Full autonomy and continuity | 125/125 | SEAL-4 | medium | own_stack (designs/builds own servers at Croix, runs own datacentres and OpenStack-based software stack, documented exit/continuity; only residual foreign-fabbed chips) -> full autonomy & continuity, opt5. |
| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-2.1 | Primary legal jurisdiction | 3. Exclusively EU law | 167/167 | SEAL-4 | high | [CEIL] Sovereign offer contracts exclusively under French/EU law (US business handled by a separate US subsidiary); exclusively EU law, opt3 (src: https://www.ovhcloud.com/en/compliance/secnumcloud/). |
| SOV-2.2 | Extraterritorial laws exposure | 5. Verified legal immunity, non-EU laws unenforceable | 167/167 | SEAL-4 | medium | immunity (SecNumCloud 3.2 qualification, certified protection against extraterritorial access; pure-FR entity, no non-EU parent) -> verified legal immunity, opt5 (src: https://www.ovhcloud.com/en/compliance/secnumcloud/). |
| SOV-2.3 | Data access pathways for non-EU authorities | 5. Requests always rejected by the provider | 167/167 | SEAL-4 | medium | [CEIL,NO3] No foreign_parent; SecNumCloud 3.2 + French blocking statute mean not subject to US CLOUD Act/FISA, with commitment to reject/challenge non-EU compelled access -> requests always rejected, opt5 (src: https://www.ovhcloud.com/en/compliance/secnumcloud/). |
| SOV-2.4 | Export control restrictions | 5. Part of offer shielded from restrictions towards EU MSs/intl orgs | 167/167 | SEAL-4 | medium | EU vendor whose sovereign offer is not subject to non-EU export controls toward EU Member States or international organisations, opt5. |
| SOV-2.5 | Origin of IP | 4. Mostly within the EU | 125/167 | SEAL-4 | medium | Software, server designs and water-cooling IP largely developed in-house in France; IP mostly within the EU, embedding foreign chip IP/open-source, opt4. |
| SOV-2.6 | IP holder jurisdiction | 4. EU law with exceptions | 125/167 | SEAL-4 | medium | OVHcloud's own IP held under French/EU law; some embedded third-party (chip/firmware) IP under non-EU law -> EU law with exceptions, opt4. |
| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-3.1 | Customer control over encryption keys | 5. Customer exclusive control - provider cannot read data | 200/200 | SEAL-4 | high | KMS with BYOK/customer-managed keys, KMIP, plus dedicated Managed HSM enabling exclusive customer key control so the provider cannot read the data, opt5. |
| SOV-3.2 | Transparent data flows & access logs | 4. Full customer-controlled visibility, not real-time | 150/200 | SEAL-3 | medium | Customer-controlled logging/audit via Logs Data Platform and IAM giving full customer-controlled visibility, though not guaranteed real-time independent oversight of all provider access, opt4. |
| SOV-3.3 | Secure deletion & proof of erasure | 4. Deletion technically verified with access logs | 150/200 | SEAL-3 | medium | Under SecNumCloud/ISO 27001 controls deletion is technically verified with access logs for the sovereign offer; independent cryptographic proof not separately published, opt4. |
| SOV-3.4 | Data location strictly in EU/EEA | 5. Exclusively EU, no third-country fallback | 200/200 | SEAL-4 | high | eu_exclusive (SecNumCloud-qualified sovereign offer stores AND processes exclusively in EU, no third-country fallback) -> exclusively EU, opt5 (src: https://www.ovhcloud.com/en/compliance/secnumcloud/). |
| SOV-3.5 | AI services sovereignty | 4. EU-led AI, foreign accelerators | 150/200 | SEAL-3 | medium | AI Endpoints serves open-source/EU-origin models (Mistral, Llama) on EU infrastructure with zero data retention, running on foreign NVIDIA accelerators -> EU-led AI, foreign accelerators, opt4. |
| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-4.1 | Portability & interoperability | 4. Formal migration services available | 125/167 | SEAL-4 | medium | Built on open standards (OpenStack, Kubernetes, S3-compatible) with documented export/migration tooling and formal migration services available, opt4. |
