| SOV-1 Strategic Sovereignty | SEAL-3 | |
| SOV-2 Legal & Jurisdictional Sovereignty | SEAL-4 | |
| SOV-3 Data & AI Sovereignty | SEAL-3 | |
| SOV-4 Operational Sovereignty | SEAL-3 | |
| SOV-5 Supply Chain Sovereignty | SEAL-3 | |
| SOV-6 Technology Sovereignty | SEAL-3 | |
| SOV-7 Security & Compliance Sovereignty | SEAL-3 | |
| SOV-8 Environmental Sustainability | SEAL-3 | |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-1.1 | EU/EEA legal entity control | 4. Entirely within the EU | 125/125 | SEAL-4 | high | eu_entity (French SAS, Paris HQ, 96% owned by French Iliad Group / Xavier Niel, no non-EU parent) -> entity control entirely within the EU, opt4 (src: https://www.scaleway.com/en/security-and-resilience/). |
| SOV-1.2 | Change of control risk | 5. Very unlikely | 125/125 | SEAL-4 | medium | Controlled by Iliad/Xavier Niel, a French founder-led group committed to European digital sovereignty; non-EU takeover very unlikely (kept per instruction). |
| SOV-1.3 | Control over roadmap | 3. Governance bodies exist with EU actors participation | 83/125 | SEAL-3 | medium | EU-controlled provider with public feature-request channels and EU customer/public-sector governance; EU actors participate but lack full formal control -> opt3. |
| SOV-1.4 | Financial independence from non-EU capital | 5. Entirely EU-based funding | 125/125 | SEAL-4 | medium | Funded through the French Iliad Group's own capital; financing essentially EU-based with no material non-EU reliance (kept per instruction). |
| SOV-1.5 | EU economic contribution | 5. Fully in the EU | 125/125 | SEAL-4 | high | R&D, data centres, employment and revenue concentrated in France/EU within the Iliad Group; economic contribution overwhelmingly EU-based (kept per instruction). |
| SOV-1.6 | Participation in EU strategic programs | 4. Strong participation | 94/125 | SEAL-4 | medium | Active player in EU/French sovereignty initiatives; won the France Health Data Hub migration from Microsoft Azure; strong participation (kept per instruction). |
| SOV-1.7 | Alignment with EU industrial strategies | 3. Measured achievement and dedicated governance | 83/125 | SEAL-4 | medium | Demonstrable alignment with EU industrial/sovereignty strategy via SecNumCloud pursuit, public-sector wins and dedicated sovereign-cloud governance (kept per instruction). |
| SOV-1.8 | Resilience to cut-off | 5. Full autonomy and continuity | 125/125 | SEAL-4 | medium | own_stack (vertically integrated EU provider running its own EU data centres + internally developed software stack on open source) with a documented continuity/exit plan; residual foreign chips treated as hardware only -> Full autonomy and continuity, opt5 (judgment call 1). |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-2.1 | Primary legal jurisdiction | 3. Exclusively EU law | 167/167 | SEAL-4 | high | French company operating EU-only data centres under French/EU law; service governed exclusively by EU law -> opt3 (src: https://www.scaleway.com/en/security-and-resilience/). |
| SOV-2.2 | Extraterritorial laws exposure | 5. Verified legal immunity, non-EU laws unenforceable | 167/167 | SEAL-4 | low | immunity flag (a): pure-FR entity with no non-EU parent, subsidiary or operational nexus a foreign authority could compel; whole Scaleway Cloud offer in active SecNumCloud 3.2 qualification -> non-EU laws unenforceable, 'Verified legal immunity', opt5 (low confidence: SecNumCloud not yet awarded) (src: https://www.scaleway.com/en/news/scaleway-begins-the-secnumcloud-qualification-process/). |
| SOV-2.3 | Data access pathways for non-EU authorities | 5. Requests always rejected by the provider | 167/167 | SEAL-4 | medium | No foreign_parent: not subject to US CLOUD Act/FISA or PRC law; pure-FR entity (immunity flag a) commits to reject non-EU compelled-access requests, responding only to EU/French legal process -> opt5 (src: https://www.scaleway.com/en/security-and-resilience/). |
| SOV-2.4 | Export control restrictions | 5. Part of offer shielded from restrictions towards EU MSs/intl orgs | 167/167 | SEAL-4 | low | EU-based provider; offer not subject to non-EU export-control regimes affecting EU member states or international organisations -> opt5. |
| SOV-2.5 | Origin of IP | 4. Mostly within the EU | 125/167 | SEAL-4 | medium | Core cloud platform and IP developed in-house by EU teams, integrating open-source; IP origin mostly within the EU -> opt4 (kept per instruction). |
| SOV-2.6 | IP holder jurisdiction | 5. Fully under EU law | 167/167 | SEAL-4 | medium | IP held by the French Scaleway/Iliad entities fully under EU/French law -> opt5. |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-3.1 | Customer control over encryption keys | 4. Customer primary control but provider can read data | 150/200 | SEAL-3 | medium | Customer-managed encryption and Key Manager give customer primary key control (BYOK), but managed services can still let the provider technically read data -> opt4 (seal 3). |
