| SOV-1 Strategic Sovereignty | SEAL-2 | |
| SOV-2 Legal & Jurisdictional Sovereignty | SEAL-2 | |
| SOV-3 Data & AI Sovereignty | SEAL-1 | |
| SOV-4 Operational Sovereignty | SEAL-3 | |
| SOV-5 Supply Chain Sovereignty | SEAL-1 | |
| SOV-6 Technology Sovereignty | SEAL-3 | |
| SOV-7 Security & Compliance Sovereignty | SEAL-1 | |
| SOV-8 Environmental Sustainability | SEAL-2 | |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-1.1 | EU/EEA legal entity control | 4. Entirely within the EU | 125/125 | SEAL-4 | high | eu_entity: plusserver GmbH is incorporated and headquartered in Cologne, Germany (HRB 84977), operating entirely within the EU -> opt4. (src: https://www.plusserver.com/en/company/) |
| SOV-1.2 | Change of control risk | 3. Somewhat likely takeover/transfer to non-EU sovereign entity | 63/125 | SEAL-4 | medium | Owned by UK-based PE firm BC Partners (non-EU) since 2017 and actively shopped for sale (Jefferies mandate, loan maturity); a transfer to a non-EU sovereign owner is a realistic possibility -> opt3. |
| SOV-1.3 | Control over roadmap | 3. Governance bodies exist with EU actors participation | 83/125 | SEAL-3 | medium | Founding member of Gaia-X and SCS contributor with open governance via the Sovereign Cloud Stack community; EU actors participate in roadmap governance bodies -> opt3. |
| SOV-1.4 | Financial independence from non-EU capital | 3. Balanced mix of EU and non-EU funding | 63/125 | SEAL-4 | medium | Financial sponsor is UK PE firm BC Partners (non-EU), while operating business, revenues and reinvestment are German; effectively a balanced mix of EU and non-EU capital -> opt3. |
| SOV-1.5 | EU economic contribution | 5. Fully in the EU | 125/125 | SEAL-4 | high | Operations, data centers, employees and revenue base are fully in Germany; economic contribution is overwhelmingly within the EU -> opt5. |
| SOV-1.6 | Participation in EU strategic programs | 4. Strong participation | 94/125 | SEAL-4 | high | Founding member of Gaia-X and delivered the first Gaia-X-compatible cloud (pluscloud open) on the Sovereign Cloud Stack; strong participation in EU strategic programs -> opt4. |
| SOV-1.7 | Alignment with EU industrial strategies | 3. Measured achievement and dedicated governance | 83/125 | SEAL-4 | medium | Clear, sustained alignment with EU digital-sovereignty industrial strategy (Gaia-X, SCS, 'made in Germany' sovereign cloud) with dedicated governance and measured delivery -> opt3. |
| SOV-1.8 | Resilience to cut-off | 4. Ability to source alternatives or internalise key functions | 94/125 | SEAL-2 | medium | own_stack partial: German-operated, built on open-source SCS/OpenStack so plusserver can source alternatives or internalise functions, but a real non-EU hardware dependency prevents full autonomy -> opt4 (seal 2). |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-2.1 | Primary legal jurisdiction | 3. Exclusively EU law | 167/167 | SEAL-4 | high | A German GmbH with German data centers operating fully in the German legal space; contractual and operational jurisdiction is exclusively EU law -> opt3. (src: https://www.plusserver.com/en/company/data-centers/) |
| SOV-2.2 | Extraterritorial laws exposure | 4. Legal structures shielding from foreign law | 125/167 | SEAL-2 | medium | eu_entity with structural shielding (German GmbH, German DCs) but no certified immunity (no SecNumCloud/EUCS-High) and a non-EU UK parent owner -> legal structures shielding, opt4 (seal 2). |
| SOV-2.3 | Data access pathways for non-EU authorities | 5. Requests always rejected by the provider | 167/167 | SEAL-4 | medium | No US/CN parent; not subject to CLOUD Act/FISA/PRC law (UK PE owner cannot compel German-held data); plusserver states data is not subject to the CLOUD Act and responds only under EU/German legal process -> opt5. (src: https://www.plusserver.com/en/company/certificates-and-attestations/) |
| SOV-2.4 | Export control restrictions | 4. Part of offer shielded from restrictions towards EU MSs | 125/167 | SEAL-3 | low | German provider with the large majority of revenue in the EU and no evident export-control restrictions toward EU member states; sovereign offer shielded toward EU MSs -> opt4. |
| SOV-2.5 | Origin of IP | 3. Mixed within/outside the EU | 84/167 | SEAL-4 | medium | Core platform leans on open-source software (OpenStack, Kubernetes, SCS) with EU contributions, but underlying hardware and some component IP originate outside the EU; mixed within/outside -> opt3. |
| SOV-2.6 | IP holder jurisdiction | 3. Mixed law, some EU | 84/167 | SEAL-3 | low | Software stack is largely open-source/community-governed and operated under German law, but foreign hardware/firmware IP sits under non-EU jurisdictions; mixed law with some EU -> opt3. |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-3.1 | Customer control over encryption keys | 4. Customer primary control but provider can read data | 150/200 | SEAL-3 | low | OpenStack-based platform supports customer-managed keys (Barbican/KMS) giving customers primary control, but as managed infrastructure the provider can technically still reach data; no end-to-end zero-access guarantee -> opt4. |
