What is CISPE and why did it criticise the EU sovereign cloud contract?: CISPE (Cloud Infrastructure Services Providers in Europe) is the trade body for European cloud providers. Its Secretary General called the inclusion of S3NS, a Thales-Google joint venture, in the EU sovereign cloud framework sovereignty washing, arguing the US CLOUD Act creates a structural data-disclosure risk that disqualifies any Google-linked provider from genuine sovereign certification.Source: The Register / CISPE
What is CISPE's auditable sovereignty framework?: CISPE's auditable sovereignty framework is a proposed certification system designed to give cloud procurement legally defensible criteria that distinguish genuine operational independence from sovereignty washing — meaning providers who carry US CLOUD Act exposure should not receive the same tier as providers without foreign legal jurisdiction over their data.Source: CISPE / Francisco Mingorance keynote, Sovereign Tech Europe
What is the US CLOUD Act and why does it matter for European cloud sovereignty?: The US CLOUD Act (2018) allows American authorities to compel US-domiciled cloud companies to disclose data held anywhere in the world, including in European jurisdictions. It means any cloud service operated through a US parent company — including joint ventures like S3NS (Thales/Google) — carries a structural disclosure risk regardless of where the data is physically stored.Source: CISPE / The Register

Background

CISPE (Cloud Infrastructure Services Providers in Europe) is the trade association representing European cloud infrastructure providers, including OVHcloud, Hetzner, Scaleway, and dozens of smaller operators across EU member states. On 22 April 2026, its Secretary General Francisco Mingorance publicly described the European Commission's decision to include S3NS — a joint venture between Thales and Google Cloud — in the €180m sovereign cloud framework as "clearly an own goal" and characterised it as "sovereignty washing" .

CISPE's core commercial interest is enforcement of a meaningful distinction between genuinely European cloud infrastructure and US-linked providers operating under a European brand. The US CLOUD Act gives American authorities the power to compel US-domiciled cloud companies to disclose data held anywhere in the world, including through European joint ventures. CISPE argues this structural legal exposure makes S3NS's SEAL-2 certification — the minimum data sovereignty threshold, one tier below the digital resilience achieved by the other three awardees — an insufficient basis for inclusion in a framework described as sovereign.

Mingorance delivers the keynote "Making Sovereignty Verifiable" at Sovereign Tech Europe on 23 April 2026, presenting CISPE's proposed auditable sovereignty framework — a certification scheme designed to give cloud procurement legally defensible definitions that distinguish hedged access from genuine independence . Whether CISPE translates its public criticism into a formal legal challenge against the framework award remains an open question.

How the World Sees Them

Member states

National procurement officers who cite the €180m framework as a reference contract are effectively endorsing the Commission's blended sovereignty standard.

United States

Google Cloud and hyperscalers view CISPE certification frameworks as market-access barriers dressed as technical standards.

European Commission

Defends the S3NS inclusion as necessary to keep the tender viable given limited European-only supply at scale; disputes the sovereignty washing characterisation.

European cloud industry

CISPE speaks commercially for providers who hold 15% of European cloud and whose growth depends on enforcement of sovereignty standards that exclude US-linked competitors.