| SOV-1 Strategic Sovereignty | SEAL-2 | |
| SOV-2 Legal & Jurisdictional Sovereignty | SEAL-2 | |
| SOV-3 Data & AI Sovereignty | SEAL-2 | |
| SOV-4 Operational Sovereignty | SEAL-3 | |
| SOV-5 Supply Chain Sovereignty | SEAL-2 | |
| SOV-6 Technology Sovereignty | SEAL-2 | |
| SOV-7 Security & Compliance Sovereignty | SEAL-3 | |
| SOV-8 Environmental Sustainability | SEAL-2 |
| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-1.1 | EU/EEA legal entity control | 4. Entirely within the EU | 125/125 | SEAL-4 | high | S3NS is a French-law company controlled by Thales (France) in a strategic partnership with Google Cloud; Google's stake is capped well below control. Legal entity is entirely within the EU -> opt4. (src: https://www.s3ns.io/en/news/premi3ns-secnumcloud-qualification) |
| SOV-1.2 | Change of control risk | 4. Unlikely takeover/transfer to non-EU sovereign entity | 94/125 | SEAL-4 | medium | Thales majority control plus SecNumCloud share-cap rules legally block any non-EU takeover; transfer to a non-EU sovereign entity is unlikely while the SecNumCloud structure stands, though Google's strategic stake creates some residual exposure. |
| SOV-1.3 | Control over roadmap | 3. Governance bodies exist with EU actors participation | 83/125 | SEAL-3 | medium | S3NS controls operations and validates all updates, but the underlying technology roadmap (e.g. timing of Gemini/Vertex availability) is set by Google; governance bodies with EU/Thales participation exist but EU does not have full roadmap control. |
| SOV-1.4 | Financial independence from non-EU capital | 4. Majority of funding is EU-based | 94/125 | SEAL-4 | medium | Funding is predominantly EU-based via Thales as majority shareholder; Google holds a minority capped stake, so the majority of capital is EU-based. |
| SOV-1.5 | EU economic contribution | 4. Majority in the EU | 94/125 | SEAL-4 | high | Nearly 200 employees in France, three French data centres, French operations and revenue concentrated in France/EU; economic contribution is majority in the EU. |
| SOV-1.6 | Participation in EU strategic programs | 3. Active participant in strategic projects | 63/125 | SEAL-4 | medium | S3NS is an active player in French/EU sovereign cloud strategy (Trusted Cloud / Cloud au Centre doctrine) and was a winner in EU sovereign cloud tenders, an active participant in strategic projects. |
| SOV-1.7 | Alignment with EU industrial strategies | 3. Measured achievement and dedicated governance | 83/125 | SEAL-4 | medium | Strong alignment with France's sovereign cloud doctrine with measurable achievement (SecNumCloud 3.2 qualification) and dedicated governance, though it is not an independent foundational-technology champion. |
| SOV-1.8 | Resilience to cut-off | 4. Ability to source alternatives or internalise key functions | 94/125 | SEAL-2 | low | SecNumCloud requires reversibility and continuity provisions; updates are quarantined and validated by S3NS so the platform can run on the licensed snapshot, giving ability to operate temporarily and source alternatives, but full autonomy is limited by Google technology dependence. |
| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-2.1 | Primary legal jurisdiction | 3. Exclusively EU law | 167/167 | SEAL-4 | high | S3NS operates exclusively under French/EU law as a SecNumCloud 3.2 qualified provider (ANSSI, Dec 2025); the offering is structured to be governed solely by EU law -> opt3. (src: https://www.s3ns.io/en/news/premi3ns-secnumcloud-qualification) |
| SOV-2.2 | Extraterritorial laws exposure | 4. Legal structures shielding from foreign law | 125/167 | SEAL-2 | high | immunity is structural-not-certified-as-absolute: Thales-control + SecNumCloud share caps shield from foreign law, but the core platform is licensed Google tech so the key rates S3NS as legal structures shielding (opt4, seal 2), not verified immunity -> SOV-2.2 opt4. (src: https://www.s3ns.io/en/news/premi3ns-secnumcloud-qualification) |
