| SOV-1 Strategic Sovereignty | SEAL-4 | |
| SOV-2 Legal & Jurisdictional Sovereignty | SEAL-4 | |
| SOV-3 Data & AI Sovereignty | SEAL-1 | |
| SOV-4 Operational Sovereignty | SEAL-3 | |
| SOV-5 Supply Chain Sovereignty | SEAL-2 | |
| SOV-6 Technology Sovereignty | SEAL-3 | |
| SOV-7 Security & Compliance Sovereignty | SEAL-1 | |
| SOV-8 Environmental Sustainability | SEAL-2 | |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-1.1 | EU/EEA legal entity control | 4. Entirely within the EU | 125/125 | SEAL-4 | high | Safespring AB is 100% Swedish, owned by employees and board; HQ in Solna, Sweden. Entirely within the EU. (src: https://www.safespring.com/blogg/2025/2025-11-the-eu-just-defined-sovereign-cloud-here-is-our-score/) |
| SOV-1.2 | Change of control risk | 5. Very unlikely | 125/125 | SEAL-4 | high | Employee/board ownership with no external or non-EU capital makes takeover/transfer to a non-EU sovereign entity very unlikely. |
| SOV-1.3 | Control over roadmap | 4. Full influence of EU actors | 125/125 | SEAL-4 | medium | Independent Swedish company controlling its own OpenStack-based roadmap; as an EU actor it has full influence over its product direction. |
| SOV-1.4 | Financial independence from non-EU capital | 5. Entirely EU-based funding | 125/125 | SEAL-4 | high | No non-European capital dependencies; entirely EU-based (Swedish employee) funding per self-assessment and ownership facts. |
| SOV-1.5 | EU economic contribution | 5. Fully in the EU | 125/125 | SEAL-4 | high | All operations, data centers, staff and revenue are in Sweden/Norway (EU/EEA); economic contribution fully in the EU. |
| SOV-1.6 | Participation in EU strategic programs | 3. Active participant in strategic projects | 63/125 | SEAL-4 | medium | Active participant in EU research/education cloud programs (OCRE 2024 via GEANT, EOSC) but not a named participant in IPCEI-CIS or Gaia-X. |
| SOV-1.7 | Alignment with EU industrial strategies | 2. Existing action plan | 42/125 | SEAL-4 | low | Open-source, sovereignty-focused positioning aligns with EU industrial strategy and the company published a CSF self-assessment, but no formal governance/measured-achievement program is evidenced. |
| SOV-1.8 | Resilience to cut-off | 5. Full autonomy and continuity | 125/125 | SEAL-4 | medium | own_stack: vertically integrated EU provider running its own OpenStack/Ceph on owned EU/EEA infra with documented continuity; foreign chips are residual hardware only -> SOV-1.8 opt5 (full autonomy and continuity). |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-2.1 | Primary legal jurisdiction | 3. Exclusively EU law | 167/167 | SEAL-4 | high | Only Swedish and EU law governs contracts, services and operations; no exposure to legal systems outside the EU/EEA. (src: https://www.safespring.com/blogg/2025/2025-11-the-eu-just-defined-sovereign-cloud-here-is-our-score/) |
| SOV-2.2 | Extraterritorial laws exposure | 5. Verified legal immunity, non-EU laws unenforceable | 167/167 | SEAL-4 | medium | immunity rule (a): pure-EU entity (Safespring AB), no non-EU parent/subsidiary/operational nexus a foreign authority could compel; non-EU court orders invalid -> SOV-2.2 opt5 (verified legal immunity). |
| SOV-2.3 | Data access pathways for non-EU authorities | 5. Requests always rejected by the provider | 167/167 | SEAL-4 | high | No foreign_parent: not subject to US CLOUD Act/FISA/PRC law; pure-EU entity commits to reject any non-EU compelled access -> SOV-2.3 opt5 (requests always rejected). (src: https://www.safespring.com/blogg/2025/2025-11-the-eu-just-defined-sovereign-cloud-here-is-our-score/) |
| SOV-2.4 | Export control restrictions | 5. Part of offer shielded from restrictions towards EU MSs/intl orgs | 167/167 | SEAL-4 | medium | Swedish provider with EU/EEA-only operations and no non-EU control point; offer is shielded from export-control restrictions toward EU MSs and international orgs. |
| SOV-2.5 | Origin of IP | 4. Mostly within the EU | 125/167 | SEAL-4 | medium | Core platform IP (their OpenStack/Ceph integration, automation, operational tooling) is developed in Sweden; relies on global open-source upstreams so not fully EU-origin. |
| SOV-2.6 | IP holder jurisdiction | 5. Fully under EU law | 167/167 | SEAL-4 | medium | Safespring's own IP and the company holding it are fully under Swedish/EU law. |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-3.1 | Customer control over encryption keys | 5. Customer exclusive control - provider cannot read data | 200/200 | SEAL-4 | high | Customers can use their own encryption with keys only they hold; Safespring states it does not see, log or use customer data, so it cannot read the data. (src: https://www.safespring.com/blogg/2025/2025-11-the-eu-just-defined-sovereign-cloud-here-is-our-score/) |
