| SOV-1 Strategic Sovereignty | SEAL-3 | |
| SOV-2 Legal & Jurisdictional Sovereignty | SEAL-2 | |
| SOV-3 Data & AI Sovereignty | SEAL-2 | |
| SOV-4 Operational Sovereignty | SEAL-3 | |
| SOV-5 Supply Chain Sovereignty | SEAL-2 | |
| SOV-6 Technology Sovereignty | SEAL-2 | |
| SOV-7 Security & Compliance Sovereignty | SEAL-1 | |
| SOV-8 Environmental Sustainability | SEAL-3 | |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-1.1 | EU/EEA legal entity control | 4. Entirely within the EU | 125/125 | SEAL-4 | high | eu_entity (Qarnot Computing SAS, Montrouge FR; EU investors, no non-EU parent) -> entity entirely within the EU -> opt4 (src: https://qarnot.com/en). |
| SOV-1.2 | Change of control risk | 4. Unlikely takeover/transfer to non-EU sovereign entity | 94/125 | SEAL-4 | medium | EU/French public+private ownership (ADEME, Caisse des Depots/Banque des Territoires, EIC, SG, Demeter, Data4, ENGIE); non-EU takeover unlikely though not impossible for an SME -> opt4. |
| SOV-1.3 | Control over roadmap | 3. Governance bodies exist with EU actors participation | 83/125 | SEAL-3 | medium | EU-controlled SME with public investors and EU strategic-program touchpoints give EU actors governance influence -> opt3. |
| SOV-1.4 | Financial independence from non-EU capital | 4. Majority of funding is EU-based | 94/125 | SEAL-4 | high | Funding overwhelmingly EU-based (ADEME, Caisse des Depots, Banque des Territoires, EIC, SG Ventures, Demeter, ENGIE, Data4) -> majority EU funding -> opt4. |
| SOV-1.5 | EU economic contribution | 5. Fully in the EU | 125/125 | SEAL-4 | high | Operations, ~60 staff, data centres and heat-reuse deployments fully in the EU -> economic contribution fully in the EU -> opt5. |
| SOV-1.6 | Participation in EU strategic programs | 3. Active participant in strategic projects | 63/125 | SEAL-4 | medium | Active participant in EU/French strategic R&D programs (Eureka, Horizon/CORDIS, Inria PULSE, ADEME, Bpifrance SecNumCloud support) -> opt3. |
| SOV-1.7 | Alignment with EU industrial strategies | 3. Measured achievement and dedicated governance | 83/125 | SEAL-4 | medium | Measurable mission aligned with EU green/digital industrial strategy (waste-heat reuse, decarbonised HPC) with dedicated governance and public co-financing -> opt3. |
| SOV-1.8 | Resilience to cut-off | 5. Full autonomy and continuity | 125/125 | SEAL-4 | medium | own_stack (designs/operates own QBx digital-boiler hardware + own orchestration software in the EU, not on a non-EU hyperscaler; foreign chips residual only) + documented continuity -> full autonomy & continuity -> opt5. |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-2.1 | Primary legal jurisdiction | 3. Exclusively EU law | 167/167 | SEAL-4 | high | France-incorporated SAS operating exclusively in Europe -> governed exclusively by EU/member-state law -> opt3 (src: https://qarnot.com/en). |
| SOV-2.2 | Extraterritorial laws exposure | 4. Legal structures shielding from foreign law | 125/167 | SEAL-2 | medium | immunity is structural not certified: eu_entity with no non-EU parent/nexus shields from foreign law, but SecNumCloud is in progress not held (unlike the cluster's qualified members) -> legal structures shielding, not verified immunity -> opt4 (seal 2), a genuine differentiator preserved (src: https://www.larevuedudigital.com/les-ordinateurs-qarnot-sengagent-vers-la-qualification-secnumcloud/). |
| SOV-2.3 | Data access pathways for non-EU authorities | 5. Requests always rejected by the provider | 167/167 | SEAL-4 | medium | No foreign_parent and no non-EU establishment -> not subject to US CLOUD Act/FISA/PRC law; lacks legal basis to honour non-EU access demands -> requests always rejected -> opt5 (src: https://qarnot.com/en). |