| SOV-3.2 | Transparent data flows & access logs | 4. Full customer-controlled visibility, not real-time | 150/200 | SEAL-3 | low | OpenStack and BSI C5 controls provide customer-accessible logging and audit evidence, but real-time independent auditability of all provider data flows is not documented -> opt4. |
| SOV-3.3 | Secure deletion & proof of erasure | 3. Internal validation per policy, no proof | 100/200 | SEAL-1 | low | BSI C5 and ISO 27001 mandate documented deletion procedures validated by policy, but no published cryptographic proof-of-erasure offered to customers -> opt3. |
| SOV-3.4 | Data location strictly in EU/EEA | 4. EU by default, tightly controlled exceptions | 150/200 | SEAL-1 | high | No eu_exclusive guarantee: data resides by default in four certified German data centers (GDPR-compliant) but this is EU-by-default with tightly controlled exceptions, not a contractual no-third-country-fallback exclusivity -> opt4 (seal 1). (src: https://www.plusserver.com/en/company/data-centers/) |
| SOV-3.5 | AI services sovereignty | 4. EU-led AI, foreign accelerators | 150/200 | SEAL-3 | medium | plusAI is an open-source, German-hosted sovereign AI platform under German law, but it runs on foreign accelerators (Nvidia/AMD GPUs); EU-led AI on foreign accelerators -> opt4. |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-4.1 | Portability & interoperability | 4. Formal migration services available | 125/167 | SEAL-4 | medium | Built on open standards (OpenStack APIs, Kubernetes) with documented export methods, and plusserver markets migration/onboarding services reducing lock-in -> opt4. |
| SOV-4.2 | Ability to operate without foreign dependencies | 4. Ops predominantly EU-based teams | 125/167 | SEAL-3 | medium | eu_ops: operations are predominantly delivered by German/EU teams from German data centers; foreign hardware vendors remain a dependency but not for day-to-day operation -> opt4. |
| SOV-4.3 | Skill availability in the EU | 3. Majority EU, escalation abroad | 84/167 | SEAL-3 | low | Engineering and operations skills are based in Germany (majority EU), with foreign-vendor escalation for hardware-specific issues; no published security-clearance regime -> opt3. |
| SOV-4.4 | Support channels | 4. All support staff in EU | 125/167 | SEAL-3 | medium | Support is delivered from Germany via German phone lines and German-language support; effectively all support staff in the EU, no published clearance program -> opt4. |
| SOV-4.5 | Documentation & knowledge transfer | 3. EU primary with non-EU fallback | 84/167 | SEAL-4 | low | Documentation (docs.plusserver.com) is German/EU-primary, with some upstream open-source/vendor materials hosted abroad; EU-primary with non-EU fallback -> opt3. |
| SOV-4.6 | Subcontractor & supplier jurisdiction | 4. Ability to source alternatives or internalise | 125/167 | SEAL-3 | low | Open-source stack and EU operations mean plusserver can source alternatives or internalise critical functions if a non-EU supplier is cut off, though hardware substitution would take time -> opt4. |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-5.1 | Origin of components (physical parts) | 2. Partial disclosure | 36/143 | SEAL-1 | medium | Hardware vendors (HPE, NetApp, Intel, Nvidia, AMD, Juniper) are disclosed at a high level, but detailed component provenance is only partially disclosed -> opt2. |
| SOV-5.2 | Manufacturing location | 2. Foreign origin, partial disclosure | 36/143 | SEAL-1 | medium | Servers, storage, networking and chips are manufactured by non-EU OEMs (US/Asian origin); German assembly/operation does not change the foreign manufacturing origin -> opt2. |
| SOV-5.3 | Embedded code/firmware provenance | 2. Partial disclosure | 36/143 | SEAL-4 | low | Firmware/microcode for the foreign hardware (BIOS, NIC, GPU, storage controllers) is vendor-controlled with only partial disclosure -> opt2. |
| SOV-5.4 | Origin of software | 3. Core/essential parts maintained by EU teams | 72/143 | SEAL-3 | medium | No foreign_core: core platform software is open-source (OpenStack, Kubernetes, SCS) with plusserver/EU teams maintaining and integrating the essential parts -> opt3 (seal 3). |
| SOV-5.5 | Software build/release jurisdiction | 4. EU control & execution | 107/143 | SEAL-3 | low | As a German operator deploying the SCS/OpenStack stack, build and release of the operated platform are controlled and executed within the EU, though upstream open-source releases originate globally -> opt4. |
| SOV-5.6 | Single point of dependency | 3. Few non-EU in critical services / documented | 72/143 | SEAL-2 | medium | A few non-EU vendors (chip/server OEMs) sit in critical infrastructure paths; dependencies are documented but cannot be fully removed -> opt3. |
