| SOV-1 Strategic Sovereignty | SEAL-4 | |
| SOV-2 Legal & Jurisdictional Sovereignty | SEAL-4 | |
| SOV-3 Data & AI Sovereignty | SEAL-3 | |
| SOV-4 Operational Sovereignty | SEAL-3 | |
| SOV-5 Supply Chain Sovereignty | SEAL-3 | |
| SOV-6 Technology Sovereignty | SEAL-3 | |
| SOV-7 Security & Compliance Sovereignty | SEAL-3 | |
| SOV-8 Environmental Sustainability | SEAL-3 |
| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-1.1 | EU/EEA legal entity control | 4. Entirely within the EU | 125/125 | SEAL-4 | high | eu_entity (T-Systems wholly owned by Deutsche Telekom AG, German EU company, no non-EU parent) -> SOV-1.1 opt4. The rated T Cloud Public/Open Sovereign Cloud is operated entirely within the EU. (src: https://www.t-systems.com/de/en/sovereign-cloud/solutions/open-sovereign-cloud) |
| SOV-1.2 | Change of control risk | 5. Very unlikely | 125/125 | SEAL-4 | high | Deutsche Telekom is a large German strategic incumbent ~30% anchored by the German state (Federal Republic + KfW); a takeover transferring it to a non-EU sovereign entity is very unlikely. |
| SOV-1.3 | Control over roadmap | 4. Full influence of EU actors | 125/125 | SEAL-4 | medium | eu_entity controls the roadmap (Deutsche Telekom/T-Systems own R&D on OpenStack-based stack); EU actors have full influence -> SOV-1.3 opt4. |
| SOV-1.4 | Financial independence from non-EU capital | 5. Entirely EU-based funding | 125/125 | SEAL-4 | high | Funding is EU-based: Deutsche Telekom is self-financing, German-state-anchored and EU-listed, no reliance on non-EU capital. |
| SOV-1.5 | EU economic contribution | 5. Fully in the EU | 125/125 | SEAL-4 | high | T-Systems/Deutsche Telekom is a major EU employer with data centers, R&D and operations concentrated in Germany and the EU. |
| SOV-1.6 | Participation in EU strategic programs | 5. Strategic projects depend on contractor's involvement | 125/125 | SEAL-4 | high | Deutsche Telekom is a founding member of Gaia-X and a central actor in European cloud/AI sovereignty programs. |
| SOV-1.7 | Alignment with EU industrial strategies | 4. Bold ambition and dedicated means | 125/125 | SEAL-4 | high | Dedicated sovereign-cloud line, Chief Sovereignty Officer (2025), Gaia-X leadership and EU sovereign AI factory - bold ambition with dedicated means -> SOV-1.7 opt4. |
| SOV-1.8 | Resilience to cut-off | 5. Full autonomy and continuity | 125/125 | SEAL-4 | medium | own_stack (T Cloud Public runs EU-maintained OpenStack/Kubernetes on EU-operated infrastructure in DE/NL; foreign chips residual hardware only) + documented continuity -> SOV-1.8 opt5 'Full autonomy and continuity'. |
| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-2.1 | Primary legal jurisdiction | 3. Exclusively EU law | 167/167 | SEAL-4 | high | The scoped sovereign offer is operated by a German entity under German/EU law exclusively; contracts and data centers are EU-jurisdiction -> SOV-2.1 opt3. (src: https://www.t-systems.com/de/en/sovereign-cloud/solutions/open-sovereign-cloud) |
| SOV-2.2 | Extraterritorial laws exposure | 5. Verified legal immunity, non-EU laws unenforceable | 167/167 | SEAL-4 | medium | immunity flag (a): pure-EU German entity, no non-EU parent/subsidiary/operational nexus a foreign authority could compel; offer explicitly positioned as CLOUD Act immune (all data incl. metadata processed/stored exclusively in certified EU data centers, access under US legislation such as the CLOUD Act not possible) -> SOV-2.2 opt5 'Verified legal immunity'. (src: https://www.t-systems.com/de/en/sovereign-cloud/solutions/open-sovereign-cloud) |
| SOV-2.3 | Data access pathways for non-EU authorities | 5. Requests always rejected by the provider | 167/167 | SEAL-4 | high | No foreign_parent (German-HQ, no US nexus for the native cloud); immunity; provider states non-EU authority requests cannot be served and would be rejected -> SOV-2.3 opt5 'Requests always rejected'. (src: https://www.t-systems.com/de/en/sovereign-cloud/solutions/open-sovereign-cloud) |
