27MAY

CISPE ships rival sovereign cloud badge

3 min read

15:19UTC

Cloud Infrastructure Services Providers in Europe (CISPE) launched a 40-plus service certification framework on Friday 24 April, one day after the Brussels summit closed and four weeks before the Commission writes 'sovereign' into EU statute.

← Back to Brussels slips sovereignty law a third time Jump to analysis ↓

TechnologyDeveloping

Key takeaway

CISPE's binary sovereignty/resilience certification pre-empts the Commission's CAIDA definition four weeks before adoption.

Cloud Infrastructure Services Providers in Europe (CISPE) launched its Sovereign and Resilient Cloud Services Framework on Friday 24 April with 40-plus certified services, the morning after Sovereign Tech Europe closed in Brussels ¹. Francisco Mingorance, CISPE's Secretary General, gave the launch keynote, Making Sovereignty Verifiable. Four days earlier he had called the Commission's award of its €180m sovereign cloud framework to the Thales-Google joint venture S3NS at SEAL-2 (Sovereignty European Assurance Level, tier 2) "sovereignty washing" . Audits are run by BYCYB, the rebranded Laboratoire national de métrologie et d'essais, France's national metrology body.

The framework draws a binary the SEAL tiers blur. "Sovereign" means jurisdictional control: ownership, governance and operations inside the European Union, with no extraterritorial legal exposure. "Resilient" means technical control: safeguards against disruption. Mingorance reached for tyres on stage. The Sovereign Badge is a puncture-proof tyre; the Resilient Badge is a run-flat. CISPE's framing treats jurisdiction and capability as separate engineering problems with different remedies. SEAL-2 and SEAL-3, in CISPE's reading, average them into "a murky sovereignty score that averages the impossible with the irrelevant" ².

The operational stake is the Cloud and AI Development Act (CAIDA), which the Commission's delayed package is set to carry to adoption late this month. CAIDA will define "sovereign" infrastructure in EU law for the first time. If the binary survives drafting, the Commission's own SEAL-2 award to S3NS will have certified, under the predecessor regime, a provider the new statute excludes. Member of the European Parliament (MEP) Aura Salla, rapporteur on the parallel Digital Omnibus Regulation, was observed by Lowdown at the Brussels conference calling for full European tech sovereignty as soon as possible, a position more aggressive than Forum Europe's published "resilient interdependence" framing of the day. Her own website carries no post-conference statement; the most recent entry remains 16 April.

Deep Analysis

In plain English

Cloud computing means storing data and running software on someone else's servers, usually owned by large US companies like Amazon (AWS), Microsoft (Azure), or Google. European governments have grown uncomfortable with this because US law can compel those companies to hand over data, even when the servers sit physically in Europe. CISPE is a trade association of European cloud companies. On 24 April 2026 it launched a certification system that stamps European cloud services as either 'Sovereign' (fully under European control) or 'Resilient' (meeting minimum security standards). The European Commission has been developing its own certification called SEAL, but it has been slow. CISPE is essentially trying to set the standard first, before Brussels does, so that governments buy from European providers rather than waiting for official rules.

Deep Analysis

Root Causes

The Commission's SEAL process has no statutory deadline; it progresses under the Cybersecurity Act delegated act procedure, leaving a window of regulatory uncertainty that CISPE can occupy before a formal standard is codified.

CISPE members' revenue depends on displacing hyperscaler dominance in public-sector contracts. That gives the trade body a direct commercial incentive to define 'sovereignty' before Alphabet, Microsoft, and Amazon do so through their own EU-resident subsidiary structures.

The binary Sovereign/Resilient distinction fills a real procurement gap. Contracting authorities cannot compare a sovereign score of 6.7 against one of 7.1 without legal cover for that judgment, but they can act on a binary pass/fail under existing procurement procedures.

What could happen next?

Precedent
If CISPE certification becomes referenced in member-state procurement frameworks before SEAL is adopted, it sets a private-sector route to regulatory standing that other industry consortia will copy in AI and semiconductor standards.
Medium term · 0.72
Risk
Conflicting CISPE and SEAL frameworks in the same procurement window create legal uncertainty for contracting authorities that could delay or cancel tenders worth hundreds of millions of euros.
Short term · 0.78
Opportunity
European cloud providers with CISPE certification gain a six-to-twelve month head start on public-sector contract conversions before SEAL is finalised, particularly in Germany and France where government ministries have explicit EU-sovereignty procurement policies.
Short term · 0.81

Source Landscape

This story draws on neutral-leaning sources

Primary parallel: When the Payment Card Industry Data Security Standard (PCI-DSS) was established by Visa and Mastercard in 2004, it created a private certification regime that governments initially ignored, then adopted into public procurement frameworks over roughly six years. CISPE is attempting the same pre-emptive standard-setting before the Commission codifies SEAL.

