EU Cloud Sovereignty Law: How Europe Is Deciding Which Cloud Providers Governments Can Use
The EU cloud sovereignty law is Europe’s attempt to take more control over where its most sensitive data is stored and who can touch it. The cloud means storing data and running software on the internet using someone else’s giant computers, instead of your own. Today, much of Europe’s government data sits on clouds run by big US companies. New EU rules aim to change that, at least for the most sensitive systems.
The framework sets clear levels that measure how “sovereign,” or independent, a cloud service really is. It then decides which providers governments are allowed to use for sensitive work. Here is how it works in plain words.
What “cloud sovereignty” means
Sovereignty here means control. A sovereign cloud is one where European law fully applies, and where outside countries cannot easily demand access to the data.
The worry is a US law called the CLOUD Act. It can let US authorities ask US companies for data, even data stored abroad. So Europe wants options where that risk is removed for its most critical records.
The Cloud Sovereignty Framework and its levels
In October 2025, the European Commission published its Cloud Sovereignty Framework. The European Commission is the EU’s main executive body, a bit like its central government office. The framework sets eight sovereignty goals, covering legal, operational, security, supply chain, and environmental factors.
To score providers, it uses levels called SEAL, short for Sovereignty Effectiveness Assurance Levels. They run from SEAL-0 to SEAL-4.
- SEAL-0: the provider shows a complete lack of sovereignty.
- SEAL-2: “data sovereignty,” where EU law applies and is enforceable, though some non-EU dependencies may remain.
- SEAL-4: the strictest, needing a full EU supply chain, from chips to software.
For the Commission’s own tender, SEAL-2 was set as the minimum to qualify. A tender is an official call for companies to bid for a contract.
Key facts
| Item | As reported |
|---|---|
| Framework published | October 2025, by the European Commission |
| Sovereignty goals | Eight objectives |
| Scoring levels | SEAL-0 to SEAL-4 |
| Minimum to qualify (Commission tender) | SEAL-2 (Data Sovereignty) |
| Sovereign cloud tender | Awarded April 2026, up to EUR 180 million over 6 years |
| Strictest tier impact | Levels 3 and 4 need EU ownership; US hyperscalers barred at top tier |
Which providers and governments are affected
The strictest rules apply mainly to public-sector bodies handling sensitive data, in areas like banking, healthcare, and judicial (court) records.
Levels 3 and 4 require EU ownership and full supply-chain control. Non-European technology cannot meet that under the CLOUD Act. So at the most sensitive tier, covering critical government systems, US cloud hyperscalers would be barred outright from competing. A hyperscaler is a very large cloud company like the biggest US providers.
In April 2026, the Commission awarded its Sovereign Cloud tender. Through it, EU institutions and agencies can buy sovereign cloud services for up to EUR 180 million over six years.
Why it matters (especially for India and founders)
This is part of a global trend: countries wanting control over their own data. India has its own data localisation debates, where some data must be stored inside the country. Europe’s model gives lawmakers a detailed template to study.
For founders, there is real opportunity. Local, sovereign cloud providers, data centres, and compliance tools could win business that once went only to global giants. If you build cloud or security products, “where is my data, and who can see it” is becoming a key selling point.
FAQ
What is the EU cloud sovereignty law trying to do?
It aims to give Europe more control over its sensitive data by scoring cloud providers and reserving the strictest government work for the most independent, EU-controlled options.
What are SEAL levels?
SEAL (Sovereignty Effectiveness Assurance Levels) score how independent a cloud service is, from SEAL-0 (no sovereignty) to SEAL-4 (a full EU supply chain).
Are US cloud companies banned?
Not everywhere. But at the strictest tier (Levels 3 and 4), which covers critical government systems, US hyperscalers would be barred because they cannot meet EU ownership rules under the CLOUD Act.
How much money is involved in the tender?
The April 2026 Sovereign Cloud tender lets EU institutions buy services for up to EUR 180 million over six years, as reported.
Takeaway
Europe is drawing a clear line: the more sensitive the data, the more local control it demands. The SEAL levels turn a fuzzy idea, “digital sovereignty,” into hard rules with real winners and losers. For the cloud industry, and for anyone watching how nations guard their data, this framework is a sign of where the world is heading.
Source: MediaNama