| SOV-3.2 | Transparent data flows & access logs | 4. Full customer-controlled visibility, not real-time | 150/200 | SEAL-3 | low | Provides audit/activity/access logs giving full customer-controlled visibility; independent real-time external auditability not clearly established -> opt4 (seal 3). |
| SOV-3.3 | Secure deletion & proof of erasure | 4. Deletion technically verified with access logs | 150/200 | SEAL-3 | low | Deletion technically verified with access/audit logs under the sovereign offer's SecNumCloud-grade data-lifecycle controls; no fully independent cryptographic proof-of-erasure -> opt4 (seal 3) per key 'technically verified w/ logs'. |
| SOV-3.4 | Data location strictly in EU/EEA | 5. Exclusively EU, no third-country fallback | 200/200 | SEAL-4 | high | eu_exclusive: all data centres in the EU (France, Netherlands, Poland, Italy); data stored and processed exclusively in EU with no third-country fallback -> opt5 (src: https://www.scaleway.com/en/security-and-resilience/). |
| SOV-3.5 | AI services sovereignty | 4. EU-led AI, foreign accelerators | 150/200 | SEAL-3 | medium | AI/inference EU-operated, hosting open and EU-trained models (e.g. Mixtral trained on its own clusters) under EU jurisdiction, on foreign NVIDIA accelerators -> EU-led AI on foreign accelerators, opt4 (seal 3). |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-4.1 | Portability & interoperability | 4. Formal migration services available | 125/167 | SEAL-4 | medium | Standards-based APIs, Terraform/OpenTofu provider, Kubernetes (Kapsule) and documented export methods; formal migration support available -> opt4. |
| SOV-4.2 | Ability to operate without foreign dependencies | 5. Entire stack managed by fully EU-based team | 167/167 | SEAL-4 | medium | eu_ops: entire in-house stack operated by EU-based (primarily French) teams, no critical non-EU operating teams -> opt5. |
| SOV-4.3 | Skill availability in the EU | 4. All EU staff | 125/167 | SEAL-3 | medium | Engineering and operations staff EU-based (France); strong EU skill availability, but 100% staff security clearances not documented -> opt4 (seal 3). |
| SOV-4.4 | Support channels | 4. All support staff in EU | 125/167 | SEAL-3 | medium | Support delivered by EU-based teams in France; clearances for all support staff not specifically documented -> opt4 (seal 3). |
| SOV-4.5 | Documentation & knowledge transfer | 4. EU-only primary repositories | 125/167 | SEAL-4 | low | Documentation and knowledge bases maintained primarily within the EU by EU teams; no mandated non-EU repositories -> EU-only primary repositories, opt4. |
| SOV-4.6 | Subcontractor & supplier jurisdiction | 4. Ability to source alternatives or internalise | 125/167 | SEAL-3 | medium | Key non-EU dependency is hardware/chips (NVIDIA, x86); can source alternatives or internalise, EU-controlled subcontractors dominate -> opt4 (seal 3). |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-5.1 | Origin of components (physical parts) | 3. Transparent with exceptions | 72/143 | SEAL-3 | low | Reasonable transparency on infrastructure/components, but underlying servers/chips are foreign-sourced with disclosure exceptions -> transparent with exceptions, opt3 (seal 3). |
| SOV-5.2 | Manufacturing location | 4. Built by EU teams on foreign design | 107/143 | SEAL-3 | low | Data centres designed, built and operated by EU teams (notably its own DC5) while underlying hardware design originates abroad -> built by EU teams on foreign design, opt4 (seal 3). |
| SOV-5.3 | Embedded code/firmware provenance | 2. Partial disclosure | 36/143 | SEAL-4 | low | Firmware/embedded code in servers, GPUs and network gear comes from foreign vendors (NVIDIA, Intel/AMD); only partial provenance disclosure realistic -> opt2 (seal 4) (kept per instruction). |
| SOV-5.4 | Origin of software | 4. Large majority maintained by EU teams | 107/143 | SEAL-3 | medium | No foreign_core: control plane and platform software designed and maintained by EU teams using open-source; large majority EU-maintained -> opt4 (seal 3). |
| SOV-5.5 | Software build/release jurisdiction | 4. EU control & execution | 107/143 | SEAL-3 | medium | Software controlled and built by EU-based engineering teams in France; EU control and execution, formal policy gates not documented -> opt4 (seal 3). |
| SOV-5.6 | Single point of dependency | 4. Few non-EU in non-critical services, documented | 107/143 | SEAL-3 | low | Only non-EU dependency is residual hardware (NVIDIA GPUs, x86 CPUs), documented; treated as non-critical-service dependency for a vertically integrated EU provider that runs its own DCs/software and can source alternatives (per key judgment-call-1 'foreign chips as residual hardware only') -> few non-EU in non-critical services, opt4 (seal 3). |
