
EUR 180 Million for Sovereign Cloud: What the EU’s First Sovereignty-Scored Procurement Means for Swiss Organisations

24. Apr 2026

On April 17, 2026, the European Commission awarded EUR 180 million in cloud contracts to four European providers – Post Telecom Luxembourg, STACKIT, Scaleway, and Proximus. For the first time, providers were scored on sovereignty using a formal framework with eight measurable dimensions. Hyperscaler involvement left one consortium with a lower score. Here is what this means for Swiss organizations choosing cloud providers.

The EU now scores sovereignty

The Commission’s Cloud Sovereignty Framework (v1.2.1, October 2025) defines eight Sovereignty Objectives and five assurance levels (SEAL-0 to SEAL-4). Providers bidding for these contracts were evaluated on:

  • Strategic sovereignty – EU ownership and anchoring, resilience against foreign interference
  • Legal & jurisdictional sovereignty – insulation from extraterritorial laws such as the US CLOUD Act
  • Data & AI sovereignty – where data is stored, who holds encryption keys, independence of AI services
  • Operational sovereignty – can EU-based teams operate the service independently?
  • Supply chain sovereignty – geographic origin of components and sub-suppliers (highest weight: 20%)
  • Technology sovereignty – open source, open standards, no proprietary lock-in
  • Security & compliance sovereignty – certifications, independent patching, EU-based SOC
  • Environmental sustainability – energy efficiency, renewable energy, carbon disclosure

Each objective carries a defined weight. Supply chain sovereignty is the highest at 20%, followed by strategic, operational, and technology sovereignty at 15% each.

What the results tell us

Three of the four winners achieved SEAL-3 (“Digital Resilience”), meaning EU actors exercise meaningful control with only marginal non-EU influence:

| Provider | Country | Partners | SEAL Level |
|---|---|---|---|
| Post Telecom | Luxembourg | CleverCloud, OVHcloud | SEAL-3 |
| STACKIT (Schwarz Group) | Germany | | SEAL-3 |
| Scaleway (Iliad Group) | France | | SEAL-3 |
| Proximus | Belgium | S3NS (Thales/Google Cloud JV), Clarence, Mistral | SEAL-2 |

The Proximus consortium – which includes S3NS, a joint venture between Thales and Google Cloud – achieved only SEAL-2 (“Data Sovereignty”), where EU law is enforceable but material non-EU dependencies remain.

The message is clear: involving a US hyperscaler – even through a European joint venture with a defense contractor – measurably reduces your sovereignty score. The framework does not ban hyperscaler partnerships, but it scores them lower.

Why Swiss organizations should pay attention

Although this procurement targets EU institutions, the framework will cascade:

  • EU member states will adopt similar criteria for national cloud procurement, following France’s “Cloud de Confiance” and Germany’s “Souveräner Cloud” strategies that the framework explicitly references.
  • Regulated industries (banking, insurance, healthcare) already face FINMA, DORA, and NIS2 requirements that overlap with these sovereignty objectives – particularly legal jurisdiction, data sovereignty, and security compliance.
  • Swiss public sector procurement increasingly references EU standards. Organizations evaluating cloud providers now have a structured vocabulary to compare sovereignty claims instead of relying on marketing.

Eight dimensions, not just “data stays in Switzerland.”

Most sovereignty marketing stops at data residency. The EU framework goes much further – and so should your evaluation criteria:

| Dimension | What to ask your provider |
|---|---|
| Strategic | Who owns the company? Any foreign investors or parent entities? |
| Legal | Which law governs your contracts? Are you exposed to the US CLOUD Act? |
| Data | Where is data stored? Who holds the encryption keys? |
| Operational | Where is your operations team? Can you patch and upgrade without any non-EU vendor? |
| Supply chain | Who are your infrastructure sub-suppliers? Can you disclose the full chain? |
| Technology | Is the software open source? Can I migrate to another provider? |
| Security | Where is your SOC? Can you apply security patches independently? |
| Environmental | What is your energy source? Do you disclose PUE and carbon emissions? |

Where VSHN stands: self-assessment against the framework

We applied the EU’s eight sovereignty objectives to our own services. This is a self-assessment – VSHN has not been formally scored by the European Commission – but we believe transparency is more useful than vague claims. The full assessment with references is available on request.

