10JUN

CISPE ships rival sovereign cloud badge

3 min read

10:31UTC

Cloud Infrastructure Services Providers in Europe (CISPE) launched a 40-plus service certification framework on Friday 24 April, one day after the Brussels summit closed and four weeks before the Commission writes 'sovereign' into EU statute.

← Back to Sovereignty law adopted; $40bn US chip buy Jump to analysis ↓

TechnologyDeveloping

Key takeaway

CISPE's binary sovereignty/resilience certification pre-empts the Commission's CAIDA definition four weeks before adoption.

Cloud Infrastructure Services Providers in Europe (CISPE) launched its Sovereign and Resilient Cloud Services Framework on Friday 24 April with 40-plus certified services, the morning after Sovereign Tech Europe closed in Brussels ¹. Francisco Mingorance, CISPE's Secretary General, gave the launch keynote, Making Sovereignty Verifiable. Four days earlier he had called the Commission's award of its €180m sovereign cloud framework to the Thales-Google joint venture S3NS at SEAL-2 (Sovereignty European Assurance Level, tier 2) "sovereignty washing" . Audits are run by BYCYB, the rebranded Laboratoire national de métrologie et d'essais, France's national metrology body.

The framework draws a binary the SEAL tiers blur. "Sovereign" means jurisdictional control: ownership, governance and operations inside the European Union, with no extraterritorial legal exposure. "Resilient" means technical control: safeguards against disruption. Mingorance reached for tyres on stage. The Sovereign Badge is a puncture-proof tyre; the Resilient Badge is a run-flat. CISPE's framing treats jurisdiction and capability as separate engineering problems with different remedies. SEAL-2 and SEAL-3, in CISPE's reading, average them into "a murky sovereignty score that averages the impossible with the irrelevant" ².

The operational stake is the Cloud and AI Development Act (CAIDA), which the Commission's delayed package is set to carry to adoption late this month. CAIDA will define "sovereign" infrastructure in EU law for the first time. If the binary survives drafting, the Commission's own SEAL-2 award to S3NS will have certified, under the predecessor regime, a provider the new statute excludes. Member of the European Parliament (MEP) Aura Salla, rapporteur on the parallel Digital Omnibus Regulation, was observed by Lowdown at the Brussels conference calling for full European tech sovereignty as soon as possible, a position more aggressive than Forum Europe's published "resilient interdependence" framing of the day. Her own website carries no post-conference statement; the most recent entry remains 16 April.

Deep Analysis

In plain English

Cloud computing means storing data and running software on someone else's servers, usually owned by large US companies like Amazon (AWS), Microsoft (Azure), or Google. European governments have grown uncomfortable with this because US law can compel those companies to hand over data, even when the servers sit physically in Europe. CISPE is a trade association of European cloud companies. On 24 April 2026 it launched a certification system that stamps European cloud services as either 'Sovereign' (fully under European control) or 'Resilient' (meeting minimum security standards). The European Commission has been developing its own certification called SEAL, but it has been slow. CISPE is essentially trying to set the standard first, before Brussels does, so that governments buy from European providers rather than waiting for official rules.

Deep Analysis

Root Causes

The Commission's SEAL process has no statutory deadline; it progresses under the Cybersecurity Act delegated act procedure, leaving a window of regulatory uncertainty that CISPE can occupy before a formal standard is codified.

CISPE members' revenue depends on displacing hyperscaler dominance in public-sector contracts. That gives the trade body a direct commercial incentive to define 'sovereignty' before Alphabet, Microsoft, and Amazon do so through their own EU-resident subsidiary structures.

The binary Sovereign/Resilient distinction fills a real procurement gap. Contracting authorities cannot compare a sovereign score of 6.7 against one of 7.1 without legal cover for that judgment, but they can act on a binary pass/fail under existing procurement procedures.

What could happen next?

Precedent
If CISPE certification becomes referenced in member-state procurement frameworks before SEAL is adopted, it sets a private-sector route to regulatory standing that other industry consortia will copy in AI and semiconductor standards.
Medium term · 0.72
Risk
Conflicting CISPE and SEAL frameworks in the same procurement window create legal uncertainty for contracting authorities that could delay or cancel tenders worth hundreds of millions of euros.
Short term · 0.78
Opportunity
European cloud providers with CISPE certification gain a six-to-twelve month head start on public-sector contract conversions before SEAL is finalised, particularly in Germany and France where government ministries have explicit EU-sovereignty procurement policies.
Short term · 0.81

Source Landscape

This story draws on neutral-leaning sources

Primary parallel: When the Payment Card Industry Data Security Standard (PCI-DSS) was established by Visa and Mastercard in 2004, it created a private certification regime that governments initially ignored, then adopted into public procurement frameworks over roughly six years. CISPE is attempting the same pre-emptive standard-setting before the Commission codifies SEAL.

