| SOV-1 Strategic Sovereignty | SEAL-0 | |
| SOV-2 Legal & Jurisdictional Sovereignty | SEAL-1 | |
| SOV-3 Data & AI Sovereignty | SEAL-0 | |
| SOV-4 Operational Sovereignty | SEAL-1 | |
| SOV-5 Supply Chain Sovereignty | SEAL-0 | |
| SOV-6 Technology Sovereignty | SEAL-2 | |
| SOV-7 Security & Compliance Sovereignty | SEAL-1 | |
| SOV-8 Environmental Sustainability | SEAL-2 |
| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-1.1 | EU/EEA legal entity control | 1. Entirely outside the EU | 0/125 | SEAL-1 | high | foreign_parent (CN): Tencent Cloud is the cloud arm of Tencent Holdings Ltd, HQ Shenzhen; entity control entirely outside the EU -> SOV-1.1 opt1. (src: https://en.wikipedia.org/wiki/Tencent_Cloud) |
| SOV-1.2 | Change of control risk | 5. Very unlikely | 125/125 | SEAL-4 | medium | Kept per instruction (all-SEAL-4 factor): already controlled from China, transfer to a different non-EU sovereign very unlikely -> opt5. |
| SOV-1.3 | Control over roadmap | 1. No influence possible | 0/125 | SEAL-2 | medium | Roadmap set entirely by Tencent in China; no governance body giving EU actors meaningful influence -> SOV-1.3 opt1 (no immunity/eu_entity). |
| SOV-1.4 | Financial independence from non-EU capital | 1. Almost entirely relying on non-EU funding | 0/125 | SEAL-4 | high | Kept (all-SEAL-4 factor): funding overwhelmingly non-EU (Chinese parent, HK-listed) -> opt1. |
| SOV-1.5 | EU economic contribution | 1. Minimal | 0/125 | SEAL-4 | medium | Kept (all-SEAL-4 factor): economic activity, R&D, employment, tax base overwhelmingly in China -> opt1. |
| SOV-1.6 | Participation in EU strategic programs | 1. No clear participation | 0/125 | SEAL-4 | high | Kept (all-SEAL-4 factor): no participation in Gaia-X / IPCEI-CIS or other EU strategic programs -> opt1. |
| SOV-1.7 | Alignment with EU industrial strategies | 1. No evidence exists | 0/125 | SEAL-4 | high | Kept (all-SEAL-4 factor): no evidence of alignment with EU industrial strategy; aligns with Chinese national policy -> opt1. |
| SOV-1.8 | Resilience to cut-off | 2. Service would stop, with delay for customer reaction | 31/125 | SEAL-0 | low | No own_stack: on geopolitical cut-off (sanctions/export controls) the service would stop with delay; no autonomy from Chinese parent -> SOV-1.8 opt2 (seal 0 gate). |
| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-2.1 | Primary legal jurisdiction | 2. Mixed EU/non-EU | 84/167 | SEAL-1 | high | EU contract runs through the Frankfurt region under EU law, but the controlling group is governed by PRC law -> mixed EU/non-EU -> normalised to cluster answer SOV-2.1 opt2 (was opt1), consistent with Alibaba/Huawei who likewise operate EU regions. (src: https://www.datacenterdynamics.com/en/news/tencent-cloud-launches-availability-zone-in-franfurt-germany/) |
| SOV-2.2 | Extraterritorial laws exposure | 1. Fully exposed to non-EU laws | 0/167 | SEAL-1 | high | No immunity: fully exposed to extraterritorial PRC laws (National Intelligence, Data Security, Cybersecurity) -> SOV-2.2 opt1. (src: https://www.tencentcloud.com/services/compliance) |
| SOV-2.3 | Data access pathways for non-EU authorities | 1. Can compel access without customer notification | 0/167 | SEAL-1 | high | foreign_parent (PRC National Intelligence Law): Chinese firms can be compelled to provide data covertly with no right to refuse -> SOV-2.3 opt1 (SEAL-1 cap). (src: https://www.tencentcloud.com/services/compliance) |
