Europe's efforts to reduce reliance on US hyperscalers is under fire from many of the local cloud providers it is designed to help.
CISPE (Cloud Infrastructure Service Providers in Europe), a trade association of 38 of the region's cloud providers has issued a withering criticism of the official EU Cloud Sovereignty Framework, saying it is drafted so vaguely it will likely favor incumbents over local operators.
Officials that represent the trading bloc need a clear definition of just what a sovereign cloud is, however, the framework [PDF] from the European Commission muddies the waters by inventing an opaque "sovereignty score" that dilutes meaningful standards.
The result? European cloud providers will likely score lower than foreign hyperscalers — an outcome CISPE suggests may be intentional to help public sector bodies avoid switching from their existing contracts with AWS, Microsoft Azure, and Google Cloud.
"CISPE's concern is that the Framework's criteria are so broad and weighted that they could allow a provider to tick enough boxes to get a high score without really delivering on the spirit of European sovereignty," a spokesperson told The Register.
"More fundamentally, we believe that you are either sovereign or you are not. Customers need a clear indicator. That's not to say that additional technological, legal or other safeguards can't deliver levels of control that are suitable for the cloud use-cases customers need, especially those who participate in global supply chains."
CISPE claims it is trying to create tools that are "transparent, workable, and useful in the real world."
We asked the European Commission for a response to these claims.
AWS, Microsoft and Google account for around 70 percent of cloud services revenues that are generated in Europe.
Sovereignty for cloud services has risen high up the agenda across the continent this year thanks to the volatile trading and political relationship with the Trump administration, and the realization of just how dependent businesses and governments in Europe are on AWS and Microsoft Azure.
In response, the cloud giants have added extra levels of control. Microsoft announced a five-point plan to reassure EU customers, while Google updated its sovereign cloud services in Europe, and AWS is forming a new EU-based cloud business unit that becomes operational by the end of 2025.
Despite this, a Microsoft executive admitted under oath in a French Senate inquiry in July that it cannot guarantee data sovereignty to European customers due to the CLOUD Act. The US legislation allows authorities stateside to demand access to any data held by American companies anywhere in the world.
Earlier this month, the European Commission announced a tender under the Cloud III Dynamic Purchasing System (Cloud III DPS) that will allow EU institutions and agencies to procure sovereign cloud services over six years.
Up to four providers are set to be awarded contracts based on the new Cloud Sovereignty Framework between December 2025 and February 2026, it said.
CISPE is working to develop labels that will distinguish Sovereign Cloud and Operationally Resilient Cloud services, something missing from the EU's procurement framework.
The first builds on Gaia-X Level 3 to guarantee immunity from foreign interference and full European control, according to CISPE, while the second offers customers – especially those in global supply chains – verifiable levels of operational and legal control over their data, even outside Europe. ®
Source: The register