| SOV-2.3 | Data access pathways for non-EU authorities | 5. Requests always rejected by the provider | 167/167 | SEAL-4 | high | S3NS states extraterritorial requests would be rejected; there is no technical mechanism for Google to access data and Google staff cannot access the infrastructure, so foreign-authority requests are always rejected by the provider -> opt5. (src: https://www.s3ns.io/en/news/premi3ns-secnumcloud-qualification) |
| SOV-2.4 | Export control restrictions | 5. Part of offer shielded from restrictions towards EU MSs/intl orgs | 167/167 | SEAL-4 | medium | Operated exclusively under French jurisdiction by French staff; the offering is structured to be shielded from non-EU export restrictions affecting EU member states and international organisations. |
| SOV-2.5 | Origin of IP | 2. Mostly outside the EU | 42/167 | SEAL-4 | high | Core platform software, AI stack and GCP technology IP originate from Google (US); only the operational/security layer IP is Thales/S3NS, so IP origin is mostly outside the EU. |
| SOV-2.6 | IP holder jurisdiction | 3. Mixed law, some EU | 84/167 | SEAL-3 | medium | Underlying GCP technology IP is held under US law while operational and security IP sits with Thales/S3NS under French law, a mixed situation with some EU holding. |
| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-3.1 | Customer control over encryption keys | 5. Customer exclusive control - provider cannot read data | 200/200 | SEAL-4 | high | PREMI3NS provides externalised customer-controlled encryption keys; with key management held by the customer and no Google access path, the provider cannot read the data. |
| SOV-3.2 | Transparent data flows & access logs | 4. Full customer-controlled visibility, not real-time | 150/200 | SEAL-3 | medium | SecNumCloud mandates comprehensive access logging available to customers and auditors, giving full customer-controlled visibility, though not necessarily real-time independent auditability. |
| SOV-3.3 | Secure deletion & proof of erasure | 4. Deletion technically verified with access logs | 150/200 | SEAL-3 | low | SecNumCloud 3.2 requires secure deletion practices with logging; deletion is technically verified with access logs, but independent proof-of-erasure attestation is not clearly evidenced. |
| SOV-3.4 | Data location strictly in EU/EEA | 5. Exclusively EU, no third-country fallback | 200/200 | SEAL-4 | high | Data is hosted exclusively in S3NS data centres in France under SecNumCloud 3.2 with no third-country fallback; Google cannot access the infrastructure -> opt5. (src: https://www.s3ns.io/en/news/premi3ns-secnumcloud-qualification) |
| SOV-3.5 | AI services sovereignty | 2. Mostly non-EU: licensed AI, chip dependency | 50/200 | SEAL-2 | medium | AI services are licensed Google/Vertex technology (initially open models, Gemini later) running on NVIDIA H100 (A3) accelerators, so the AI stack and chips are non-EU with licensed models and chip dependency. |
| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-4.1 | Portability & interoperability | 4. Formal migration services available | 125/167 | SEAL-4 | medium | Built on GCP-compatible APIs with standard export methods and SecNumCloud-mandated reversibility; formal migration support is available, though lock-in to GCP semantics limits true portability. |
| SOV-4.2 | Ability to operate without foreign dependencies | 5. Entire stack managed by fully EU-based team | 167/167 | SEAL-4 | high | The entire stack is operated and administered exclusively by S3NS employees in France; Google staff cannot access the infrastructure, so operations are run by a fully EU-based team. |
| SOV-4.3 | Skill availability in the EU | 4. All EU staff | 125/167 | SEAL-3 | medium | S3NS staff are based in France with required vetting under SecNumCloud; all operational staff are EU-based, though full named security-clearance regime is not documented for every role. |