| SOV-3.2 | Transparent data flows & access logs | 4. Full customer-controlled visibility, not real-time | 150/200 | SEAL-3 | medium | Provides customer-controlled logging/visibility and audit access; not evidenced as real-time independent auditability across all flows. |
| SOV-3.3 | Secure deletion & proof of erasure | 3. Internal validation per policy, no proof | 100/200 | SEAL-1 | low | Standard cloud deletion per policy; no published independent proof-of-erasure mechanism found. |
| SOV-3.4 | Data location strictly in EU/EEA | 5. Exclusively EU, no third-country fallback | 200/200 | SEAL-4 | high | eu_exclusive: data stored and processed exclusively in Sweden/Norway (EU/EEA), contractually no third-country fallback -> SOV-3.4 opt5 (exclusively EU). (src: https://www.safespring.com/blogg/2025/2025-11-the-eu-just-defined-sovereign-cloud-here-is-our-score/) |
| SOV-3.5 | AI services sovereignty | 4. EU-led AI, foreign accelerators | 150/200 | SEAL-3 | low | EU-led AI on EU-controlled open-source infra with foreign accelerators (no EU-origin chips) -> SOV-3.5 opt4 (EU-led AI, foreign accelerators). |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-4.1 | Portability & interoperability | 5. Already deployed on sovereign infrastructure | 167/167 | SEAL-4 | high | Open OpenStack/Ceph/S3-compatible APIs and the platform can be deployed on-premise/at customer sites; effectively already sovereign infrastructure with strong portability. |
| SOV-4.2 | Ability to operate without foreign dependencies | 5. Entire stack managed by fully EU-based team | 167/167 | SEAL-4 | high | eu_ops: entire stack from hardware to Kubernetes operated by Safespring's own EU/EEA (Swedish/Norwegian) team -> SOV-4.2 opt5 (fully EU-based team). |
| SOV-4.3 | Skill availability in the EU | 4. All EU staff | 125/167 | SEAL-3 | medium | All staff are stated to be EU/EEA citizens working in Sweden/Norway; no evidence of formal security clearances for the full team. |
| SOV-4.4 | Support channels | 4. All support staff in EU | 125/167 | SEAL-3 | medium | Support delivered by the Nordic (Sweden/Norway) team; all support staff in EU/EEA, no evidence of clearances. |
| SOV-4.5 | Documentation & knowledge transfer | 4. EU-only primary repositories | 125/167 | SEAL-4 | medium | Documentation and knowledge held within the EU/EEA Nordic operation; no global/non-EU exposure indicated. |
| SOV-4.6 | Subcontractor & supplier jurisdiction | 4. Ability to source alternatives or internalise | 125/167 | SEAL-3 | medium | Open-source stack on commodity hardware lets Safespring source alternatives or internalise functions if a non-EU supplier is cut off; hardware vendors are foreign. |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-5.1 | Origin of components (physical parts) | 3. Transparent with exceptions | 72/143 | SEAL-3 | medium | Self-assessment discloses server hardware uses Chinese, Korean and American components; provenance transparent but with non-EU exceptions. |
| SOV-5.2 | Manufacturing location | 3. Mixed sourcing, EU audit rights | 72/143 | SEAL-3 | medium | Hardware is of foreign origin/design but deployed and operated by EU teams in EU/EEA data centers with audit rights; mixed sourcing. |
| SOV-5.3 | Embedded code/firmware provenance | 2. Partial disclosure | 36/143 | SEAL-4 | low | Server/firmware embedded code originates from foreign hardware vendors with only partial disclosure; not EU-certified provenance. |
| SOV-5.4 | Origin of software | 4. Large majority maintained by EU teams | 107/143 | SEAL-3 | medium | No foreign_core: core platform is open-source OpenStack/Ceph maintained/integrated by Safespring's EU team (not licensed Google/MS/AWS) -> large majority maintained by EU teams -> SOV-5.4 opt4 (seal 3). |
| SOV-5.5 | Software build/release jurisdiction | 4. EU control & execution | 107/143 | SEAL-3 | medium | Build/release and deployment of their platform is controlled and executed by the EU-based team. |
| SOV-5.6 | Single point of dependency | 3. Few non-EU in critical services / documented | 72/143 | SEAL-2 | medium | Few critical non-EU dependencies remain (server hardware vendors, chips) and are documented in their self-assessment. |
