EU debuts new digital sovereignty assessment tools

As Europe advances its digital sovereignty agenda, new assessment tools provide criteria organizations can use to benchmark cloud and AI providers.

Contributors:
William Simpson
AIGP, CIPP/US
Westin Fellow
IAPP
In line with EU strategic objectives, the European Commission has repeatedly emphasized tech sovereignty, which it defines as "Europe's ability to act independently in the digital world by developing and controlling key technologies, data, and infrastructure, while reducing reliance on non-EU providers."
One pillar of tech sovereignty is the acquisition of sovereign cloud. Under the Cloud III Dynamic Purchasing System — a public procurement program for adopting cloud services — the Commission tendered a 180 million euro contract for sovereign cloud to four European providers: Post Telecom, STACKIT, Scaleway and Proximus. The award was based on a set of criteria identified in the Cloud Sovereignty Framework.
After questions arose over how the Commission applied the Cloud Sovereignty Framework in making its selection, the body released an explainer and implementation guidance to the public. These documents not only offer transparency into the evaluation process undertaken by the Commission, but they also allow cloud providers and organizations in general benchmark their own digital operations against the EU's standards for tech sovereignty.
The EU's Cloud Sovereignty Framework
In designing the framework, the Commission drew upon European initiatives like Cigref's Trusted Cloud Referential v2 and the European Cybersecurity Certification Framework, national cloud sovereignty strategies and international practices in export controls, supply chain resilience and security auditability.
The framework measures cloud sovereignty across eight objectives: strategic, legal and jurisdictional, data and AI, operational, supply chain, technology, security and compliance and environmental sustainability. As such, the Commission states that the framework provides "a clear and standardised method to assess cloud services, moving away from abstract principles to concrete sovereignty metrics."
Contributors:
William Simpson
AIGP, CIPP/US
Westin Fellow
IAPP