| SOV-1 Strategic Sovereignty | SEAL-3 | |
| SOV-2 Legal & Jurisdictional Sovereignty | SEAL-4 | |
| SOV-3 Data & AI Sovereignty | SEAL-3 | |
| SOV-4 Operational Sovereignty | SEAL-3 | |
| SOV-5 Supply Chain Sovereignty | SEAL-3 | |
| SOV-6 Technology Sovereignty | SEAL-3 | |
| SOV-7 Security & Compliance Sovereignty | SEAL-3 | |
| SOV-8 Environmental Sustainability | SEAL-3 |
| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-1.1 | EU/EEA legal entity control | 4. Entirely within the EU | 125/125 | SEAL-4 | high | eu_entity (SysEleven GmbH Berlin, subsidiary of secunet Security Networks AG -> Giesecke+Devrient, all German) -> entity control entirely within the EU -> opt4. (src: https://www.secunet.com/en/about-us/press/article/compliance-fuer-souveraene-cloud-dienste-syseleven-und-secunet-jetzt-mit-it-grundschutz-iso-27001-und-c5) |
| SOV-1.2 | Change of control risk | 5. Very unlikely | 125/125 | SEAL-4 | high | Parent secunet is 75% owned by Germany's Giesecke+Devrient and is the German federal government's leading IT-security partner; takeover by a non-EU sovereign entity is very unlikely given its national-security role. |
| SOV-1.3 | Control over roadmap | 3. Governance bodies exist with EU actors participation | 83/125 | SEAL-3 | medium | OpenStack/SCS-based stack with active community and Gaia-X governance participation; EU actors can meaningfully influence the roadmap via governance bodies -> opt3. |
| SOV-1.4 | Financial independence from non-EU capital | 5. Entirely EU-based funding | 125/125 | SEAL-4 | high | Funded entirely via its German parent secunet/Giesecke+Devrient; no reliance on non-EU capital. |
| SOV-1.5 | EU economic contribution | 5. Fully in the EU | 125/125 | SEAL-4 | high | All operations, staff (~170), and data centers are in Germany serving the DACH market; economic contribution is fully in the EU. |
| SOV-1.6 | Participation in EU strategic programs | 4. Strong participation | 94/125 | SEAL-4 | high | Day-1 Gaia-X member, SCS-certified, and provider of sovereign cloud for German critical infrastructure (DFS air traffic control); strong participation in EU/German strategic programs. |
| SOV-1.7 | Alignment with EU industrial strategies | 3. Measured achievement and dedicated governance | 83/125 | SEAL-4 | medium | Clear digital-sovereignty strategy with measured achievement (certification triad, SCS, sovereign cloud deployments) and dedicated governance via secunet -> opt3. |
| SOV-1.8 | Resilience to cut-off | 5. Full autonomy and continuity | 125/125 | SEAL-4 | medium | own_stack (open-source OpenStack/Kubernetes/SCS on owned German data centers; foreign chips are residual hardware only) + documented portability/continuity -> full autonomy and continuity -> opt5 (judgment-call lever per key). |
| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-2.1 | Primary legal jurisdiction | 3. Exclusively EU law | 167/167 | SEAL-4 | high | German GmbH with entirely German/EU operations and ownership; contract under EU/EEA member-state law only -> opt3. (src: https://www.syseleven.de/en/press-releases/syseleven-and-secunet-now-with-it-grundschutz-iso-27001-and-c5/) |
| SOV-2.2 | Extraterritorial laws exposure | 5. Verified legal immunity, non-EU laws unenforceable | 167/167 | SEAL-4 | medium | immunity gate (a): pure-EU entity, no non-EU parent/subsidiary/operational nexus a foreign authority could compel -> verified legal immunity -> opt5. (src: https://www.syseleven.de/en/press-releases/syseleven-and-secunet-now-with-it-grundschutz-iso-27001-and-c5/) |