| SOV-5.7 | Supply chain transparency | 3. Critical suppliers auditable | 72/143 | SEAL-2 | low | Critical suppliers (hardware, data center operators) are identifiable/auditable, but full end-to-end supplier auditability is not evidenced. |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-6.1 | Interoperability & open interfaces | 5. Open-by-default with portability | 200/200 | SEAL-4 | high | Open-by-default OpenStack/Ceph with S3-compatible and standard APIs; portable and deployable at customer sites. |
| SOV-6.2 | Open standards compliance | 4. Policy for most core services | 150/200 | SEAL-3 | high | Built on open standards (OpenStack APIs, S3, Kubernetes) across core services as a deliberate policy. |
| SOV-6.3 | Open source availability | 5. Fully open-source, independent/EU governance | 200/200 | SEAL-4 | high | Services based exclusively on open-source software (OpenStack, Ceph) with independent/community governance; Safespring is an OpenInfra supporting member. |
| SOV-6.4 | Service architecture transparency | 4. Large corpus of public insight | 150/200 | SEAL-3 | medium | Open-source architecture is publicly documented and transparent; large corpus of public insight via OpenStack/Ceph and Safespring docs. |
| SOV-6.5 | HPC sovereignty | 2. EU-hosted, foreign stack | 50/200 | SEAL-3 | low | Any HPC/compute is EU-hosted on a foreign hardware/accelerator stack; no EU-designed processors. |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-7.1 | Security certification (EAL) | 2. EAL1 | 36/143 | SEAL-1 | medium | Certs held: FR2000 + ISO 27001 (forthcoming); no SecNumCloud/EUCS-High/C5/ENS-High/EAL product cert. Key: ISO 27001 only -> opt2 (EAL1, seal 1). This is the gating cap -> overall SEAL-1. (src: https://www.safespring.com/blogg/2025/2025-11-the-eu-just-defined-sovereign-cloud-here-is-our-score/) |
| SOV-7.2 | EU regulatory compliance (GDPR/NIS2/DORA) | 4. Partial compliance to most | 107/143 | SEAL-4 | medium | Compliant with GDPR and NIS2 with transparent audit access; FR2000 and ISO 27001 listed, but not all (e.g., DORA) independently audited as fully compliant. |
| SOV-7.3 | EU-based SOC & incident handling | 4. Entire lifecycle by EU teams, EU threat intel | 107/143 | SEAL-3 | medium | Security operations and incident handling run by the in-house EU/EEA Nordic team; no evidence of formal ENISA/CSIRT threat-intel sharing. |
| SOV-7.4 | Control over security monitoring/logging | 4. Full direct access, logs stored in EU | 107/143 | SEAL-3 | medium | Customers get direct access to monitoring/logs stored in Sweden/Norway (EU/EEA); not evidenced as immutable tamper-proof. |
| SOV-7.5 | Disclosure of incidents | 3. Moderate (GDPR/NIS2-aligned) | 72/143 | SEAL-2 | medium | Incident disclosure aligned with GDPR/NIS2 obligations; no evidence of full real-time CSIRT sharing with SLAs. |
| SOV-7.6 | Maintenance autonomy | 4. High autonomy (deploy independently, no checks) | 107/143 | SEAL-4 | medium | Operating its own open-source stack, Safespring can deploy patches/maintenance independently on its own schedule with high autonomy. |
| SOV-7.7 | Auditability | 5. Full independent audit by any entity | 143/143 | SEAL-4 | medium | audit_rights: customers can audit datacenters, operations and compliance; sovereign-offer terms imply full audit by the contracting authority and independent EU bodies -> SOV-7.7 opt5 (full independent audit). (src: https://www.safespring.com/blogg/2025/2025-11-the-eu-just-defined-sovereign-cloud-here-is-our-score/) |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-8.1 | Energy efficiency (PUE) | 5. PUE < 1.2, EU verified | 250/250 | SEAL-4 | high | Data center designed for >90% efficiency with PUE of 1.1, below the EU-verifiable 1.2 threshold. (src: https://www.safespring.com/blogg/2025/2025-11-the-eu-just-defined-sovereign-cloud-here-is-our-score/) |
| SOV-8.2 | Hardware reuse & recycling | 4. Circular economy, EU-aligned | 188/250 | SEAL-4 | medium | Responsible hardware recycling and reuse aligned with circular-economy practices per the environmental self-assessment. |
| SOV-8.3 | Environmental impact reporting | 3. Annual report | 125/250 | SEAL-2 | low | Environmental performance reported (PUE, renewables, heat reuse) but no evidence of EU-audited reporting; treated as annual reporting. |
| SOV-8.4 | Energy supplies | 5. Only green EU energy supplies | 250/250 | SEAL-4 | high | 100% renewable electricity: Oslo on hydropower, Stockholm Norr on green energy since 2012 with heat recovery to district heating; only green EU/EEA energy. (src: https://www.safespring.com/blogg/2025/2025-11-the-eu-just-defined-sovereign-cloud-here-is-our-score/) |