| SOV-2.4 | Export control restrictions | 4. Part of offer shielded from restrictions towards EU MSs | 125/167 | SEAL-3 | low | EU-exclusive offer toward EU member states is shielded; residual export-control exposure on US-designed chips limits full intl-org coverage -> opt4. |
| SOV-2.5 | Origin of IP | 4. Mostly within the EU | 125/167 | SEAL-4 | medium | Core IP (digital-boiler/QBx hardware, orchestration software, SDKs) developed in France/EU; foreign silicon designs are a dependency -> IP mostly within the EU -> opt4. |
| SOV-2.6 | IP holder jurisdiction | 5. Fully under EU law | 167/167 | SEAL-4 | medium | Qarnot's proprietary IP is held by the French company under EU law -> fully under EU law -> opt5. |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-3.1 | Customer control over encryption keys | 5. Customer exclusive control - provider cannot read data | 200/200 | SEAL-4 | medium | Data not persisted, one-client-per-machine isolation with per-project core reboot and end-to-end encryption -> customer retains exclusive control, provider cannot read workloads -> opt5. |
| SOV-3.2 | Transparent data flows & access logs | 4. Full customer-controlled visibility, not real-time | 150/200 | SEAL-3 | low | ISO 27001/HDS-mandated access logging plus SDK/API job-level visibility give full customer-controlled visibility (not guaranteed real-time independent oversight) -> opt4 (seal 3), aligned with the cluster's ISO 27001/HDS evidence basis (src: https://qarnot.com/en). |
| SOV-3.3 | Secure deletion & proof of erasure | 4. Deletion technically verified with access logs | 150/200 | SEAL-3 | low | Per-project core reboot and non-persistence plus HDS/ISO 27001-mandated documented, logged erasure give deletion technically verified with access logs -> opt4 (seal 3), aligned with the cluster's ISO 27001/HDS evidence basis; full independent cryptographic proof not published, so not opt5 (src: https://qarnot.com/en). |
| SOV-3.4 | Data location strictly in EU/EEA | 5. Exclusively EU, no third-country fallback | 200/200 | SEAL-4 | high | eu_exclusive: full control of IT infrastructure operated exclusively in Europe (France, Italy and other EU sites), no third-country fallback -> opt5 (src: https://qarnot.com/en/sustainability). |
| SOV-3.5 | AI services sovereignty | 3. Mixed: auditable/open-source AI, foreign chips | 100/200 | SEAL-2 | low | GPU-accelerated/simulation HPC on auditable/open tooling but acceleration relies on foreign (US-designed) GPUs; no EU-origin AI models -> mixed: auditable/open AI on foreign chips -> opt3 (seal 2). |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-4.1 | Portability & interoperability | 4. Formal migration services available | 125/167 | SEAL-4 | medium | Open Python/Node.js/C# SDKs, REST API, CLI and Packer-based BYOVM provide documented export/migration plus available migration support -> formal migration services -> opt4. |
| SOV-4.2 | Ability to operate without foreign dependencies | 5. Entire stack managed by fully EU-based team | 167/167 | SEAL-4 | medium | eu_ops: entire stack (hardware design, software, orchestration, operations) managed by Qarnot's EU team in France; infrastructure operated exclusively in Europe -> opt5. |
| SOV-4.3 | Skill availability in the EU | 4. All EU staff | 125/167 | SEAL-3 | medium | Engineering/ops staff based in France/EU; no evidence of formal security clearances across all staff -> all EU staff (not cleared) -> opt4 (seal 3). |
| SOV-4.4 | Support channels | 4. All support staff in EU | 125/167 | SEAL-3 | low | Support provided by the EU-based team; no documented non-EU support centres, no evidenced clearances -> all support staff in EU -> opt4 (seal 3). |