| SOV-4.2 | Ability to operate without foreign dependencies | 4. Ops predominantly EU-based teams | 125/167 | SEAL-3 | medium | eu_ops (SecNumCloud sovereign offer operated/administered/supported exclusively by EU staff); predominantly EU-based teams across the platform, opt4. |
| SOV-4.3 | Skill availability in the EU | 3. Majority EU, escalation abroad | 84/167 | SEAL-3 | medium | Engineering/R&D workforce concentrated in France/EU with possible escalation abroad for general (non-sovereign) services -> majority EU, escalation abroad, opt3. |
| SOV-4.4 | Support channels | 3. Majority in EU, non-EU escalations | 84/167 | SEAL-3 | medium | Sovereign/SecNumCloud support handled by EU staff; broader global support exists -> majority in EU with non-EU escalation, opt3. |
| SOV-4.5 | Documentation & knowledge transfer | 3. EU primary with non-EU fallback | 84/167 | SEAL-4 | low | Documentation/knowledge bases primarily EU-produced and hosted with non-EU regional fallback -> EU primary with non-EU fallback, opt3. |
| SOV-4.6 | Subcontractor & supplier jurisdiction | 4. Ability to source alternatives or internalise | 125/167 | SEAL-3 | medium | Vertical integration (own factories, datacentres, software) lets OVHcloud source alternatives or internalise subcontracted functions; main irreplaceable dependency is foreign silicon, opt4. |
| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-5.1 | Origin of components (physical parts) | 3. Transparent with exceptions | 72/143 | SEAL-3 | medium | Transparent about building its own servers/components at Croix, but origin of underlying chips/disks is foreign and only partially disclosed -> transparent with exceptions, opt3. |
| SOV-5.2 | Manufacturing location | 4. Built by EU teams on foreign design | 107/143 | SEAL-3 | high | Servers assembled and cooling hardware built by OVHcloud's own EU teams in Croix on its own designs, with silicon foreign-designed -> built by EU teams on foreign-component design, opt4. |
| SOV-5.3 | Embedded code/firmware provenance | 3. Transparent with exceptions | 72/143 | SEAL-4 | low | Controls own server/BMC integration and discloses much hardware, but CPU/GPU microcode and component firmware come from foreign vendors not fully disclosed -> transparent with exceptions, opt3. |
| SOV-5.4 | Origin of software | 4. Large majority maintained by EU teams | 107/143 | SEAL-3 | medium | No foreign_core: control-plane/management software designed and maintained in-house by EU teams on open-source (OpenStack/KVM/Ceph); large majority EU-maintained, opt4. |
| SOV-5.5 | Software build/release jurisdiction | 4. EU control & execution | 107/143 | SEAL-3 | medium | Software development and release pipelines controlled and executed by OVHcloud's EU engineering organisation -> EU control & execution, opt4. |
| SOV-5.6 | Single point of dependency | 4. Few non-EU in non-critical services, documented | 107/143 | SEAL-3 | medium | own_stack: vertically integrated (own factory/datacentres/software); only residual non-EU dependency is documented foreign silicon, treated as residual hardware (consistent with SOV-1.8) -> few non-EU, non-critical, documented, opt4. |
| SOV-5.7 | Supply chain transparency | 4. Most suppliers auditable | 107/143 | SEAL-3 | medium | Under SecNumCloud 3.2's 2,000+ criteria supply-chain audit and ISO controls, most suppliers are auditable end-to-end -> most suppliers auditable, opt4. |
| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-6.1 | Interoperability & open interfaces | 4. Standards-based and broadly compatible | 150/200 | SEAL-3 | medium | Standards-based, broadly compatible interfaces (OpenStack APIs, S3-compatible storage, Kubernetes) promoting interoperability and reversibility, opt4. |
| SOV-6.2 | Open standards compliance | 4. Policy for most core services | 150/200 | SEAL-3 | medium | Clear policy of building most core services on open standards (OpenStack, Kubernetes, S3, OpenID) -> policy for most core services, opt4. |