Counter-parallel: The ISO 27001 cloud-security standard failed to displace EU-specific frameworks because member-state governments treated ISO certification as a minimum baseline, not a sovereignty marker. CISPE's framework faces the same ceiling: it can lower barriers to entry but cannot grant the regulatory standing that only Commission adoption provides.

The 40-plus certified services address a market Canalys estimates at €23bn in annual EU public-sector cloud spending (2025). If CISPE's framework achieves even partial government adoption, its members gain a procurement preference worth 15-20 percentage points of win-rate in competitive tenders, based on public-procurement preference effects observed after the US FedRAMP programme launched in 2011.

CISPE's portability requirement, which bars certified providers from charging switching fees, targets the switching-cost model hyperscalers use to retain public-sector customers. Bruegel estimates switching costs at 22-28% of total contract value for mid-size government workloads, making the portability clause commercially significant alongside the sovereignty label.

Consensus view: OpenForum Europe's Sachiko Muto argues the binary Sovereign/Resilient split is a practical advance on the Commission's SEAL score, because cloud procurement officers need a pass/fail verdict, not a continuous scoring variable that creates arbitrage opportunities for vendors willing to hover near the threshold.

Counter-view: Carnegie Europe's Yana Borshchevska contends that BYCYB (formerly LNE) certification against a private-sector framework does not carry the legal weight of a Commission-sanctioned conformity assessment under the Cybersecurity Act, meaning member-state procurement Teams in Germany and France face conflicting compliance obligations when both frameworks are referenced in the same contract notice.

Key tension: Whether a private-sector certification body can credibly substitute for Commission authority when public procurement law still defers to the EU Cybersecurity Act hierarchy.

First Reported In

Update #4 · CISPE moves first; Brussels misses again

IT Pro· 7 May 2026

Read original →

Causes and effects

Caused by

Commission awards sovereign cloud slot to Google joint venture

CISPE's sovereignty framework launched directly in response to its criticism of the S3NS SEAL-2 award as 'sovereignty washing', operationalising Mingorance's Making Sovereignty Verifiable keynote.

Occurred 17 Apr 2026

Read story →

This Event

CISPE ships rival sovereign cloud badge

The framework arrives in time to pre-empt the Commission's CAIDA definition of sovereign infrastructure, due 27 May, and operationalises the trade body's earlier charge that the Commission's own SEAL tiers are sovereignty washing.

Led to

Sovereignty package slips to 27 May

CISPE's framework launching the day after the summit makes the package's CAIDA sovereign-definition choice more consequential; each delay extends the window where CISPE's binary operates as the de facto standard.

Occurred 7 May 2026

Read story →

Different Perspectives

ASML / European tech industry

ASML's Q2 2026 guidance came in €300m below consensus as China DUV revenue collapsed 17 percentage points; the company's CEO wrote US export-control outcomes directly into 2026 guidance. European tech firms named on the USTR retaliation list alongside SAP, Siemens and Spotify face the same calculus: US trade exposure constrains what Brussels can legislate on their behalf.

France / Anne Le Henanff

Le Henanff chaired the G7 Digital Ministerial at Bercy on 29 May with CAIDA off the agenda, pivoting France's presidency to AI safety principles it had not designed the week around. France backs CAIDA but cannot override Berlin's tariff calculus, so the ministerial produced no new French-led commitment.

Germany / Federal government

Berlin's automotive sector faces up to $200bn in threatened US tariffs, a commercial exposure that dwarfs any benefit CAIDA's public-sector cloud rules would deliver to German digital firms. Federal silence inside the College of Commissioners functions as a block under consensus adoption rules without requiring a formal veto.

USTR / Ambassador Andrew Puzder

Puzder's public warning on 25 May that CAIDA is inconsistent with the EU-US trade framework was the first time Washington made its bilateral pressure visible before a Commission adoption vote rather than after. The USTR Section 301 determination on 24 July provides the enforcement backstop.

European Commission / Henna Virkkunen

Virkkunen framed the third slip as a procedural delay in finalising a 400-page text without addressing Puzder's trade-framework red line publicly. The Commission enforces existing law against Google while losing the legislative timeline on CAIDA, exposing an asymmetric position: enforcement holds; new sovereignty legislation does not.

OpenForum Europe / open-source community

The EUR 350m Sovereign Tech Fund has no Commission host, no budget line, and no commissioner's name attached six weeks after the April conference, while Germany is already paying maintainers to staff international standards bodies. The CRA open-source guidance resolves contributor liability but leaves the financial-donations grey area open with the 11 September reporting clock running.