| SOV-4.5 | Documentation & knowledge transfer | 4. EU-only primary repositories | 125/167 | SEAL-4 | low | Documentation/SDKs/knowledge maintained by the EU team with primary repositories in the EU; no non-EU primary documentation ops -> EU-only primary repositories -> opt4. |
| SOV-4.6 | Subcontractor & supplier jurisdiction | 4. Ability to source alternatives or internalise | 125/167 | SEAL-3 | low | Subcontractors largely EU (ENGIE, Data4); critical hardware suppliers non-EU but alternatives sourceable -> ability to source alternatives or internalise -> opt4 (seal 3). |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-5.1 | Origin of components (physical parts) | 3. Transparent with exceptions | 72/143 | SEAL-3 | medium | Discloses key components (AMD CPUs, GPUs, own QBx modules) but full EU-certified BOM provenance not evidenced -> transparent with exceptions -> opt3. |
| SOV-5.2 | Manufacturing location | 4. Built by EU teams on foreign design | 107/143 | SEAL-3 | medium | Designs/assembles proprietary QBx digital-boiler racks with EU teams; chips inside are foreign-designed/fabricated -> built by EU teams on foreign design -> opt4 (seal 3). |
| SOV-5.3 | Embedded code/firmware provenance | 2. Partial disclosure | 36/143 | SEAL-4 | low | AMD CPU/GPU firmware/microcode is proprietary non-EU; Qarnot discloses own software but component firmware provenance only partially disclosed -> opt2. |
| SOV-5.4 | Origin of software | 4. Large majority maintained by EU teams | 107/143 | SEAL-3 | medium | No foreign_core: orchestration platform and SDKs designed/maintained by Qarnot's EU team (several SDKs open source) -> large majority maintained by EU teams -> opt4 (seal 3). |
| SOV-5.5 | Software build/release jurisdiction | 4. EU control & execution | 107/143 | SEAL-3 | medium | Software controlled and built by Qarnot's France-based team; no evidence of non-EU build/release execution -> EU control & execution -> opt4 (seal 3). |
| SOV-5.6 | Single point of dependency | 3. Few non-EU in critical services / documented | 72/143 | SEAL-2 | medium | Critical compute silicon (AMD CPUs, GPUs) from non-EU vendors is a documented dependency in a critical service despite EU facilities/ops -> few non-EU in critical services -> opt3 (seal 2). |
| SOV-5.7 | Supply chain transparency | 3. Critical suppliers auditable | 72/143 | SEAL-2 | low | Critical suppliers auditable under ISO 27001/HDS supplier-management, but full supply-chain auditability not evidenced -> critical suppliers auditable -> opt3 (seal 2). |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-6.1 | Interoperability & open interfaces | 4. Standards-based and broadly compatible | 150/200 | SEAL-3 | medium | Standards-based REST APIs, multi-language open SDKs, CLI and BYOVM/Packer image support -> standards-based and broadly compatible -> opt4. |
| SOV-6.2 | Open standards compliance | 3. Partial core adoption | 100/200 | SEAL-2 | low | Open standards adopted for core HPC workloads (container/VM images, standard simulation software, REST) but no published all-services policy -> partial core adoption -> opt3 (seal 2). |
| SOV-6.3 | Open source availability | 3. Open source, centralised governance | 100/200 | SEAL-3 | medium | No foreign_core: client SDKs/tools open-sourced on GitHub; core orchestration not fully open -> open source with centralised governance -> opt3 (seal 3). |
| SOV-6.4 | Service architecture transparency | 3. Some public insight | 100/200 | SEAL-3 | low | Meaningful public insight into architecture (digital boiler, QBx, SDK docs, sustainability methodology) -> some public insight -> opt3. |