Counter-parallel: The ISO 27001 cloud-security standard failed to displace EU-specific frameworks because member-state governments treated ISO certification as a minimum baseline, not a sovereignty marker. CISPE's framework faces the same ceiling: it can lower barriers to entry but cannot grant the regulatory standing that only Commission adoption provides.

The 40-plus certified services address a market Canalys estimates at €23bn in annual EU public-sector cloud spending (2025). If CISPE's framework achieves even partial government adoption, its members gain a procurement preference worth 15-20 percentage points of win-rate in competitive tenders, based on public-procurement preference effects observed after the US FedRAMP programme launched in 2011.

CISPE's portability requirement, which bars certified providers from charging switching fees, targets the switching-cost model hyperscalers use to retain public-sector customers. Bruegel estimates switching costs at 22-28% of total contract value for mid-size government workloads, making the portability clause commercially significant alongside the sovereignty label.

Consensus view: OpenForum Europe's Sachiko Muto argues the binary Sovereign/Resilient split is a practical advance on the Commission's SEAL score, because cloud procurement officers need a pass/fail verdict, not a continuous scoring variable that creates arbitrage opportunities for vendors willing to hover near the threshold.

Counter-view: Carnegie Europe's Yana Borshchevska contends that BYCYB (formerly LNE) certification against a private-sector framework does not carry the legal weight of a Commission-sanctioned conformity assessment under the Cybersecurity Act, meaning member-state procurement Teams in Germany and France face conflicting compliance obligations when both frameworks are referenced in the same contract notice.

Key tension: Whether a private-sector certification body can credibly substitute for Commission authority when public procurement law still defers to the EU Cybersecurity Act hierarchy.

First Reported In

Update #4 · CISPE moves first; Brussels misses again

IT Pro· 7 May 2026

Read original →

Causes and effects

Caused by

Commission awards sovereign cloud slot to Google joint venture

CISPE's sovereignty framework launched directly in response to its criticism of the S3NS SEAL-2 award as 'sovereignty washing', operationalising Mingorance's Making Sovereignty Verifiable keynote.

Occurred 17 Apr 2026

Read story →

This Event

CISPE ships rival sovereign cloud badge

The framework arrives in time to pre-empt the Commission's CAIDA definition of sovereign infrastructure, due 27 May, and operationalises the trade body's earlier charge that the Commission's own SEAL tiers are sovereignty washing.

Led to

Sovereignty package slips to 27 May

CISPE's framework launching the day after the summit makes the package's CAIDA sovereign-definition choice more consequential; each delay extends the window where CISPE's binary operates as the de facto standard.

Occurred 7 May 2026

Read story →

Different Perspectives

European cloud and open-source industry

European cloud providers gain a binding procurement mandate from CADA, confirmed by Gartner's $12.6bn sovereign-cloud figure for 2026. The $40bn Pax Silica commitment signals Brussels will not extend sovereignty discipline to the silicon layer, and the missing €350m Sovereign Tech Fund leaves open-source maintenance infrastructure unfunded beneath those same clouds.

United Kingdom

Science Secretary Kendall's £1.1bn Hardware Plan on 8 June chose demand-side instruments, advancing £150m to British chip startups via the British Business Bank, where Brussels chose supply-side alliance membership. Britain joined Pax Silica before the EU and has no collective EU procurement leverage; the Hardware Plan is the bilateral answer to the same silicon gap.

United States

Pax Silica, a State Department initiative launched in December 2025, secured EU membership the same afternoon Brussels adopted its cloud sovereignty law. Ambassador Puzder had named CADA a red line against the EU-US trade framework; the narrowed CADA scope and the $40bn chip commitment together represent the settlement Washington sought.

France

France was the only EU state to oppose Pax Silica accession at COREPER on 3 June, asking the Commission to clarify the Council's steering role inside the alliance. Paris backed CADA and hosts Mistral AI; a $40bn US-chip commitment contractually narrows the commercial space for the sovereign AI model that France is trying to scale.

European Commission

Von der Leyen framed CADA on 3 June as keeping 'most of our market open to like-minded partners', and the Commission's EVP Virkkunen simultaneously required majority-European ownership for the €4.12bn AI Gigafactories call. Brussels is managing rather than resolving the silicon dependency by asserting regulatory control at the cloud layer while formalising the chip relationship through Pax Silica.

European Central Bank

The ECB's digital euro pilot drew more than 50 PSP applications and is naming 10 to 30 participants in July, advancing on its own monetary mandate without requiring a Commission act. Its trajectory this week is the inverse of CAIDA's: the sovereignty instrument that restricts no US firm is the only one keeping its published calendar.