The European Commission awarded €180 million in sovereign cloud contracts to four European providers on April 17, 2026, introducing the SEAL framework (Sovereignty Effectiveness Assurance Levels) that quantifies cloud sovereignty from SEAL-0 (no sovereignty) to SEAL-4 (full EU supply chain). Three winners—Post Telecom (with OVHcloud and CleverCloud), STACKIT, and Scaleway—reached SEAL-3 (immunity from non-EU supply chain disruptions), while Proximus (partnering with S3NS, a Thales-Google Cloud joint venture) achieved SEAL-2. This marks the EU’s most concrete move yet to reduce dependence on AWS, Azure, and Google Cloud, which remain legally vulnerable to US government data requests under the CLOUD Act.
For developers and companies in the EU, this matters. SEAL-3 providers offer legal protection from US jurisdiction plus immunity from geopolitical supply chain disruptions, which is critical for defense, banking, and critical infrastructure. The tender signals that regulatory pressure will increase. Expect more EU agencies to mandate SEAL-2+ for procurement.
SEAL Framework Replaces Vague “Sovereignty” Talk With Concrete Standards
The Cloud Sovereignty Framework (published October 2025) defines SEAL levels with measurable criteria. SEAL-2 means data sovereignty: EU law is enforceable, no customer technical protections needed, but material non-EU dependencies remain. SEAL-3 means digital resilience: immunity from non-EU supply chain disruptions. SEAL-4 is full digital sovereignty with a complete EU supply chain from semiconductors to software (no provider has achieved this yet).
Three providers reached SEAL-3. Post Telecom (with OVHcloud and CleverCloud), STACKIT, and Scaleway demonstrated their infrastructure is immune from US semiconductor shortages, cloud provider exits, or geopolitical disruptions. Proximus/S3NS reached SEAL-2. The EU Commission stated: “European providers are closing the gap with global competitors regarding technical quality and security certifications.”
This matters because EU procurement now has enforceable standards. If you’re bidding on EU government contracts or subject to NIS2 (critical infrastructure, energy, finance, healthcare), you’ll need SEAL-2 at minimum, and SEAL-3 for defense and banking. No more vendor marketing about “European data centers.” SEAL levels are auditable.
Google Technology Under EU Law: The S3NS Paradox
Proximus partnered with S3NS, a Thales-Google Cloud joint venture, to reach SEAL-2. S3NS is majority-owned by Thales (~80%), with Google holding ~20%. It operates PREMI3NS on dedicated Google infrastructure separate from public GCP. S3NS passed SecNumCloud 3.2 qualification on December 17, 2025, meaning it’s legally subject only to EU law despite using Google technology. But can Google tech truly be sovereign?
Legally, yes. PREMI3NS runs on entirely separate, dedicated Google infrastructure operated exclusively by S3NS under European jurisdiction. Thales has majority control. Google employees cannot access the infrastructure. However, skeptics question whether Google could pressure Thales or whether the US government could target the partnership indirectly.
This reflects the EU’s pragmatic approach: leverage US technology (Google’s infrastructure) but under EU legal control. For companies, S3NS offers a middle path—Google Cloud capabilities with EU sovereignty. Nevertheless, the debate is real. Can Europe build competitive cloud tech independently, or must it adapt US infrastructure under EU law? The S3NS model suggests the latter is more realistic short-term.
Why the US CLOUD Act Makes AWS Frankfurt Non-Sovereign
The US CLOUD Act allows American law enforcement to demand access to data regardless of where it’s stored, as long as it’s held by a US-controlled entity. This creates a fundamental conflict with GDPR. Even if AWS Frankfurt or Azure Germany comply with GDPR on paper, US laws can override EU protections through extraterritorial reach. SEAL-2+ providers are legally immune because they’re EU-owned and EU-operated, not US subsidiaries.
A think tank warned on April 17 (the same day as the tender announcement) that “Most EU defense systems rely on US cloud services,” creating a potential “US kill switch” risk. The irony is striking. On the same day the EU awards €180M to sovereign cloud providers, security analysts confirm EU defense infrastructure remains vulnerable to US legal jurisdiction.
For developers handling EU citizen data, defense contracts, or critical infrastructure, AWS/Azure/GCP create legal exposure. The CLOUD Act means the US government can request data without EU oversight. SEAL-2+ providers eliminate this risk. This isn’t just regulatory compliance; it’s geopolitical risk management.
EU Sovereign Clouds Offer 4-14x Better Price-Performance
The four winners are Post Telecom/OVHcloud/CleverCloud (Luxembourg-French), STACKIT (Germany), Scaleway (France), and Proximus/S3NS (Belgian-French-Luxembourg). All are EU-based with no US ownership. Pricing is dramatically better than AWS. Hetzner (not in the tender but a similar EU provider) delivers 14.3x value-per-compute-unit versus AWS. Scaleway delivers 4.8x value versus AWS with double single-core performance for a quarter of the price.
The ecosystem gap is real. European providers lack AWS’s 200+ managed services. No SageMaker, no Lambda equivalents, fewer managed services. However, for many workloads, the savings justify DIY infrastructure. If you’re running compute-heavy workloads (web servers, databases, CI/CD) without needing AWS’s full ecosystem, migrating to OVHcloud, Scaleway, or Hetzner can cut cloud bills 60-80%.
The smart strategy is multicloud segmentation by sensitivity, not all-or-nothing migration. Put regulated/sensitive workloads on SEAL-3 providers (defense data, citizen records, financial transactions). Keep scale/AI workloads on US hyperscalers (machine learning, global CDN, serverless). This avoids vendor lock-in and leverages each provider’s strengths.
Key Takeaways
Here’s what developers and companies need to know:
- SEAL-2 minimum for EU procurement: SEAL-3 required for defense, banking, and critical infrastructure. Check tender requirements before bidding.
- AWS/Azure “EU regions” don’t meet SEAL standards: Physical location doesn’t equal sovereignty. The CLOUD Act applies regardless of data center location.
- S3NS shows pragmatic EU approach: Google technology under EU legal control (Thales majority ownership, separate infrastructure). Controversial but legally sound.
- Price-performance advantage is real: 4-14x better pricing than AWS, but ecosystem gap exists (no SageMaker, Lambda). Segment workloads by sensitivity.
- Multicloud segmentation, not all-or-nothing: Regulated workloads on EU clouds, AI/scale workloads on US clouds. Avoid vendor lock-in with Terraform, Kubernetes, S3-compatible APIs.
Regulatory pressure will increase. The EU Data Act became fully enforceable in January 2025. NIS2 enforcement is ramping up. More EU agencies will mandate SEAL-2+ for procurement. If you’re building for the EU market, understand SEAL levels now. The gap between “EU data center” and true sovereignty just became enforceable.