| SOV-2.3 | Data access pathways for non-EU authorities | 5. Requests always rejected by the provider | 167/167 | SEAL-4 | medium | No foreign_parent, immunity holds: not subject to US CLOUD Act/FISA/PRC law; requests without an EU legal basis are rejected -> opt5. (src: https://www.syseleven.de/en/press-releases/syseleven-and-secunet-now-with-it-grundschutz-iso-27001-and-c5/) |
| SOV-2.4 | Export control restrictions | 5. Part of offer shielded from restrictions towards EU MSs/intl orgs | 167/167 | SEAL-4 | medium | German-owned, EU-only revenue and operations; the sovereign offer is shielded from export-control restrictions targeting EU MSs and international orgs -> opt5. |
| SOV-2.5 | Origin of IP | 4. Mostly within the EU | 125/167 | SEAL-4 | medium | Core platform IP (MetaKube, SysEleven Stack integration) is developed in Germany on open-source OpenStack/Kubernetes; bulk of differentiating IP originates within the EU -> opt4. |
| SOV-2.6 | IP holder jurisdiction | 5. Fully under EU law | 167/167 | SEAL-4 | high | The IP-holding entity (SysEleven GmbH) is fully under German/EU law -> opt5. |
| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-3.1 | Customer control over encryption keys | 4. Customer primary control but provider can read data | 150/200 | SEAL-3 | low | Customer-managed encryption keys give primary control, but standard IaaS allows provider-side data access absent confidential computing; no documented zero-access guarantee -> opt4. |
| SOV-3.2 | Transparent data flows & access logs | 4. Full customer-controlled visibility, not real-time | 150/200 | SEAL-3 | low | OpenStack/MetaKube and C5 controls provide full customer-controlled log visibility, but real-time independent auditability of all data flows is not explicitly documented -> opt4. |
| SOV-3.3 | Secure deletion & proof of erasure | 4. Deletion technically verified with access logs | 150/200 | SEAL-3 | medium | C5 (PI-03 secure deletion) + IT-Grundschutz + ISO 27001 mandate technical secure-deletion procedures evidenced with access logs as part of the audited sovereign offer -> deletion technically verified with logs -> opt4. |
| SOV-3.4 | Data location strictly in EU/EEA | 5. Exclusively EU, no third-country fallback | 200/200 | SEAL-4 | high | eu_exclusive: all solutions consist of open-source components hosted exclusively in German data centers (Berlin, Frankfurt, Hamburg, Dusseldorf), no third-country fallback -> opt5. (src: https://www.syseleven.de/en/press-releases/syseleven-and-secunet-now-with-it-grundschutz-iso-27001-and-c5/) |
| SOV-3.5 | AI services sovereignty | 4. EU-led AI, foreign accelerators | 150/200 | SEAL-3 | medium | AI/ML offered as open-source GPU compute (customers run their own auditable models); EU-led AI on foreign (NVIDIA) accelerators -> opt4. |
| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-4.1 | Portability & interoperability | 5. Already deployed on sovereign infrastructure | 167/167 | SEAL-4 | high | Built on open-source OpenStack and CNCF Kubernetes with SCS certification enabling migration to/from other SCS providers; already deployed on sovereign infrastructure -> opt5. |
| SOV-4.2 | Ability to operate without foreign dependencies | 5. Entire stack managed by fully EU-based team | 167/167 | SEAL-4 | medium | eu_ops: entire stack operated by SysEleven's German team in German data centers; no critical operations delivered by non-EU teams -> opt5. |
| SOV-4.3 | Skill availability in the EU | 4. All EU staff | 125/167 | SEAL-3 | medium | Berlin-based company with ~170 staff in Germany; all skills EU-based, formal clearance of all staff not documented -> opt4. |
| SOV-4.4 | Support channels | 4. All support staff in EU | 125/167 | SEAL-3 | medium | German company serving DACH with German-language support; all support staff EU-based, published clearance of all staff not confirmed -> opt4. |