| SOV-2.4 | Export control restrictions | 5. Part of offer shielded from restrictions towards EU MSs/intl orgs | 167/167 | SEAL-4 | medium | German EU company with EU-majority revenues and EU-operated infrastructure; offer shielded from export-control restrictions toward EU member states and international orgs -> SOV-2.4 opt5. |
| SOV-2.5 | Origin of IP | 4. Mostly within the EU | 125/167 | SEAL-4 | medium | Core platform IP combines T-Systems engineering with open-source projects (OpenStack, Kubernetes, Terraform); operated/integrated IP is mostly EU-based. |
| SOV-2.6 | IP holder jurisdiction | 4. EU law with exceptions | 125/167 | SEAL-4 | medium | IP holders are predominantly under EU law (Deutsche Telekom and EU-governed open-source foundations), with some internationally-governed upstream exceptions -> SOV-2.6 opt4 'EU law with exceptions'. |
| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-3.1 | Customer control over encryption keys | 5. Customer exclusive control - provider cannot read data | 200/200 | SEAL-4 | high | BYOK/HYOK with own KMS storing keys in HSMs and a zero-access/confidential-computing architecture; customer exclusive control, provider cannot read data -> SOV-3.1 opt5. |
| SOV-3.2 | Transparent data flows & access logs | 4. Full customer-controlled visibility, not real-time | 150/200 | SEAL-3 | medium | Full customer-controlled visibility into data flows and access logs via console/monitoring, though independent real-time third-party auditability is not clearly evidenced -> SOV-3.2 opt4. |
| SOV-3.3 | Secure deletion & proof of erasure | 4. Deletion technically verified with access logs | 150/200 | SEAL-3 | medium | Tenant-controlled deletion on OpenStack with access logs, under C5-audited secure-deletion controls; technically verifiable with logs (no independent cryptographic proof of erasure) -> SOV-3.3 opt4 'Deletion technically verified with access logs' (seal 3). |
| SOV-3.4 | Data location strictly in EU/EEA | 5. Exclusively EU, no third-country fallback | 200/200 | SEAL-4 | medium | eu_exclusive: the scoped EU offer stores and processes exclusively in DE/NL EU data centers strictly protected against third-country access (both regions certified) -> SOV-3.4 opt5 'Exclusively EU'. (src: https://www.open-telekom-cloud.com/en/products-services/core-services/certifications) |
| SOV-3.5 | AI services sovereignty | 4. EU-led AI, foreign accelerators | 150/200 | SEAL-3 | medium | AI is EU-led/operated (sovereign AI on OTC, open frameworks, EU-governed Industrial AI Cloud) but runs on foreign accelerators (NVIDIA GPUs) -> SOV-3.5 opt4 'EU-led AI, foreign accelerators'. |
| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-4.1 | Portability & interoperability | 4. Formal migration services available | 125/167 | SEAL-4 | high | Built on open standards (OpenStack, Kubernetes, Terraform/OpenTofu) with documented export and formal migration services -> SOV-4.1 opt4. |
| SOV-4.2 | Ability to operate without foreign dependencies | 5. Entire stack managed by fully EU-based team | 167/167 | SEAL-4 | medium | eu_ops: the native T Cloud Public stack is managed end-to-end by EU-based T-Systems teams -> SOV-4.2 opt5 'Entire stack managed by fully EU-based team'. |
| SOV-4.3 | Skill availability in the EU | 3. Majority EU, escalation abroad | 84/167 | SEAL-3 | medium | Large EU/German cloud workforce; majority-EU skills with possible escalation abroad in the wider group -> SOV-4.3 opt3 'Majority EU, escalation abroad'. |
| SOV-4.4 | Support channels | 3. Majority in EU, non-EU escalations | 84/167 | SEAL-3 | high | 24/7 support for the native cloud provided in Europe (German +49 phone, email, chat); non-EU escalation cannot be fully excluded -> SOV-4.4 opt3 'Majority in EU, non-EU escalations'. |