| SOV-5.7 | Supply chain transparency | 3. Critical suppliers auditable | 72/143 | SEAL-2 | low | BSI C5 and ISO 27001 audits cover critical suppliers, providing audit rights over the most important parts of the supply chain, but not all suppliers -> opt3. |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-6.1 | Interoperability & open interfaces | 5. Open-by-default with portability | 200/200 | SEAL-4 | high | pluscloud open is open-by-default on OpenStack/Kubernetes/SCS standard APIs, explicitly designed for portability and avoiding vendor lock-in -> opt5. |
| SOV-6.2 | Open standards compliance | 4. Policy for most core services | 150/200 | SEAL-3 | high | Open standards (OpenStack, Kubernetes, S3-compatible, SCS reference standards) underpin most core services as a deliberate policy -> opt4. |
| SOV-6.3 | Open source availability | 5. Fully open-source, independent/EU governance | 200/200 | SEAL-4 | high | No foreign_core: pluscloud open is fully open source on the community-governed Sovereign Cloud Stack with a public GitHub (pluscloudopen) and EU/independent governance -> opt5. |
| SOV-6.4 | Service architecture transparency | 4. Large corpus of public insight | 150/200 | SEAL-3 | medium | Open-source codebase, public documentation and SCS reference architecture provide a large corpus of public insight into the service architecture -> opt4. |
| SOV-6.5 | HPC sovereignty | 2. EU-hosted, foreign stack | 50/200 | SEAL-3 | low | Any HPC/GPU capacity is EU-hosted in German data centers but runs on foreign (Nvidia/AMD/Intel) hardware and stack; EU-hosted foreign stack -> opt2 (seal 3). |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-7.1 | Security certification (EAL) | 4. EAL3 | 107/143 | SEAL-3 | medium | Certs held are BSI C5 Type II + ISO 27001 + ISAE 3000/IDW PS 9.860.1; per the key, BSI C5 is a high-assurance EU/national cloud certification mapping to EAL3 -> opt4 (seal 3). (src: https://www.plusserver.com/en/company/certificates-and-attestations/) |
| SOV-7.2 | EU regulatory compliance (GDPR/NIS2/DORA) | 4. Partial compliance to most | 107/143 | SEAL-4 | medium | Demonstrably GDPR-compliant with BSI C5 Type II, ISO 27001 and ISAE 3000/IDW PS 9.860.1 attestations; as an EU critical provider it is subject to NIS2, though full DORA conformance is not separately evidenced -> opt4. |
| SOV-7.3 | EU-based SOC & incident handling | 4. Entire lifecycle by EU teams, EU threat intel | 107/143 | SEAL-3 | low | Security operations and incident handling are run by German teams from German data centers under EU regulation; EU lifecycle, though formal ENISA/CSIRT real-time sharing is not explicitly documented -> opt4. |
| SOV-7.4 | Control over security monitoring/logging | 4. Full direct access, logs stored in EU | 107/143 | SEAL-3 | low | BSI C5/ISO 27001 controls give customers direct access to monitoring and logs stored in German (EU) data centers; tamper-proof immutability not explicitly published -> opt4. |
| SOV-7.5 | Disclosure of incidents | 3. Moderate (GDPR/NIS2-aligned) | 72/143 | SEAL-2 | medium | Incident disclosure aligns with GDPR and NIS2 obligations applicable to the German entity; moderate GDPR/NIS2-aligned -> opt3. |
| SOV-7.6 | Maintenance autonomy | 3. Moderate autonomy (notice + testing, except zero-day) | 72/143 | SEAL-4 | low | Operating an open-source stack in its own data centers, plusserver has moderate maintenance autonomy with notice and testing windows, constrained by upstream/vendor patches -> opt3 (seal 4). |
| SOV-7.7 | Auditability | 3. Partial independent control | 72/143 | SEAL-1 | low | No tender-grade audit_rights: independent audits exist via BSI C5/ISO 27001 bodies and customers get partial independent control, but full audit by any entity is not offered (no SecNumCloud) -> opt3 (seal 1). |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-8.1 | Energy efficiency (PUE) | 3. PUE < 1.5 + roadmap | 125/250 | SEAL-4 | low | Modern certified German data centers with an energy-efficiency program (DIN EN 16247 audit) indicate PUE below ~1.5 with an improvement roadmap, though no audited sub-1.3 figure is published -> opt3. (src: https://www.plusserver.com/en/perspektiven/nachhaltige-it) |
| SOV-8.2 | Hardware reuse & recycling | 3. Documented program | 125/250 | SEAL-3 | low | Sustainability program implies a documented hardware reuse/recycling approach, but no EU-certified circular-economy lifecycle is evidenced -> opt3. |
| SOV-8.3 | Environmental impact reporting | 3. Annual report | 125/250 | SEAL-2 | low | plusserver publishes sustainability/environmental information (CO2 savings, energy audits) consistent with regular reporting, but not independently EU-audited per a detailed methodology -> opt3. |
| SOV-8.4 | Energy supplies | 5. Only green EU energy supplies | 250/250 | SEAL-4 | high | plusserver states it relies 100% on renewable (green) electricity in its German data centers, saving ~8,000 tons of CO2 per year -> opt5. (src: https://www.plusserver.com/en/perspektiven/nachhaltige-it) |