The Cloud Sovereignty Framework: a first step toward assessing sovereignty

Let’s look at this initiative with three questions posed to Pierre-Louis Mauratille, Director of Operations at HarfangLab.

What does the Cloud Sovereignty Framework contain? 

Pierre-Louis Mauratille: The Cloud Sovereignty Framework is a concise 6-page document that establishes a set of criteria enabling bidders for European public tenders to assess the level of sovereignty of a cloud service. It builds on other European initiatives such as the trusted cloud in France, the Souveräner Cloud in Germany, and the ENISA, NIS 2, and DORA standards.

This framework takes into account different aspects of sovereignty, with objectives for each: strategic, legal and judicial, operational, technical, supply chain, data and AI systems, security and compliance, and environmental sustainability. The achievement of the various objectives is measured by the Sovereignty Effectiveness Assurance Level (SEAL) on a scale from 0 to 4. The framework also provides a sovereignty score calculated from the results obtained on the various criteria.

This approach, which includes multiple dimensions of sovereignty, allows market players to assess it according to their own context and needs. Sovereignty issues are, after all, different for a company than for a public institution or a critical industry.

What guarantees does the Cloud Sovereignty Framework provide for cloud service sovereignty? 

Pierre-Louis Mauratille: The advantage of this framework is that it is not intended to impose constraints, but rather to indicate levels of sovereignty for the various dimensions of a cloud service. Based on this data, the contracting authority can select the desired level of sovereignty for the different aspects of the service, according to its priorities. 

This approach takes into account the complexity of sovereignty. Today, services are rarely monolithic; instead, they are composed of different blocks or even third-party services, and an assessment of sovereignty’s different dimensions is more appropriate.

A cloud service relies on different components, which is one of the reasons why it is important to remain open – even if sovereignty is a priority. Sovereignty and consistency across the entire value chain are both crucial. But for a solution provider, the door must remain open to allow for the best technological choices while ensuring strategic autonomy and data confidentiality. Just as an organization chooses a provider based on performance criteria, the provider itself must be able to build the most effective solution by meeting sovereignty requirements, without these becoming counterproductive.
 

The Cloud Sovereignty Framework has also been criticized. Why? 

Pierre-Louis Mauratille: The Cloud Sovereignty Framework has been challenged by CISPE (Cloud Infrastructure Service Providers in Europe), which points out that it is too vague to be truly binding in terms of sovereignty. CISPE also questions the calculation of the sovereignty score, which would be disadvantageous to European players.

Today, American providers still largely dominate the market. Microsoft Azure, Amazon Cloud Services, and Google Cloud account for 70% of the revenue generated by cloud services in Europe. This trend raises another question beyond data sovereignty: what happens to the availability of services if our commercial allies today are no longer our allies tomorrow? The creation of a sovereign European ecosystem also aims to ensure our strategic autonomy. This is why we have chosen to work with OVH, a trusted and long-standing partner, for the cloud version of our platform.

Nevertheless, the European Commission could not ignore the current context in the development of this framework, at the risk of it being unenforceable as it stands. It is up to us to consolidate this sovereignty by choosing European players to build a framework that can actually be applied by more stakeholders in the market.

Cybersecurity and sovereignty:  
what are the challenges and how can you choose the right solution?