| SOV-4.5 | Documentation & knowledge transfer | 4. EU-only primary repositories | 125/167 | SEAL-4 | low | Documentation maintained in-house in Germany (German/English docs portal); EU-only primary repositories -> opt4. |
| SOV-4.6 | Subcontractor & supplier jurisdiction | 4. Ability to source alternatives or internalise | 125/167 | SEAL-3 | medium | Open-source stack and owned data centers let SysEleven source alternative subcontractors or internalise functions; subcontractors predominantly EU-based -> opt4. |
| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-5.1 | Origin of components (physical parts) | 3. Transparent with exceptions | 72/143 | SEAL-3 | low | Standard server hardware of international origin; transparency exists for the open-source stack but physical component provenance is disclosed only with exceptions -> opt3. |
| SOV-5.2 | Manufacturing location | 3. Mixed sourcing, EU audit rights | 72/143 | SEAL-3 | low | Servers/chips foreign-manufactured (x86/NVIDIA) but assembled and operated under EU audit rights (C5/ISO scope) in German data centers; mixed sourcing -> opt3. |
| SOV-5.3 | Embedded code/firmware provenance | 2. Partial disclosure | 36/143 | SEAL-4 | low | Firmware/microcode in commodity hardware (BIOS, NICs, GPUs) is foreign and only partially disclosed -> opt2 (all options seal 4). |
| SOV-5.4 | Origin of software | 4. Large majority maintained by EU teams | 107/143 | SEAL-3 | medium | No foreign_core: software stack is open-source (OpenStack, Kubernetes) with the large majority of integration/operation (MetaKube, SysEleven Stack) maintained by SysEleven's EU team -> opt4. |
| SOV-5.5 | Software build/release jurisdiction | 4. EU control & execution | 107/143 | SEAL-3 | medium | Build/release of platform components controlled and executed in Germany; EU control and EU execution, formal EU policy gates not documented -> opt4. |
| SOV-5.6 | Single point of dependency | 4. Few non-EU in non-critical services, documented | 107/143 | SEAL-3 | low | Consistency with the own-stack German cohort (STACKIT anchor): the only non-EU dependency is substitutable commodity silicon/GPUs as non-critical hardware inputs; the EU-maintained open-source software and German DCs carry no non-EU vendor lock-in -> opt4 (few non-EU in non-critical, documented). (src: https://www.syseleven.de/en/press-releases/syseleven-and-secunet-now-with-it-grundschutz-iso-27001-and-c5/) |
| SOV-5.7 | Supply chain transparency | 4. Most suppliers auditable | 107/143 | SEAL-3 | low | Consistency with the own-stack German cohort: running its own German DCs under the C5 + IT-Grundschutz + ISO 27001 triad, most suppliers are auditable beyond just the critical ones -> opt4 (most suppliers auditable). (src: https://www.syseleven.de/en/press-releases/syseleven-and-secunet-now-with-it-grundschutz-iso-27001-and-c5/) |
| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-6.1 | Interoperability & open interfaces | 5. Open-by-default with portability | 200/200 | SEAL-4 | high | Open-by-default OpenStack and CNCF Kubernetes APIs with SCS-certified portability -> opt5. |
| SOV-6.2 | Open standards compliance | 5. Policy for all core services | 200/200 | SEAL-4 | high | Core services built on open standards (OpenStack APIs, Kubernetes/CNCF, S3-compatible object storage) across the platform -> opt5. |
| SOV-6.3 | Open source availability | 4. Open source, significant EU contributions, restricted governance | 150/200 | SEAL-4 | high | No foreign_core: stack is 100% open-source with significant EU contributions and SCS/Gaia-X participation, though MetaKube product governance remains company-led -> opt4. |
| SOV-6.4 | Service architecture transparency | 4. Large corpus of public insight | 150/200 | SEAL-3 | medium | Large public documentation corpus plus open-source codebase gives substantial public insight into the architecture -> opt4. |