| SOV-4.4 | Support channels | 4. All support staff in EU | 125/167 | SEAL-3 | medium | Support is delivered by S3NS in France under SecNumCloud requirements, with all support staff in the EU. |
| SOV-4.5 | Documentation & knowledge transfer | 4. EU-only primary repositories | 125/167 | SEAL-4 | low | SecNumCloud requires documentation and knowledge held within the qualified perimeter in France, implying EU-only primary repositories. |
| SOV-4.6 | Subcontractor & supplier jurisdiction | 4. Ability to source alternatives or internalise | 125/167 | SEAL-3 | low | Critical operations are internalised by S3NS and updates are quarantined; in a cut-off the platform can continue on validated snapshots and S3NS can internalise key functions, though deep Google technology dependence caps full autonomy. |
| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-5.1 | Origin of components (physical parts) | 3. Transparent with exceptions | 72/143 | SEAL-3 | low | Hardware runs on dedicated Google infrastructure operated by S3NS within the SecNumCloud 3.2 perimeter audited by ANSSI; component provenance is transparent with exceptions (audit rights inside the qualified perimeter) -> SOV-5.1 opt3. |
| SOV-5.2 | Manufacturing location | 3. Mixed sourcing, EU audit rights | 72/143 | SEAL-3 | medium | Servers/accelerators are foreign-designed (Google/NVIDIA) but sourced and operated under the SecNumCloud 3.2 perimeter with ANSSI audit rights -> mixed sourcing with EU audit rights, SOV-5.2 opt3. |
| SOV-5.3 | Embedded code/firmware provenance | 2. Partial disclosure | 36/143 | SEAL-4 | low | Firmware/embedded code on the underlying Google and NVIDIA hardware is foreign with only partial disclosure to S3NS. |
| SOV-5.4 | Origin of software | 2. Foreign origin, partial disclosure | 36/143 | SEAL-2 | high | foreign_core: core cloud software and AI components are Google-origin licensed technology; S3NS operates and validates but does not develop the core stack, so software origin is foreign with partial disclosure -> opt2 (seal 2 ceiling). (src: https://www.s3ns.io/en/news/premi3ns-secnumcloud-qualification) |
| SOV-5.5 | Software build/release jurisdiction | 3. Non-EU control, EU execution | 72/143 | SEAL-3 | medium | Google controls the upstream build/release of the technology while S3NS quarantines, analyses and validates updates and executes deployment in France: non-EU control with EU execution and EU policy gating. |
| SOV-5.6 | Single point of dependency | 3. Few non-EU in critical services / documented | 72/143 | SEAL-2 | high | Google is a single critical non-EU technology dependency for the core platform and AI; this is documented and the SecNumCloud structure mitigates access risk, but the dependency on one non-EU vendor for critical services remains. |
| SOV-5.7 | Supply chain transparency | 3. Critical suppliers auditable | 72/143 | SEAL-2 | low | Critical suppliers are auditable within the SecNumCloud qualification perimeter audited by ANSSI, though the full upstream Google/NVIDIA supply chain is not openly auditable by any party. |
| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-6.1 | Interoperability & open interfaces | 4. Standards-based and broadly compatible | 150/200 | SEAL-3 | medium | Built on GCP APIs that are broadly standards-based and widely compatible, supporting interoperability, though core interfaces remain Google-defined rather than open-by-default. |
| SOV-6.2 | Open standards compliance | 3. Partial core adoption | 100/200 | SEAL-2 | low | Partial adoption of open standards through Kubernetes/GKE and standard cloud interfaces across core services. |