| SOV-6.5 | HPC sovereignty | 3. Co-designed or integrated in EU | 100/200 | SEAL-3 | medium | Integrates and co-designs HPC in the EU (own QBx modules, EU-built racks) but uses foreign-fabricated processors/accelerators -> co-designed/integrated in EU -> opt3. |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-7.1 | Security certification (EAL) | 3. EAL2 | 72/143 | SEAL-2 | medium | SecNumCloud in progress not held (so no EAL3 like the cluster's qualified members); holds ISO 27001 plus HDS (a substantive French health-data hosting certification), i.e. ISO 27001 + a second cloud certification -> EAL2-equivalent per key -> opt3 EAL2 (seal 2), a genuine cap below the qualified peers (src: https://www.larevuedudigital.com/les-ordinateurs-qarnot-sengagent-vers-la-qualification-secnumcloud/). |
| SOV-7.2 | EU regulatory compliance (GDPR/NIS2/DORA) | 4. Partial compliance to most | 107/143 | SEAL-4 | medium | GDPR-aligned, ISO 27001 and HDS certified, pursuing SecNumCloud; partial compliance with most of GDPR/NIS2/DORA, not yet independently audited against all three -> opt4. |
| SOV-7.3 | EU-based SOC & incident handling | 4. Entire lifecycle by EU teams, EU threat intel | 107/143 | SEAL-3 | low | Security operations/incident handling run by Qarnot's EU teams with EU threat context (ISO 27001/HDS scope); no evidenced ENISA/CSIRT sharing -> entire lifecycle by EU teams -> opt4 (seal 3). |
| SOV-7.4 | Control over security monitoring/logging | 4. Full direct access, logs stored in EU | 107/143 | SEAL-3 | low | ISO 27001/HDS imply EU-stored logs with customer access to security information; no immutable tamper-proof customer logging evidenced -> full direct access, logs in EU -> opt4 (seal 3). |
| SOV-7.5 | Disclosure of incidents | 4. Partial compliance, monitored flow, SLAs | 107/143 | SEAL-3 | low | EU operator bound by NIS2/GDPR/HDS breach-notification with monitored disclosure flows and SLAs -> partial compliance, monitored flow, SLAs, opt4 (seal 3), aligned with the cluster's NIS2-bound members; full real-time CSIRT sharing not evidenced (src: https://qarnot.com/en). |
| SOV-7.6 | Maintenance autonomy | 4. High autonomy (deploy independently, no checks) | 107/143 | SEAL-4 | low | Operates its own stack and can deploy maintenance independently across self-operated infrastructure -> high maintenance autonomy -> opt4. |
| SOV-7.7 | Auditability | 2. Limited independent access | 36/143 | SEAL-1 | low | No audit_rights: SecNumCloud not held; only accredited third-party audits via ISO 27001/HDS bodies, no full independent audit by any entity -> limited independent access -> opt2 (seal 1), a genuine differentiator vs the cluster's SecNumCloud-qualified members preserved (src: https://www.larevuedudigital.com/les-ordinateurs-qarnot-sengagent-vers-la-qualification-secnumcloud/). |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-8.1 | Energy efficiency (PUE) | 5. PUE < 1.2, EU verified | 250/250 | SEAL-4 | medium | Reuses ~95% of server heat and eliminates traditional cooling -> effective PUE under 1.2 with European operations and verified ESG metrics -> opt5 (src: https://qarnot.com/en/sustainability). |
| SOV-8.2 | Hardware reuse & recycling | 4. Circular economy, EU-aligned | 188/250 | SEAL-4 | low | Eco-design (distributed digital boilers, modular reusable hardware, EU-aligned circularity, PULSE/ADEME programs) reflects EU-aligned circular economy -> opt4. |
| SOV-8.3 | Environmental impact reporting | 4. Detailed EU methodology | 188/250 | SEAL-3 | medium | Detailed environmental reporting with real-time ESG metrics and EU/ADEME-aligned methodology (carbon reductions up to 80%), not described as fully EU-audited -> detailed EU methodology -> opt4 (seal 3). |
| SOV-8.4 | Energy supplies | 5. Only green EU energy supplies | 250/250 | SEAL-4 | medium | Operating in France/EU with low-carbon waste-heat-reuse model and EU green-energy partners (ENGIE) -> only green EU energy supplies -> opt5 (src: https://qarnot.com/en/sustainability). |