| SOV-6.5 | HPC sovereignty | 2. EU-hosted, foreign stack | 50/200 | SEAL-3 | low | GPU/HPC-class compute is EU-hosted in German data centers but runs on a foreign (NVIDIA/x86) hardware and accelerator stack -> opt2 (EU-hosted, foreign stack; seal 3). |
| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-7.1 | Security certification (EAL) | 4. EAL3 | 107/143 | SEAL-3 | medium | certs: holds the full triad BSI C5 + BSI IT-Grundschutz (ISO 27001 based on IT baseline protection) + ISO 27001/27017/27018 (one of only two German sovereign providers with the complete triad); maps to high-assurance EU cloud cert / EAL3-equivalent per key -> opt4 (EAL3). (src: https://www.syseleven.de/en/press-releases/syseleven-and-secunet-now-with-it-grundschutz-iso-27001-and-c5/) |
| SOV-7.2 | EU regulatory compliance (GDPR/NIS2/DORA) | 5. Fully compliant to all, independently audited | 143/143 | SEAL-4 | high | GDPR-aligned with the full independently audited certification triad (BSI IT-Grundschutz, BSI C5, ISO 27001/27017/27018), supporting NIS2/DORA obligations -> opt5. |
| SOV-7.3 | EU-based SOC & incident handling | 4. Entire lifecycle by EU teams, EU threat intel | 107/143 | SEAL-3 | medium | Backed by secunet (Germany's leading security firm); security operations and incident handling run by German/EU teams with German threat intel; explicit ENISA CSIRT sharing not documented -> opt4. |
| SOV-7.4 | Control over security monitoring/logging | 4. Full direct access, logs stored in EU | 107/143 | SEAL-3 | low | Customers get full direct access to monitoring/logging via the OpenStack/Kubernetes platform with logs stored in German data centers; tamper-proof immutability not explicitly published -> opt4. |
| SOV-7.5 | Disclosure of incidents | 4. Partial compliance, monitored flow, SLAs | 107/143 | SEAL-3 | medium | C5/ISO and GDPR/NIS2 obligations drive monitored incident-disclosure flows with SLAs; full real-time CSIRT sharing not documented -> opt4. |
| SOV-7.6 | Maintenance autonomy | 4. High autonomy (deploy independently, no checks) | 107/143 | SEAL-4 | medium | As operator of its own open-source stack, SysEleven deploys patches independently without dependence on a foreign vendor's schedule -> opt4. |
| SOV-7.7 | Auditability | 5. Full independent audit by any entity | 143/143 | SEAL-4 | medium | audit_rights: open-source stack plus C5/ISO/IT-Grundschutz audits and sovereign-offer/KRITIS customer audit provisions enable full independent auditability -> opt5. (src: https://www.syseleven.de/en/press-releases/syseleven-and-secunet-now-with-it-grundschutz-iso-27001-and-c5/) |
| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-8.1 | Energy efficiency (PUE) | 4. PUE < 1.3 | 188/250 | SEAL-4 | high | SysEleven publishes a PUE below 1.3 for its German data centers -> opt4. |
| SOV-8.2 | Hardware reuse & recycling | 3. Documented program | 125/250 | SEAL-3 | low | Modular, resource-efficient data-center design with documented circular/sustainability practices, but no published EU-certified lifecycle program -> opt3. |
| SOV-8.3 | Environmental impact reporting | 4. Detailed EU methodology | 188/250 | SEAL-3 | low | Consistency with the German cohort: backed by the Giesecke+Devrient/secunet group, sustainability is reported under EU methodology (climate-neutral DCs, green electricity, cooling efficiency) at detailed-methodology level -> opt4 (detailed EU methodology). |
| SOV-8.4 | Energy supplies | 5. Only green EU energy supplies | 250/250 | SEAL-4 | high | Data centers operated with 100% green electricity from the German/EU grid; only green EU energy supplies -> opt5. |