EU's cloud sovereignty plan gives more points to efficiency than independence

The European Commission released a cloud sovereignty framework in October 2025 that critics say defeats its own purpose. The scoring system gives American cloud providers more points for operational efficiency than for being free from US government surveillance powers.

Entrepreneur Arnaud Bertrand called the framework "beyond parody" after analyzing how the math works. The 6-page document sets up eight categories to judge cloud providers. Supply chain gets 20% of the score. Legal independence from foreign governments gets only 10%.

This means a US company subject to American surveillance laws could beat a European provider simply by having better technology and operations. Microsoft, Amazon, and Google could theoretically score higher than European competitors like OVH or Scaleway, despite the fact that Microsoft executives admitted under oath they cannot protect European data from US government demands.

How the scoring actually works

The framework judges providers on eight factors. Here's what each one counts for in the final score:

Supply chain sovereignty gets 20%. This measures where hardware comes from and who controls it. Strategic sovereignty gets 15%. This checks if the company is controlled by European owners. Operational sovereignty receives 15%. This evaluates whether Europeans can run the systems independently. Technology sovereignty gets 15%. This examines whether the technology is open and auditable.

Legal jurisdiction receives just 10%. This supposedly measures protection from foreign government access. Security compliance gets 10%. This covers certifications and EU regulations. Data and AI sovereignty receives 10%. This addresses where data stays and who controls it. Environmental sustainability gets 5%. This measures energy efficiency and carbon impact.

Add up the operational categories—supply chain, operations, and technology—and you get 50% of the total score. Add up the sovereignty categories that actually protect against foreign government access—legal jurisdiction, strategic control, and data location—and you get 35%.

One analyst put it bluntly: "the weighting choice creates a system where operational excellence can mathematically compensate for foreign jurisdiction." Translation: American companies can win European government contracts by being good at their jobs, even though US courts can order them to hand over European data.

The US surveillance problem nobody wants to discuss

This matters because of what happened in June 2025. Anton Carniaux, Microsoft France's legal director, testified to the French Senate about data protection. Senators asked him directly: can you guarantee French citizen data will never be transmitted to US authorities without French authorization?

His answer: "No, I cannot guarantee it."

Carniaux explained that Microsoft has internal procedures to challenge unjustified requests. But he admitted that "a binding order from a U.S. court could prevail." This isn't theoretical. The US CLOUD Act gives American authorities the power to demand data from US companies no matter where that data is stored.

Microsoft's technical director tried to soften the blow. Pierre Lagarde emphasized that "since January 2025, under contractual guarantee, the data of our European clients does not leave the EU, whether at rest, in transit, or being processed." But data location is meaningless when American courts can order American companies to decrypt and deliver it anyway.

European regulators know this. The European Data Protection Supervisor closed its enforcement case against Microsoft in July 2025 despite the company's admission. They accepted contractual promises that Microsoft's own lawyers say cannot override US law.

Critics say the fix is in

The social media reaction to the framework revealed deep skepticism about how this system came to be. A former EU lobbyist explained the likely process: "A draft with a decent system was leaked, then the various tech lobbies jumped on it to water it down, followed by EU countries captured by the US."

Another commenter was more direct: "It's on purpose, the EU is fully infected with bureaucrats doing the US bidding on everything." One observer suggested renaming it because it functions "more of an operational capability framework and less of a cloud sovereignty framework."

The criticism focuses on a basic contradiction. The EU claims to want digital sovereignty—independence from foreign control of critical infrastructure. But the math in this framework rewards the opposite. Companies subject to foreign government surveillance powers can win contracts by excelling at the technical factors that make up half the score.

A systems analyst identified the core issue: "This produces procurement outcomes that preserve existing vendor relationships under a sovereignty framework." In other words, the system lets European governments claim they're prioritizing sovereignty while continuing to buy from the same American providers they've always used.

What Deutsche Telekom saw coming

T-Systems appointed Christine Knackfuß-Nikolic as Chief Sovereignty Officer on September 1, 2025, weeks before the framework's release. The Deutsche Telekom subsidiary created an entire executive position dedicated to sovereignty strategy. They saw a market opportunity.

European cloud providers have struggled to compete with Amazon Web Services, Microsoft Azure, and Google Cloud. The American hyperscalers offer more features, better performance, and lower prices. They've built ecosystems of tools and services that European alternatives cannot easily match.