| SOV-2.4 | Export control restrictions | 2. Restrictions towards EU citizens or international orgs | 42/167 | SEAL-1 | medium | No eu_exclusive shield: Chinese export-control/data-export regimes plus Western sanctions affect EU citizens/orgs; revenues not majority-EU -> SOV-2.4 opt2. |
| SOV-2.5 | Origin of IP | 1. Entirely outside the EU | 0/167 | SEAL-4 | high | Kept (all-SEAL-4 factor): core IP (platform, Hunyuan models, infra designs) originates entirely outside the EU -> opt1. |
| SOV-2.6 | IP holder jurisdiction | 1. Non-EU law, single country | 0/167 | SEAL-3 | high | IP held by Tencent under non-EU (Chinese) law in a single country -> SOV-2.6 opt1. |
| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-3.1 | Customer control over encryption keys | 3. Shared - provider has override keys | 100/200 | SEAL-2 | medium | KMS/customer-managed keys exist but provider retains override and can technically read; no provider-cannot-read guarantee against PRC compulsion -> SOV-3.1 opt3 (shared). |
| SOV-3.2 | Transparent data flows & access logs | 3. Logs exist but not real-time / vendor-controlled | 100/200 | SEAL-2 | medium | CloudAudit/activity logs exist but vendor-controlled, not real-time independent auditability -> SOV-3.2 opt3. |
| SOV-3.3 | Secure deletion & proof of erasure | 3. Internal validation per policy, no proof | 100/200 | SEAL-1 | low | Deletion per internal policy/certs (ISO 27018) with confirmation; no independently verified proof of irreversible erasure -> SOV-3.3 opt3. |
| SOV-3.4 | Data location strictly in EU/EEA | 2. Partly EU, significant third-country reliance | 50/200 | SEAL-0 | medium | No eu_exclusive offer: global control plane, support and parent in China; Frankfurt region is partly-EU with significant third-country reliance -> SOV-3.4 opt2 (seal 0 gate). (src: https://www.datacenterdynamics.com/en/news/tencent-cloud-launches-availability-zone-in-franfurt-germany/) |
| SOV-3.5 | AI services sovereignty | 3. Mixed: auditable/open-source AI, foreign chips | 100/200 | SEAL-2 | medium | Hunyuan partly open/auditable but runs on foreign (Nvidia) accelerators and model origin is non-EU -> SOV-3.5 opt3 (mixed). |
| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-4.1 | Portability & interoperability | 3. Standard documented data export methods | 84/167 | SEAL-4 | medium | Standard documented data-export methods/APIs exist; not deployed on EU sovereign infrastructure -> SOV-4.1 opt3. |
| SOV-4.2 | Ability to operate without foreign dependencies | 1. Critical ops delivered by non-EU teams | 0/167 | SEAL-1 | high | No eu_ops: critical operations, platform engineering and control plane delivered by non-EU (Chinese) teams -> SOV-4.2 opt1. |
| SOV-4.3 | Skill availability in the EU | 2. Mixed, majority outside EU | 42/167 | SEAL-1 | medium | No eu_ops: engineering/skills concentrated in China with thin EU commercial team; majority of relevant staff outside EU -> SOV-4.3 opt2. |
| SOV-4.4 | Support channels | 2. Mixed, majority outside EU | 42/167 | SEAL-2 | medium | Support global with escalation to China; majority of support engineering outside EU -> SOV-4.4 opt2. |
| SOV-4.5 | Documentation & knowledge transfer | 2. EU optional, not enforced | 42/167 | SEAL-2 | low | Documentation global/English, no enforced EU-only knowledge repositories; EU residency optional -> SOV-4.5 opt2. |
