Europe frequently debates “digital sovereignty”, but too often, the debate stops at data location or GDPR compliance. Hosting in Frankfurt is presented as “sovereign” and an EU subsidiary is treated as “European.” Often, it is topped off with a marketing page with blue stars.
Today, we launch the eurotechguide Sovereignty Index: a structured, transparent and evidence-based model to assess the real sovereignty of cloud and digital services.
You can explore the full index here:
https://eurotechguide.com/eurotechguide-sovereignty-index/
Why: sovereignty should be measurable, but it hasn’t been so far
Europe’s digital infrastructure depends largely on non-European providers, while it is increasingly important to use European solutions. So far, there was no standardized way to measure sovereignty which made the debate subjective or reduced to specific elements like GDPR compliance or location of the data. However, last year, the European Commission introduced a Cloud Sovereignty Framework (v1.2.1, October 2025), which is used by the EU in tenders to assess how sovereign a solution really is. This framework is exceptionally fit for assessing sovereignty, but so far hasn’t been used outside of the context of the EU as an institution itself. For policymakers and buyers: the index makes it easier to specify, compare and justify sovereign choices in tenders. For providers of digital services, it clarifies where your structural dependencies are and where you can invest to improve. Last, but certainly not least, for European consumers who want to choose European products, this index provides transparency on how European a digital service really is.
What: an index which shows how sovereign digital services really are
The eurotechguide Sovereignty Index is a comparative scoring index that assesses and visualises the structural sovereignty of digital services. This operationalises the European Commission’s Cloud Sovereignty Framework into a comparative scoring model. At launch, the index includes 65 digital services, mostly cloud-based providers. More services will be added in the coming period.
The index shows:
- How exposed a service is to non-EU jurisdiction
- How ownership and governance affect strategic control
- Where infrastructure dependencies exist
- How supply chain realities constrain sovereignty
- How operational and technical control are structured
Each service receives:
- Scores across eight sovereignty dimensions
- A weighted overall sovereignty score
- A documented rationale explaining the structural assessment
The purpose is not to certify or label providers, but to make structural dependency visible and comparable.
Example scorecards, where a score for each dimension is shown, can be viewed on individual solution pages, such as:
The index reveals that sovereignty is not binary. It exists on a spectrum shaped by layered legal, strategic and technical factors. Note that this is explicitly not a political ranking, but it is a risk visibility framework. US and Chinese technology providers offer excellent solutions that may be fully suitable for many use cases. However, it is important to understand the structural risks and consequences that come with that choice. This is precisely what this index aims to make visible.
How: methodology and framework
The methodology of the index is grounded in the Cloud Sovereignty Framework of the European Commission, using Sovereignty Objectives (SOV) and their scoring system Sovereignty Effectiveness Assurance Level (SEAL).
Sovereignty Objectives (SOV)
Services are assessed across eight dimensions:
| SOV Dimension | Name | Explanation |
|---|---|---|
| SOV-1 | Strategic | Assesses ownership stability, governance influence and alignment with EU autonomy objectives. Who makes the strategic decisions, and under which jurisdiction? |
| SOV-2 | Legal | Evaluates exposure to non-EU legislation and extraterritorial laws. Which legal regimes can compel access or influence? |
| SOV-3 | Data | Examines data residency, data access control, and enforceability of EU data protection safeguards. |
| SOV-4 | Operations | Reviews operational autonomy: who operates the infrastructure, who has administrative access and where control is exercised. |
| SOV-5 | Supply Chain | Assesses hardware, software, semiconductor, firmware and infrastructure dependencies on non-EU sourcing. |
| SOV-6 | Technology | Evaluates control over core technologies, software stacks, intellectual property and reliance on non-EU ecosystems. |
| SOV-7 | Security | Examines technical and organisational security controls, including encryption ownership and key management sovereignty. |
| SOV-8 | Sustainability | Assesses long-term structural resilience, including economic durability, ecosystem independence and continuity risks. |
Sovereignty Effectiveness Assurance Level
The framework also includes a method for scoring each of the dimensions according to SEAL (Sovereignty Effectiveness Assurance Level):
| SEAL Level | Meaning | Explanation (from the framework) |
|---|---|---|
| SEAL-0 | No Sovereignty | Service, technology or operations under exclusive control of non-EU third parties, governed entirely in non-EU jurisdictions. |
| SEAL-1 | Jurisdictional Sovereignty | EU law formally applies with limited practical enforceability; service, technology or operations under exclusive control of non-EU third parties. |
| SEAL-2 | Data Sovereignty | EU law applicable and enforceable, with material non-EU dependencies remaining; service, technology or operations under indirect control of non-EU third parties. |
| SEAL-3 | Digital Resilience | EU law applicable and enforceable, EU actors exercising meaningful but not full influence; service, technology or operations under marginal control of non-EU third parties. |
| SEAL-4 | Full Digital Sovereignty | Technology and operations under complete EU control, subject only to EU law, with no critical non-EU dependencies. |
A higher SEAL score indicates a higher sovereignty assurance level. Scoring is based on publicly available evidence, including ownership disclosures, corporate structure, infrastructure documentation and regulatory filings. Each dimension score is accompanied by rationale to ensure transparency, including hyperlinks to verifiable sources where available.
What Is already visible in the data
Even with the current dataset, clear patterns emerge:
- Supply chain is the weakest link: only 7 of 65 services exceed SEAL‑2 on Supply Chain, reflecting deep global hardware and chip dependencies. The average SEAL level for SOV-5 is only 1.7 – the lowest of all average SEAL levels.
- EU hosting ≠ EU sovereignty: many ‘EU‑hosted’ services remain structurally exposed to non‑EU law.
- Non-EU ownership materially affects legal exposure.
- Sovereign‑branded clouds still score lower on Legal and Strategic dimensions when parent control remains outside the EU.
The data in the index makes visible what is often obscured in marketing narratives.
Contributions and challenges are welcome
The index is transparent by design. If you disagree with a score, have additional evidence or want to assess a service yourself, you’re very welcome. See this page for more information.
Digital sovereignty deserves analysis grounded in structure, not slogans. The eurotechguide Sovereignty Index is intended as a practical, evidence-based foundation for that conversation.
Feel free to comment below or provide feedback through info@eurotechguide.com.