European providers like OVH and Scaleway argue they offer something the Americans cannot: genuine protection from foreign surveillance. They're not subject to the US CLOUD Act. French courts cannot order them to hand over data to American intelligence agencies. But if the procurement scoring system gives twice as much weight to supply chain management as to legal independence, that advantage disappears.

France's SREN law requires sensitive government data to move to SecNumCloud-certified providers. Implementation has been slow. Agencies find it easier to keep using Microsoft and Amazon services they already know. The new EU framework might make it mathematically justifiable to do exactly that.

The minimum standards loophole

The framework does include minimum requirements. Providers must reach certain "Sovereignty Effectiveness Assurance Levels" for each category. There are five levels, from SEAL-0 to SEAL-4.

SEAL-0 means no sovereignty—complete foreign control. SEAL-1 means EU law technically applies but cannot be enforced. SEAL-2 means EU law works but major foreign dependencies remain. SEAL-3 means EU actors have meaningful influence but not full control. SEAL-4 means complete European control with no foreign dependencies.

Tender documents specify minimum SEAL levels for each category. Providers who don't meet the minimums get disqualified. This theoretically prevents companies with SEAL-0 or SEAL-1 ratings from winning contracts no matter how high they score elsewhere.

But here's the problem. The framework doesn't define what minimum SEAL level procurement officers must require. A provider could meet SEAL-2 minimums across all categories—meaning they still have "material non-EU dependencies" and operate under "indirect control of non-EU third parties"—and then compete on the weighted scoring formula.

If they excel at supply chain management, operational capabilities, and technology openness, they could beat a European provider with SEAL-4 full sovereignty. The system permits exactly the outcome it supposedly prevents.

Why marketing technology platforms should pay attention

This framework affects more than just government cloud contracts. It establishes how European authorities think about digital sovereignty. Those principles flow into other regulations.

The European Data Protection Board released guidelines in September 2025 about how the Digital Services Act intersects with GDPR. Marketing platforms processing personal data must comply with both frameworks. The approach to sovereignty in procurement decisions signals regulatory priorities.

GDPR enforcement statistics show that only 1.3% of cases between 2018 and 2023 resulted in fines. But Ireland, where American tech companies base their European operations, imposed €475 million in annual average fines. Luxembourg averaged €124 million. The countries that host foreign providers also regulate them most aggressively.

The sovereignty framework's approach to legal jurisdiction—acknowledging the problem while giving it minimal scoring weight—mirrors how regulators handled Microsoft's data protection failures. They closed enforcement cases despite admitted inability to prevent foreign government access.

Marketing platforms built on American cloud infrastructure inherit these vulnerabilities. If an advertiser stores customer data in Microsoft Azure, that data becomes accessible to US intelligence agencies regardless of contractual promises. The procurement framework's weighted scoring approach suggests European authorities consider this an acceptable tradeoff for operational efficiency.

The real question nobody's answering

The framework draws on multiple European initiatives. CIGREF's Trusted Cloud Referential. Gaia-X policy rules. The European Cybersecurity Certification Framework covering ENISA, NIS2, and DORA. National strategies like France's Cloud de Confiance and Germany's Souveräner Cloud.

All these programs share a common goal: reducing European dependence on foreign technology. Yet the actual implementation keeps choosing foreign providers. French government contracts worth €74-152 million went to Microsoft for educational software despite European alternatives. The French Senate hearing revealed that procurement decisions "consistently favor non-EU solutions for critical infrastructure projects."

One commenter asked the obvious question: "Is there any EU cloud provider?" The answer is yes—OVH, Scaleway, and others exist. But they lack the scale and features of American hyperscalers. Building comparable infrastructure requires sustained investment that European markets haven't delivered.

The framework acknowledges this reality in its weighted scoring. Supply chain, operations, and technology together represent 50% of the evaluation because these factors determine whether systems actually work. A sovereignty solution that doesn't function is worthless. But giving operational factors twice the weight of legal independence suggests the Commission believes European alternatives cannot compete on technical merit.

This creates a self-fulfilling prophecy. European providers struggle to win contracts against American competitors. Without contract revenue, they cannot invest in matching American capabilities. The scoring system then continues to favor American providers based on their superior operational performance.

What the framework actually accomplishes

The framework provides political cover for decisions already made. European procurement officers want to use Microsoft, Amazon, and Google because these providers offer better services. But sovereignty concerns make it politically difficult to justify those choices.