| SOV-6.3 | Open source availability | 3. Open source, centralised governance | 100/200 | SEAL-3 | medium | Relies heavily on open source (OpenStack, KVM, Ceph, Kubernetes) and contributes upstream, but the integrated platform governance remains vendor-centralised -> open source, centralised governance, opt3. |
| SOV-6.4 | Service architecture transparency | 3. Some public insight | 100/200 | SEAL-3 | medium | Publishes substantial public technical insight (blogs, docs, open-source repos) but customers cannot directly co-develop core services -> some public insight, opt3. |
| SOV-6.5 | HPC sovereignty | 2. EU-hosted, foreign stack | 50/200 | SEAL-3 | medium | HPC/GPU compute EU-hosted on OVHcloud's own EU infrastructure but on a foreign accelerator stack (NVIDIA) -> EU-hosted, foreign stack (seal 3), opt2. |
| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-7.1 | Security certification (EAL) | 4. EAL3 | 107/143 | SEAL-3 | medium | Holds SecNumCloud 3.2 (Bare Metal Pod, Hosted Private Cloud) plus C5 and ENS; per key SecNumCloud 3.2 / C5+ENS-High maps to EAL3-equivalent, opt4 (src: https://corporate.ovhcloud.com/en/trusted-cloud/security-certifications/). |
| SOV-7.2 | EU regulatory compliance (GDPR/NIS2/DORA) | 5. Fully compliant to all, independently audited | 143/143 | SEAL-4 | high | Holds SecNumCloud, ISO 27001/27017/27018/27701, HDS, SOC 1/2 Type 2, C5, ENS, CSA STAR; GDPR/NIS2/DORA aligned -> fully compliant and independently audited, opt5. |
| SOV-7.3 | EU-based SOC & incident handling | 4. Entire lifecycle by EU teams, EU threat intel | 107/143 | SEAL-3 | medium | SecNumCloud services operated/monitored 24/7 exclusively by EU staff with EU incident handling -> entire lifecycle by EU teams, EU threat intel, opt4. |
| SOV-7.4 | Control over security monitoring/logging | 4. Full direct access, logs stored in EU | 107/143 | SEAL-3 | medium | Customers get full direct access to security logs via Logs Data Platform with logs stored in the EU; immutable tamper-proof default for opt5 not clearly documented, opt4. |
| SOV-7.5 | Disclosure of incidents | 4. Partial compliance, monitored flow, SLAs | 107/143 | SEAL-3 | medium | As an EU operator under NIS2/DORA with SecNumCloud incident processes, partial compliance with monitored flow and SLAs -> opt4. |
| SOV-7.6 | Maintenance autonomy | 4. High autonomy (deploy independently, no checks) | 107/143 | SEAL-4 | medium | As an IaaS provider with its own stack, high autonomy to schedule and deploy maintenance/patches independently of any foreign vendor, opt4. |
| SOV-7.7 | Auditability | 5. Full independent audit by any entity | 143/143 | SEAL-4 | medium | audit_rights (SecNumCloud sovereign offer grants full audit rights to the contracting authority and independent EU bodies) -> full independent audit by any entity, opt5. |
| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-8.1 | Energy efficiency (PUE) | 3. PUE < 1.5 + roadmap | 125/250 | SEAL-4 | medium | Proprietary water-cooling AC-free datacentres deliver PUE ~1.2-1.4 with a published improvement roadmap -> PUE < 1.5 + roadmap, opt3 (seal 4) (src: https://corporate.ovhcloud.com/en/sustainability/environment/). |
| SOV-8.2 | Hardware reuse & recycling | 4. Circular economy, EU-aligned | 188/250 | SEAL-4 | medium | Strong circular-economy model: refurbishes/reuses servers and components in its own factories with documented recycling, aligned with EU circular-economy goals, opt4. |
| SOV-8.3 | Environmental impact reporting | 4. Detailed EU methodology | 188/250 | SEAL-3 | high | Publishes detailed environmental data (PUE, WUE, REF, CUE) and an Environmental Impact Tracker with a detailed methodology, not stated as independently EU-audited -> detailed EU methodology, opt4. |
| SOV-8.4 | Energy supplies | 4. Only EU energy supplies (high renewable) | 188/250 | SEAL-4 | medium | Renewable Energy Factor ~77% targeting 100%, EU-sourced energy supplies -> only EU energy supplies with high renewable share, opt4 (src: https://corporate.ovhcloud.com/en/sustainability/environment/). |