| SOV-4.5 | Documentation & knowledge transfer | 3. EU primary with non-EU fallback | 84/167 | SEAL-4 | low | Documentation is EU-primary for the sovereign offering with non-EU fallback from the global Deutsche Telekom group -> SOV-4.5 opt3 'EU primary with non-EU fallback' (seal 4). |
| SOV-4.6 | Subcontractor & supplier jurisdiction | 4. Ability to source alternatives or internalise | 125/167 | SEAL-3 | medium | Critical operations rest on EU-operated infrastructure and EU subcontractors; T-Systems can source alternatives or internalise, hardware/GPU suppliers non-EU -> SOV-4.6 opt4. |
| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-5.1 | Origin of components (physical parts) | 3. Transparent with exceptions | 72/143 | SEAL-3 | medium | Component sourcing (servers, NVIDIA GPUs) is foreign but documented and auditable within the C5/ISO supplier-management framework with EU audit rights -> SOV-5.1 opt3 'Transparent with exceptions' (seal 3). |
| SOV-5.2 | Manufacturing location | 3. Mixed sourcing, EU audit rights | 72/143 | SEAL-3 | medium | Server/GPU hardware manufactured abroad on foreign design but sourced under EU audit rights and documented supplier management (not a black box) -> SOV-5.2 opt3 'Mixed sourcing, EU audit rights' (seal 3). |
| SOV-5.3 | Embedded code/firmware provenance | 2. Partial disclosure | 36/143 | SEAL-4 | low | Firmware/embedded code in servers and accelerators supplied by foreign vendors with only partial disclosure -> SOV-5.3 opt2 (seal 4 by rubric). |
| SOV-5.4 | Origin of software | 4. Large majority maintained by EU teams | 107/143 | SEAL-3 | medium | No foreign_core: platform software is open-source (OpenStack, Kubernetes, Terraform) maintained/integrated by a large majority of EU teams at T-Systems -> SOV-5.4 opt4 'Large majority maintained by EU teams'. |
| SOV-5.5 | Software build/release jurisdiction | 4. EU control & execution | 107/143 | SEAL-3 | low | Software integration, build and release for the native cloud are controlled and executed by EU-based T-Systems teams -> SOV-5.5 opt4 'EU control & execution'. |
| SOV-5.6 | Single point of dependency | 4. Few non-EU in non-critical services, documented | 107/143 | SEAL-3 | medium | Consistency with the own-stack German cohort (STACKIT anchor): the core platform is EU-operated open source (OpenStack/Kubernetes) and the only non-EU dependency is substitutable commodity silicon/GPUs as non-critical hardware inputs, documented -> SOV-5.6 opt4 (few non-EU in non-critical, documented). |
| SOV-5.7 | Supply chain transparency | 4. Most suppliers auditable | 107/143 | SEAL-3 | low | Consistency with the own-stack German cohort: under T-Systems' ISO 27001/C5 supplier-management framework with EU audit rights, most suppliers are auditable beyond just the critical ones -> SOV-5.7 opt4 (most suppliers auditable). (src: https://www.open-telekom-cloud.com/en/products-services/core-services/certifications) |
| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-6.1 | Interoperability & open interfaces | 5. Open-by-default with portability | 200/200 | SEAL-4 | high | Open-by-default architecture on OpenStack, Kubernetes and interoperable APIs with explicit portability commitments -> SOV-6.1 opt5. |
| SOV-6.2 | Open standards compliance | 4. Policy for most core services | 150/200 | SEAL-3 | high | Open standards (OpenStack, Kubernetes, Terraform/OpenTofu, standard APIs) are policy across most core services -> SOV-6.2 opt4. |
| SOV-6.3 | Open source availability | 3. Open source, centralised governance | 100/200 | SEAL-3 | medium | Core platform built on open-source projects under centralised foundation governance; T-Systems' own service layer not fully open-sourced (no foreign_core) -> SOV-6.3 opt3 'Open source, centralised governance' (seal 3). |