| SOV-4.6 | Subcontractor & supplier jurisdiction | 2. Service would stop with delay | 42/167 | SEAL-2 | low | No own_stack: Frankfurt facilities leased from third parties and core deps non-EU; on supplier withdrawal service stops with delay -> SOV-4.6 opt2. |
| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-5.1 | Origin of components (physical parts) | 2. Partial disclosure | 36/143 | SEAL-1 | low | Limited public disclosure of physical component provenance for EU-served infra; partial disclosure -> SOV-5.1 opt2. |
| SOV-5.2 | Manufacturing location | 2. Foreign origin, partial disclosure | 36/143 | SEAL-1 | medium | Hardware (self-developed servers plus Nvidia GPUs) foreign-origin with partial disclosure; not built/audited by EU teams -> SOV-5.2 opt2. |
| SOV-5.3 | Embedded code/firmware provenance | 2. Partial disclosure | 36/143 | SEAL-4 | low | Kept (all-SEAL-4 factor): embedded firmware provenance largely undisclosed; partial disclosure -> opt2. |
| SOV-5.4 | Origin of software | 1. Fully foreign origin, black box | 0/143 | SEAL-0 | high | Core platform software (Tencent Cloud control plane, managed services) is fully foreign-origin (Chinese), China-maintained and a black box to EU customers; open-sourcing some peripheral Hunyuan models/tools does not disclose the core -> normalised to cluster answer SOV-5.4 opt1 (seal 0 gate; was opt2), consistent with Alibaba/Huawei/Baidu black-box cores. |
| SOV-5.5 | Software build/release jurisdiction | 1. Non-EU control & execution | 0/143 | SEAL-1 | medium | Software build/release controlled and executed in China (non-EU control and execution) -> SOV-5.5 opt1. |
| SOV-5.6 | Single point of dependency | 2. Mostly non-EU, undocumented | 36/143 | SEAL-1 | medium | Critical services depend on non-EU vendors/facilities (Chinese parent, Nvidia, leased non-EU-controlled colo), little EU-facing documentation -> SOV-5.6 opt2. |
| SOV-5.7 | Supply chain transparency | 2. Some suppliers auditable | 36/143 | SEAL-1 | low | Some suppliers auditable via cert regimes, but supply chain not comprehensively auditable by EU customers -> SOV-5.7 opt2. |
| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-6.1 | Interoperability & open interfaces | 3. Mixed (partial openness) | 100/200 | SEAL-2 | medium | Mix of proprietary APIs and some standards-based interfaces (e.g. S3-compatible storage); partial openness -> SOV-6.1 opt3. |
| SOV-6.2 | Open standards compliance | 3. Partial core adoption | 100/200 | SEAL-2 | medium | Partial adoption of open standards across core services, not a comprehensive policy -> SOV-6.2 opt3. |
| SOV-6.3 | Open source availability | 2. Source available for review, strict rights | 50/200 | SEAL-2 | medium | foreign_core: the IaaS/PaaS core platform is closed-source and vendor-controlled (some Hunyuan models open, but core governance centralised under Tencent in China) -> normalised to cluster answer SOV-6.3 opt2 (seal 2; was opt3), consistent with Alibaba/Huawei/Baidu foreign_core. |
| SOV-6.4 | Service architecture transparency | 2. Insight accessible during audits | 50/200 | SEAL-2 | low | Architecture insight mainly under audit/NDA via cert evidence; limited public deep insight -> SOV-6.4 opt2. |
| SOV-6.5 | HPC sovereignty | 2. EU-hosted, foreign stack | 50/200 | SEAL-3 | low | HPC/AI compute can be EU-hosted in the Frankfurt region but runs a foreign (Nvidia-based) stack with no EU processor IP -> EU-hosted, foreign stack -> normalised to cluster answer SOV-6.5 opt2 (seal 3; was opt1), consistent with Alibaba/Huawei who also EU-host foreign-stack accelerated compute. |
| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-7.1 | Security certification (EAL) | 3. EAL2 | 72/143 | SEAL-2 | medium | No BSI C5 / SecNumCloud / EUCS confirmed, but holds ISO 27001 + SOC 1/2/3 + CSA STAR; per gating_key ISO 27001 + SOC 2 maps to EAL2 -> SOV-7.1 opt3 (seal 2; was opt1). Lower than Alibaba/Huawei because no C5 confirmed (genuine cert difference). (src: https://www.tencentcloud.com/services/compliance) |
| SOV-7.2 | EU regulatory compliance (GDPR/NIS2/DORA) | 3. Moderate compliance | 72/143 | SEAL-4 | medium | Kept (all-SEAL-4 factor): broad certs (ISO 27001/27017/27018/27701, SOC, CSA STAR, PCI DSS) and GDPR features, but no full audited NIS2/DORA -> opt3 (moderate). |
| SOV-7.3 | EU-based SOC & incident handling | 2. Hybrid EU/non-EU | 36/143 | SEAL-1 | low | Security operations/IR hybrid with primary capability and escalation in China; not EU-only SOC lifecycle -> SOV-7.3 opt2. |
| SOV-7.4 | Control over security monitoring/logging | 3. Basic monitoring portal | 72/143 | SEAL-1 | low | Customers get monitoring/logging portal (Cloud Monitor, CloudAudit) but not full direct control with guaranteed immutable EU log storage -> SOV-7.4 opt3. |
| SOV-7.5 | Disclosure of incidents | 3. Moderate (GDPR/NIS2-aligned) | 72/143 | SEAL-2 | low | Incident disclosure broadly GDPR/contract-aligned for the EU region; moderate, not real-time CSIRT sharing -> SOV-7.5 opt3. |
| SOV-7.6 | Maintenance autonomy | 2. Limited autonomy (vendor schedules) | 36/143 | SEAL-1 | low | Maintenance follows vendor schedules; limited customer autonomy over managed-platform patching -> SOV-7.6 opt2. |
| SOV-7.7 | Auditability | 2. Limited independent access | 36/143 | SEAL-1 | low | No audit_rights: independent audit access limited to certification audits; customers/third parties cannot freely audit -> SOV-7.7 opt2. |
| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-8.1 | Energy efficiency (PUE) | 3. PUE < 1.5 + roadmap | 125/250 | SEAL-4 | low | Tencent's data centres reach PUE ~1.2-1.25 (Gen4) with a carbon-neutral-2030 roadmap; EU services run in efficient Frankfurt colo, no EU-verified figure -> PUE<1.5 + roadmap -> SOV-8.1 opt3 (seal 4; was opt2), consistent with Huawei's evidence-based treatment. (src: https://www.tencentcloud.com/global-infrastructure/sustainability) |
| SOV-8.2 | Hardware reuse & recycling | 3. Documented program | 125/250 | SEAL-3 | low | ESG reporting describes hardware lifecycle/circular practices; documented program exists but not EU-certified -> SOV-8.2 opt3. (src: https://static.www.tencent.com/uploads/2025/04/08/00ef711d9596ce09344c0260b14cda7e.pdf) |
| SOV-8.3 | Environmental impact reporting | 3. Annual report | 125/250 | SEAL-2 | medium | Publishes annual ESG/sustainability report with environmental metrics; not EU-methodology specific or EU-audited -> SOV-8.3 opt3. (src: https://static.www.tencent.com/uploads/2025/04/08/00ef711d9596ce09344c0260b14cda7e.pdf) |
| SOV-8.4 | Energy supplies | 3. Mix of EU and non-EU supplies | 125/250 | SEAL-4 | low | Kept (all-SEAL-4 factor): Frankfurt draws on German/EU grid mix while broader footprint mixes EU and non-EU supplies -> opt3. (src: https://www.tencent.com/en-us/esg/environment/policy.html) |