| SOV-5.7 | Supply chain transparency | 4. Most suppliers auditable | 107/143 | SEAL-3 | low | Whole-offer SecNumCloud 3.2 qualification + ISO 27001 supplier-management extend audit obligations to most suppliers, not just the critical few -> most suppliers auditable, opt4 (seal 3). |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-6.1 | Interoperability & open interfaces | 4. Standards-based and broadly compatible | 150/200 | SEAL-3 | medium | Standards-based, broadly compatible interfaces (S3-compatible storage, Kubernetes, Terraform provider, open APIs) -> opt4 (seal 3). |
| SOV-6.2 | Open standards compliance | 4. Policy for most core services | 150/200 | SEAL-3 | medium | Adopts open standards (S3 API, Kubernetes, OCI containers, Terraform/OpenTofu) as policy across most core services -> opt4 (seal 3). |
| SOV-6.3 | Open source availability | 3. Open source, centralised governance | 100/200 | SEAL-3 | medium | No foreign_core: 128+ open-source repositories (SDKs, Terraform provider, tooling) with EU-centralised governance; core platform itself not fully open-sourced -> open source, centralised governance, opt3 (seal 3). |
| SOV-6.4 | Service architecture transparency | 3. Some public insight | 100/200 | SEAL-3 | low | Public documentation, architecture references and a trust center giving meaningful public insight, short of customer co-adaptation -> some public insight, opt3 (seal 3). |
| SOV-6.5 | HPC sovereignty | 2. EU-hosted, foreign stack | 50/200 | SEAL-3 | medium | HPC/AI clusters (Jeroboam/Nabuchodonosor, France) EU-hosted but built on foreign NVIDIA DGX H100 stack -> EU-hosted, foreign stack, opt2 (seal 3). |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-7.1 | Security certification (EAL) | 4. EAL3 | 107/143 | SEAL-3 | low | Holds ISO 27001:2022 + HDS and is in active SecNumCloud 3.2 qualification (J0 passed Jan 2025) for the whole Scaleway Cloud offer; per key cert->EAL mapping SecNumCloud-grade ~ EAL3 -> opt4 (seal 3). Confidence low: SecNumCloud not yet awarded (src: https://www.scaleway.com/en/security-and-resilience/). |
| SOV-7.2 | EU regulatory compliance (GDPR/NIS2/DORA) | 4. Partial compliance to most | 107/143 | SEAL-4 | high | Strong GDPR alignment, ISO 27001:2022, HDS, SecNumCloud in progress; partial-to-strong compliance across GDPR/NIS2/DORA, not yet fully independently audited against all three (kept per instruction). |
| SOV-7.3 | EU-based SOC & incident handling | 4. Entire lifecycle by EU teams, EU threat intel | 107/143 | SEAL-3 | low | Security operations and incident response handled by EU-based teams in France with EU threat intel -> entire lifecycle by EU teams, opt4 (seal 3); full ENISA/CSIRT sharing not documented. |
| SOV-7.4 | Control over security monitoring/logging | 4. Full direct access, logs stored in EU | 107/143 | SEAL-3 | low | Customers get full direct access to logs/monitoring (audit logs, Cockpit) stored within the EU; immutable tamper-proof guarantees not clearly published -> opt4 (seal 3). |
| SOV-7.5 | Disclosure of incidents | 4. Partial compliance, monitored flow, SLAs | 107/143 | SEAL-3 | low | Incident disclosure aligns with GDPR/NIS2 with monitored notification flows and SLAs -> partial compliance, monitored flow, SLAs, opt4 (seal 3). |
| SOV-7.6 | Maintenance autonomy | 4. High autonomy (deploy independently, no checks) | 107/143 | SEAL-4 | low | Operator of its own EU stack with high maintenance autonomy; can deploy patches independently on its own schedule -> opt4. |
| SOV-7.7 | Auditability | 5. Full independent audit by any entity | 143/143 | SEAL-4 | low | audit_rights: sovereign offer + SecNumCloud-grade qualification imply full audit rights for the contracting authority and independent EU bodies -> opt5 (tender-grade commitment, low confidence per key note 4). |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-8.1 | Energy efficiency (PUE) | 4. PUE < 1.3 | 188/250 | SEAL-4 | high | Average fleet PUE 1.38 (2024), flagship DC5 at 1.25, documented efficiency roadmap; best sites well below 1.3 -> opt4 (src: https://www.scaleway.com/en/security-and-resilience/). |
| SOV-8.2 | Hardware reuse & recycling | 3. Documented program | 125/250 | SEAL-3 | low | Documented hardware lifecycle and circular practices, but no EU-certified circular-economy lifecycle certification -> documented program, opt3 (seal 3). |
| SOV-8.3 | Environmental impact reporting | 4. Detailed EU methodology | 188/250 | SEAL-3 | medium | Detailed environmental footprint reporting and a public footprint calculator with defined methodology; not yet fully EU third-party audited -> detailed EU methodology, opt4 (seal 3). |
| SOV-8.4 | Energy supplies | 5. Only green EU energy supplies | 250/250 | SEAL-4 | high | Powered by 100% renewable energy since 2017, mainly EU hydropower; only green EU energy supplies -> opt5 (kept per instruction) (src: https://www.scaleway.com/en/security-and-resilience/). |