| # | Dimension | Weight | VSHN assessment | Evidence |
|---|---|---|---|---|
| SOV-1 | Strategic | 15% | Strong | Swiss AG, no foreign parent company, all shareholders Swiss citizens (Commercial Register) |
| SOV-2 | Legal | 10% | Strong | Swiss law governs all contracts (GTC), no CLOUD Act exposure, EU adequacy decision for Switzerland |
| SOV-3 | Data & AI | 10% | Strong | Infrastructure-agnostic: customer chooses provider. Open-source software, fully auditable. Swiss-owned options available (e.g., cloudscale.ch — 100% Swiss-owned) |
| SOV-4 | Operational | 15% | Strong | Swiss 24/7 ops team, optional Switzerland-only support. All services available on vanilla Kubernetes — no non-Swiss vendor dependency required |
| SOV-5 | Supply Chain | 20% | Strong | Infrastructure-agnostic: customer chooses provider. Open-source software, fully auditable. Swiss-owned options available (e.g. cloudscale.ch — 100% Swiss-owned) |
| SOV-6 | Technology | 15% | Strong | 100% open-source stack. Active contributor: K8up (CNCF Sandbox), Crossplane providers, Project Syn, APPUiO |
| SOV-7 | Security | 10% | Strong | ISO 27001, ISAE 3402 Type II (2025), Swiss SOC. Serving FINMA-regulated customers |
| SOV-8 | Environmental | 5% | Moderate | Cloudscale operates in Green Datacenter AG facilities (ISO 22301/27001/27701). Exoscale sustainability with per-customer environmental impact reports. VSHN CSR policy |

Overall: SEAL-3 equivalent – the same level achieved by the three strongest providers in the EU’s own tender. No provider achieved SEAL-4.

Why not SEAL-4?

SEAL-4 (“Full Sovereignty”) requires complete EU/EEA control with no non-EU dependencies. No provider achieved it – not even in the EU’s own EUR 180M procurement. The gaps are structural, not provider-specific:

  • Switzerland is not an EU/EEA member but participates in the single market through bilateral agreements, is Schengen-associated, and has an EU adequacy decision for data protection. The gap is formal, not substantive.
  • Hardware supply chains are global: semiconductors, networking equipment, and storage are manufactured in Asia and the US. This applies to every cloud provider, including the SEAL-3 winners.
  • Open-source foundations are US-based: the Linux Foundation, CNCF, and the Apache Foundation are US entities. Open-source licensing mitigates this (code is forkable and auditable), but strict SEAL-4 interpretation could flag it.

VSHN operates at the practical maximum. The remaining gaps to SEAL-4 are shared by every cloud provider worldwide.

Sovereignty is a bridge, not a bunker

It’s tempting to frame sovereignty as a defensive exercise — protecting data, avoiding foreign law, ticking compliance boxes. But that misses the point.

As Stefan van Oirschot argues, infrastructure should be a bridge that enables agility, not a bunker that constrains it. The distinction matters: organizations on proprietary platforms ask their vendor for permission to innovate. Organizations on sovereign, open-source platforms grant themselves permission.

The invisible taxes of lock-in: Proprietary platforms carry two hidden costs that don’t appear on invoices. First, implementation debt: migrating working solutions to a vendor’s proprietary framework burns capital and frustrates engineering talent. Second, compliance reset: regulations like DORA and NIS2 increasingly require credible exit strategies. An infrastructure that can’t be migrated creates audit risk — what van Oirschot calls “regulatory deadlock.”

The sovereignty dividend: Open-source infrastructure — Linux, Kubernetes, PostgreSQL, OpenBao, Crossplane — transfers ownership from vendors to the organizations using it. Vendors become partners, not landlords. When your infrastructure is built on standards rather than rented land, you can change providers, add clouds, or adopt new technology without rebuilding from scratch.

AI readiness requires sovereign infrastructure: The next wave of enterprise technology (agentic AI, RAG pipelines, and private LLM inference) demands infrastructure that you control. Running AI workloads on a platform where a foreign vendor holds the keys to your data, your models, and your compute is the opposite of self-determination. Sovereign infrastructure is the prerequisite for sovereign AI. This is why VSHN operates managed LLM inference on customers’ infrastructure, so that organizations deploying AI keep control of their data and their models.

The EU framework scores eight technical dimensions. But the strategic question is simpler: does your infrastructure let you move faster, or does it slow you down?

The bottom line

The EU Cloud Sovereignty Framework confirms what VSHN has built over the past decade: sovereign cloud operations are not just about where data is stored. They require European ownership, independent operational capability, open-source technology, transparent supply chains, and jurisdictional insulation from foreign law.

Sovereignty is not a cost center; it is the foundation for agility, compliance, and AI readiness. Organizations that treat it as a checkbox will find themselves asking their vendor for permission. Organizations that build on sovereign infrastructure will already be shipping.

For Swiss organizations evaluating cloud providers, the question is no longer “Do you host in Switzerland?” but “How do you score across all eight sovereignty dimensions, and does your infrastructure enable or constrain your next move?”

For product-specific sovereignty assessments, see GitLab, Keycloak, OpenShift, OpenBao, and our full service catalog.


Aarno Aukia

Aarno is Co-Founder of VSHN AG and provides technical enthusiasm as a Service as CTO.