Enter the framework. Now procurement officers can document their sovereignty analysis. They can show they evaluated eight different factors using a rigorous mathematical formula. They can point to minimum SEAL requirements that providers must meet. And they can justify choosing American providers because those companies scored higher on operational excellence.

The system transforms a political problem into a technical solution. Instead of confronting the policy question—should European governments depend on American technology infrastructure subject to US surveillance powers—the framework converts it into a scoring exercise that permits the desired outcome.

A critic described this as "improving the efficiency with which Washington can manage its vassals." That's harsh but captures the frustration. The EU spent resources developing a sovereignty framework that mathematically favors non-sovereign solutions. One observer characterized it as Europe's "strive of being the first world producer of empty meaningless policies."

The environmental sustainability distraction

Environmental sustainability receives 5% of the scoring—half the weight of legal jurisdiction. This measures energy efficiency, carbon emissions, circular economy practices for hardware disposal, and renewable energy usage.

These factors matter for climate policy. But including them in a sovereignty framework while giving them minimal weight suggests priorities. If protecting European data from foreign government access merits only 10%, and environmental practices merit 5%, what does that say about the Commission's actual concerns?

The framework states that environmental sustainability "assesses autonomy and resilience of cloud services over the long term in relation to energy usage, dependency and raw material scarcity." This connects sustainability to sovereignty through resource independence. But the connection is tenuous compared to the direct sovereignty issues around legal jurisdiction.

Including environmental factors looks like box-checking. The Commission can claim it considered climate impact. The 5% weight ensures sustainability factors cannot determine outcomes. American cloud providers can point to their renewable energy investments and earn those points while maintaining surveillance vulnerabilities that the framework treats as less important.

What happens next

The framework takes effect immediately for EU procurement procedures. Contracting authorities must apply the weighted scoring formula and minimum SEAL requirements when evaluating cloud service proposals. Results may be used during contract performance to determine what types of systems can be deployed with specific providers.

T-Systems' new Chief Sovereignty Officer will attempt to position the Deutsche Telekom subsidiary for contracts under these rules. European providers will emphasize their SEAL-4 full sovereignty credentials. They'll argue their legal independence from foreign governments justifies premium pricing despite operational gaps.

American providers will highlight their operational excellence, supply chain transparency, and technology openness. They'll meet minimum SEAL requirements—probably SEAL-2 or SEAL-3—and then compete on the 50% of scoring tied to performance factors. They'll win contracts by being better at the things that count most in the weighted formula.

European authorities will approve these outcomes because the framework provides justification. They'll tell citizens they prioritized sovereignty by requiring comprehensive assessments across eight factors. They'll explain that winning providers met all minimum requirements and scored highest on the objective mathematical formula.

And European data will continue flowing through infrastructure subject to American surveillance powers that Microsoft executives admit they cannot resist.

Timeline

• October 2025: Commission releases Cloud Sovereignty Framework version 1.2.1 with weighted scoring favoring operational factors
• October 30, 2025: Arnaud Bertrand calls framework "beyond parody," criticism spreads through technology policy circles
• September 1, 2025: T-Systems creates Chief Sovereignty Officer position anticipating sovereignty-focused procurement
• September 11, 2025: European Data Protection Board releases DSA-GDPR guidelines for marketing platforms
• August 5, 2025: European Data Protection Supervisor closes Microsoft enforcement case despite ongoing legal challenges
• July 18, 2025: Microsoft legal director tells French Senate he cannot guarantee data protection from US government
• June 10, 2025: French Senate investigates why procurement decisions favor foreign providers despite sovereignty goals

Summary

Who: European Commission's digital services directorate created the framework affecting government procurement across 27 member states, with immediate criticism from entrepreneurs and policy analysts who examined the weighted scoring mathematics.

What: Scoring system assigns 20% weight to supply chain, 15% each to strategic control, operations, and technology, but only 10% to legal jurisdiction, allowing providers subject to foreign government surveillance to outscore European alternatives through operational excellence.

When: Released October 2025 for immediate implementation in procurement procedures, following development based on French and German national sovereignty strategies that have struggled with similar tradeoffs between independence and capability.

Where: Brussels headquarters issued framework for implementation across European Union, affecting government cloud contracts, sensitive data infrastructure, and procurement decisions that critics say continue favoring American providers despite sovereignty rhetoric.

Why: Framework attempts to balance sovereignty goals with operational requirements but critics argue weighted scoring undermines independence objectives, creating mathematical justification for outcomes that preserve existing dependencies on foreign infrastructure subject to extraterritorial surveillance powers.