| SOV-6.4 | Service architecture transparency | 3. Some public insight | 100/200 | SEAL-3 | medium | Substantial public insight into the architecture (open-source basis, docs, certifications); deep customer co-design limited -> SOV-6.4 opt3 'Some public insight'. |
| SOV-6.5 | HPC sovereignty | 2. EU-hosted, foreign stack | 50/200 | SEAL-3 | medium | HPC/AI is EU-hosted (DE/NL data centers, Industrial AI Cloud) but runs on a foreign stack of imported NVIDIA accelerators -> SOV-6.5 opt2 'EU-hosted, foreign stack' (seal 3). |
| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-7.1 | Security certification (EAL) | 4. EAL3 | 107/143 | SEAL-3 | medium | Certs held: BSI C5 Type 2 + ISO 27001/27017/27018 + SOC 1/2/3 + TISAX. Per the answer-key cert->EAL map, BSI C5 is a high-assurance EU/national cloud certification mapping to EAL3 (opt4 'EAL3', seal 3); applied identically to the German cohort (STACKIT anchor scored opt4 on BSI C5) -> SOV-7.1 opt4. (src: https://www.open-telekom-cloud.com/en/products-services/core-services/certifications) |
| SOV-7.2 | EU regulatory compliance (GDPR/NIS2/DORA) | 5. Fully compliant to all, independently audited | 143/143 | SEAL-4 | high | Fully compliant and independently audited against GDPR, with BSI C5:2020 Type 2, ISO 27001/27017/27018/27701, SOC 1/2/3, TISAX and DORA alignment -> SOV-7.2 opt5. |
| SOV-7.3 | EU-based SOC & incident handling | 4. Entire lifecycle by EU teams, EU threat intel | 107/143 | SEAL-3 | medium | EU-based SOC and incident handling with EU threat intelligence (Telekom Security); full lifecycle by EU teams -> SOV-7.3 opt4. |
| SOV-7.4 | Control over security monitoring/logging | 4. Full direct access, logs stored in EU | 107/143 | SEAL-3 | medium | Customers have full direct access to monitoring/logging via the console with logs stored in EU data centers; tamper-proof immutability not explicitly guaranteed -> SOV-7.4 opt4. |
| SOV-7.5 | Disclosure of incidents | 4. Partial compliance, monitored flow, SLAs | 107/143 | SEAL-3 | medium | Incident disclosure follows GDPR/NIS2-aligned processes with monitored flow and SLAs; full real-time CSIRT sharing not explicitly evidenced -> SOV-7.5 opt4. |
| SOV-7.6 | Maintenance autonomy | 3. Moderate autonomy (notice + testing, except zero-day) | 72/143 | SEAL-4 | low | Customers can deploy/test patches with maintenance windows and notice for the IaaS/PaaS layer (except emergency zero-day) -> SOV-7.6 opt3 (seal 4 by rubric). |
| SOV-7.7 | Auditability | 5. Full independent audit by any entity | 143/143 | SEAL-4 | medium | audit_rights: DPA grants the controller contractual full audit rights of processing activities plus C5/ISO independent certification audits -> SOV-7.7 opt5 'Full independent audit by any entity'. |
| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-8.1 | Energy efficiency (PUE) | 4. PUE < 1.3 | 188/250 | SEAL-4 | high | Published PUE ~1.25-1.32 (Amsterdam) and ~1.3 (Biere), i.e. around/below 1.3, with the Biere DC holding the EU Code of Conduct energy-efficiency award -> SOV-8.1 opt4 'PUE < 1.3'. (src: https://www.open-telekom-cloud.com/en/benefits/sustainability) |
| SOV-8.2 | Hardware reuse & recycling | 3. Documented program | 125/250 | SEAL-3 | low | Deutsche Telekom has documented circular-economy and hardware-recycling programs; no EU-certified lifecycle confirmed -> SOV-8.2 opt3 'Documented program' (seal 3). |
| SOV-8.3 | Environmental impact reporting | 4. Detailed EU methodology | 188/250 | SEAL-3 | medium | Deutsche Telekom publishes detailed sustainability reporting following EU methodologies as a listed company, climate-neutral-by-2040 targets -> SOV-8.3 opt4 'Detailed EU methodology'. |
| SOV-8.4 | Energy supplies | 5. Only green EU energy supplies | 250/250 | SEAL-4 | high | Since 2021 Deutsche Telekom sources 100% renewable electricity group-wide; the EU data centers (e.g. Biere) run entirely on green energy -> SOV-8.4 opt5. (src: https://www.open-telekom-cloud.com/en/benefits/sustainability) |