| SOV-6.3 | Open source availability | 2. Source available for review, strict rights | 50/200 | SEAL-2 | medium | foreign_core: core platform is Google proprietary technology; some source is available for review/validation by S3NS under strict rights but it is not open source with EU governance -> opt2 (seal 2 ceiling). Initial AI offering favours open models but the platform itself is vendor-controlled. (src: https://www.s3ns.io/en/news/premi3ns-secnumcloud-qualification) |
| SOV-6.4 | Service architecture transparency | 3. Some public insight | 100/200 | SEAL-3 | low | S3NS publishes some architecture/sovereignty insight and the design is auditable by ANSSI; some public insight exists into how the service is built and isolated. |
| SOV-6.5 | HPC sovereignty | 2. EU-hosted, foreign stack | 50/200 | SEAL-3 | medium | HPC/AI acceleration uses NVIDIA H100 (A3) hardware hosted in France but running a foreign (Google/NVIDIA) stack: EU-hosted, foreign stack. |
| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-7.1 | Security certification (EAL) | 4. EAL3 | 107/143 | SEAL-3 | medium | cert mapping: SecNumCloud 3.2 qualification (ANSSI, Dec 17 2025, covering IaaS+CaaS+PaaS, 20+ services) maps to EAL3-equivalent per the key -> SOV-7.1 opt4 (seal 3). (src: https://www.s3ns.io/en/news/premi3ns-secnumcloud-qualification) |
| SOV-7.2 | EU regulatory compliance (GDPR/NIS2/DORA) | 5. Fully compliant to all, independently audited | 143/143 | SEAL-4 | high | SecNumCloud 3.2 qualification by ANSSI plus French/EU regulatory alignment (GDPR, NIS2, DORA) constitutes full, independently audited EU regulatory compliance. |
| SOV-7.3 | EU-based SOC & incident handling | 4. Entire lifecycle by EU teams, EU threat intel | 107/143 | SEAL-3 | medium | Security operations and incident handling are performed by S3NS teams in France under SecNumCloud, covering the full lifecycle with EU threat intelligence. |
| SOV-7.4 | Control over security monitoring/logging | 4. Full direct access, logs stored in EU | 107/143 | SEAL-3 | medium | SecNumCloud requires customer access to monitoring/logging with logs stored in France/EU, giving full direct access with EU-stored logs. |
| SOV-7.5 | Disclosure of incidents | 4. Partial compliance, monitored flow, SLAs | 107/143 | SEAL-3 | medium | Incident disclosure follows GDPR/NIS2 with monitored flows and SLAs under the SecNumCloud regime; partial compliance with monitored flow and SLAs. |
| SOV-7.6 | Maintenance autonomy | 3. Moderate autonomy (notice + testing, except zero-day) | 72/143 | SEAL-4 | medium | S3NS quarantines and validates all updates before deployment with notice and testing, giving moderate maintenance autonomy except for zero-day situations. |
| SOV-7.7 | Auditability | 5. Full independent audit by any entity | 143/143 | SEAL-4 | medium | SecNumCloud 3.2 qualification entails full independent audit by ANSSI and accredited auditors of the qualified perimeter -> opt5. (src: https://www.s3ns.io/en/news/premi3ns-secnumcloud-qualification) |
| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-8.1 | Energy efficiency (PUE) | 3. PUE < 1.5 + roadmap | 125/250 | SEAL-4 | low | Modern French data centres in the Paris region with efficiency commitments suggest PUE under 1.5 with a roadmap, though no specific verified PUE figure is published for S3NS. |
| SOV-8.2 | Hardware reuse & recycling | 3. Documented program | 125/250 | SEAL-3 | low | Hardware lifecycle/recycling is expected to follow a documented program consistent with Thales/data-centre operator practices, but no S3NS-specific certified program is evidenced. |
| SOV-8.3 | Environmental impact reporting | 3. Annual report | 125/250 | SEAL-2 | low | Environmental reporting is expected at least annually consistent with Thales group sustainability reporting, but no detailed S3NS-specific EU-methodology report is published. |
| SOV-8.4 | Energy supplies | 3. Mix of EU and non-EU supplies | 125/250 | SEAL-4 | low | French grid power is largely low-carbon EU energy; without a published S3NS-specific 100% renewable commitment, treated as a mix of EU supplies. |