Skip to content
You can now search across every topic, entity and event.What's new
CISPE
Organisation

CISPE

European cloud trade body; launched rival auditable sovereignty badge to contest the Commission's SEAL framework.

Last refreshed: 17 May 2026 · Appears in 1 active topic

Key Question

CISPE's rival badge launched the day after SEAL — can it become the standard CAIDA actually references?

Timeline for CISPE

View full timeline →
Common Questions
What is CISPE and why did it criticise the EU sovereign cloud contract?
CISPE (Cloud Infrastructure Services Providers in Europe) is the trade body for European cloud providers. Its Secretary General called the inclusion of S3NS, a Thales-Google joint venture, in the EU sovereign cloud framework sovereignty washing, arguing the US CLOUD Act creates a structural data-disclosure risk that disqualifies any Google-linked provider from genuine sovereign certification.Source: The Register / CISPE
What is CISPE's auditable sovereignty framework?
CISPE's auditable sovereignty framework is a proposed certification system designed to give cloud procurement legally defensible criteria that distinguish genuine operational independence from sovereignty washing — meaning providers who carry US CLOUD Act exposure should not receive the same tier as providers without foreign legal jurisdiction over their data.Source: CISPE / Francisco Mingorance keynote, Sovereign Tech Europe
What is the US CLOUD Act and why does it matter for European cloud sovereignty?
The US CLOUD Act (2018) allows American authorities to compel US-domiciled cloud companies to disclose data held anywhere in the world, including in European jurisdictions. It means any cloud service operated through a US parent company — including joint ventures like S3NS (Thales/Google) — carries a structural disclosure risk regardless of where the data is physically stored.Source: CISPE / The Register

Background

CISPE (Cloud Infrastructure Services Providers in Europe) is the trade association representing European cloud infrastructure providers, including OVHcloud, Hetzner, Scaleway, and dozens of smaller operators across EU member states. On 22 April 2026, its Secretary General Francisco Mingorance publicly described the European Commission's decision to include S3NS — a joint venture between Thales and Google Cloud — in the €180m sovereign cloud framework as "clearly an own goal" and characterised it as "sovereignty washing" .

CISPE's core commercial interest is enforcement of a meaningful distinction between genuinely European cloud infrastructure and US-linked providers operating under a European brand. The US CLOUD Act gives American authorities the power to compel US-domiciled cloud companies to disclose data held anywhere in the world, including through European joint ventures. CISPE argues this structural legal exposure makes S3NS's SEAL-2 certification — the minimum data sovereignty threshold, one tier below the digital resilience achieved by the other three awardees — an insufficient basis for inclusion in a framework described as sovereign.

Mingorance delivers the keynote "Making Sovereignty Verifiable" at Sovereign Tech Europe on 23 April 2026, presenting CISPE's proposed auditable sovereignty framework — a certification scheme designed to give cloud procurement legally defensible definitions that distinguish hedged access from genuine independence . Whether CISPE translates its public criticism into a formal legal challenge against the framework award remains an open question.

On 24 April 2026 — the day after Mingorance's Brussels keynote — CISPE formally launched its Sovereign and Resilient Cloud Services Framework, certifying 40-plus services under a binary distinction: Sovereign (full CLOUD Act immunity, data processed exclusively in the EU, no non-EU legal access vectors) or Resilient (operational independence, but without the full legal immunity). Third-party audits are conducted by BYCYB (formerly LNE). CISPE explicitly framed the launch as a challenge to the Commission's graduated SEAL tiers, calling SEAL a "murky sovereignty score" that obscures whether a service is genuinely immune or merely operationally independent.

The framework competition with SEAL now has a legislative dimension. The Commission's CAIDA (Cloud and AI Development Act), tabled for adoption 27 May 2026, is expected to name a certification standard for procurement of sensitive public-sector data. CISPE has lobbied for its binary framework to be that reference, arguing SEAL's tiered structure allowed the S3NS compromise that CISPE publicly called an own goal. If CAIDA references CISPE's binary standard rather than SEAL, it would effectively mandate that S3NS-type hybrid structures are excluded from the most sensitive data categories across all EU member states — a commercially decisive outcome for OVHcloud, Hetzner, and Scaleway.

The result is a contest between two rival certification architectures: the Commission's SEAL (graduated tiers, broader inclusion, backed by institutional procurement precedent) and CISPE's binary badge (all-or-nothing sovereign test, industry-led, auditor-backed). CAIDA's language will determine which framework shapes EU public procurement for the next decade.

More questions
What is CISPE's new sovereign cloud certification framework?
Launched 24 April 2026, CISPE's Sovereign and Resilient Cloud Services Framework certifies cloud services as either fully Sovereign (CLOUD Act immune) or Resilient (operationally independent). Third-party audits are conducted by BYCYB. Over 40 services were certified at launch.Source: CISPE
Why did CISPE call the EU sovereign cloud award 'sovereignty washing'?
CISPE Secretary General Francisco Mingorance said including S3NS — a Google Cloud joint venture — in the €180m framework was an own goal because S3NS remains subject to the US CLOUD Act despite operating under a European brand.Source: Lowdown
What is the difference between SEAL and the CISPE sovereign cloud badge?
SEAL has graduated tiers (SEAL-1 to SEAL-3) allowing hybrids like S3NS at SEAL-2. CISPE's framework is binary: a service is either fully Sovereign (CLOUD Act immune) or merely Resilient. CISPE argues only the binary test is legally defensible.Source: CISPE, Lowdown
Will CAIDA use CISPE certification or the EU SEAL framework?
CAIDA (tabled 27 May 2026) has not yet specified which framework it will reference. CISPE is lobbying for its binary standard; the Commission is expected to defend SEAL. The outcome will determine whether US-linked cloud joint ventures are excluded from the most sensitive EU public-sector data.Source: Lowdown
Source Material