8JUN

CISPE ships rival sovereign cloud badge

3 min read

09:58UTC

Cloud Infrastructure Services Providers in Europe (CISPE) launched a 40-plus service certification framework on Friday 24 April, one day after the Brussels summit closed and four weeks before the Commission writes 'sovereign' into EU statute.

← Back to Trump said don't strike; Israel struck Iran Jump to analysis ↓

ConflictDeveloping

Key takeaway

CISPE's binary sovereignty/resilience certification pre-empts the Commission's CAIDA definition four weeks before adoption.

Cloud Infrastructure Services Providers in Europe (CISPE) launched its Sovereign and Resilient Cloud Services Framework on Friday 24 April with 40-plus certified services, the morning after Sovereign Tech Europe closed in Brussels ¹. Francisco Mingorance, CISPE's Secretary General, gave the launch keynote, Making Sovereignty Verifiable. Four days earlier he had called the Commission's award of its €180m sovereign cloud framework to the Thales-Google joint venture S3NS at SEAL-2 (Sovereignty European Assurance Level, tier 2) "sovereignty washing" . Audits are run by BYCYB, the rebranded Laboratoire national de métrologie et d'essais, France's national metrology body.

The framework draws a binary the SEAL tiers blur. "Sovereign" means jurisdictional control: ownership, governance and operations inside the European Union, with no extraterritorial legal exposure. "Resilient" means technical control: safeguards against disruption. Mingorance reached for tyres on stage. The Sovereign Badge is a puncture-proof tyre; the Resilient Badge is a run-flat. CISPE's framing treats jurisdiction and capability as separate engineering problems with different remedies. SEAL-2 and SEAL-3, in CISPE's reading, average them into "a murky sovereignty score that averages the impossible with the irrelevant" ².

The operational stake is the Cloud and AI Development Act (CAIDA), which the Commission's delayed package is set to carry to adoption late this month. CAIDA will define "sovereign" infrastructure in EU law for the first time. If the binary survives drafting, the Commission's own SEAL-2 award to S3NS will have certified, under the predecessor regime, a provider the new statute excludes. Member of the European Parliament (MEP) Aura Salla, rapporteur on the parallel Digital Omnibus Regulation, was observed by Lowdown at the Brussels conference calling for full European tech sovereignty as soon as possible, a position more aggressive than Forum Europe's published "resilient interdependence" framing of the day. Her own website carries no post-conference statement; the most recent entry remains 16 April.

Deep Analysis

In plain English

Cloud computing means storing data and running software on someone else's servers, usually owned by large US companies like Amazon (AWS), Microsoft (Azure), or Google. European governments have grown uncomfortable with this because US law can compel those companies to hand over data, even when the servers sit physically in Europe. CISPE is a trade association of European cloud companies. On 24 April 2026 it launched a certification system that stamps European cloud services as either 'Sovereign' (fully under European control) or 'Resilient' (meeting minimum security standards). The European Commission has been developing its own certification called SEAL, but it has been slow. CISPE is essentially trying to set the standard first, before Brussels does, so that governments buy from European providers rather than waiting for official rules.

Deep Analysis

Root Causes

The Commission's SEAL process has no statutory deadline; it progresses under the Cybersecurity Act delegated act procedure, leaving a window of regulatory uncertainty that CISPE can occupy before a formal standard is codified.

CISPE members' revenue depends on displacing hyperscaler dominance in public-sector contracts. That gives the trade body a direct commercial incentive to define 'sovereignty' before Alphabet, Microsoft, and Amazon do so through their own EU-resident subsidiary structures.

The binary Sovereign/Resilient distinction fills a real procurement gap. Contracting authorities cannot compare a sovereign score of 6.7 against one of 7.1 without legal cover for that judgment, but they can act on a binary pass/fail under existing procurement procedures.

What could happen next?

Precedent
If CISPE certification becomes referenced in member-state procurement frameworks before SEAL is adopted, it sets a private-sector route to regulatory standing that other industry consortia will copy in AI and semiconductor standards.
Medium term · 0.72
Risk
Conflicting CISPE and SEAL frameworks in the same procurement window create legal uncertainty for contracting authorities that could delay or cancel tenders worth hundreds of millions of euros.
Short term · 0.78
Opportunity
European cloud providers with CISPE certification gain a six-to-twelve month head start on public-sector contract conversions before SEAL is finalised, particularly in Germany and France where government ministries have explicit EU-sovereignty procurement policies.
Short term · 0.81

Source Landscape

This story draws on neutral-leaning sources

Primary parallel: When the Payment Card Industry Data Security Standard (PCI-DSS) was established by Visa and Mastercard in 2004, it created a private certification regime that governments initially ignored, then adopted into public procurement frameworks over roughly six years. CISPE is attempting the same pre-emptive standard-setting before the Commission codifies SEAL.

Counter-parallel: The ISO 27001 cloud-security standard failed to displace EU-specific frameworks because member-state governments treated ISO certification as a minimum baseline, not a sovereignty marker. CISPE's framework faces the same ceiling: it can lower barriers to entry but cannot grant the regulatory standing that only Commission adoption provides.

The 40-plus certified services address a market Canalys estimates at €23bn in annual EU public-sector cloud spending (2025). If CISPE's framework achieves even partial government adoption, its members gain a procurement preference worth 15-20 percentage points of win-rate in competitive tenders, based on public-procurement preference effects observed after the US FedRAMP programme launched in 2011.

CISPE's portability requirement, which bars certified providers from charging switching fees, targets the switching-cost model hyperscalers use to retain public-sector customers. Bruegel estimates switching costs at 22-28% of total contract value for mid-size government workloads, making the portability clause commercially significant alongside the sovereignty label.

Consensus view: OpenForum Europe's Sachiko Muto argues the binary Sovereign/Resilient split is a practical advance on the Commission's SEAL score, because cloud procurement officers need a pass/fail verdict, not a continuous scoring variable that creates arbitrage opportunities for vendors willing to hover near the threshold.

Counter-view: Carnegie Europe's Yana Borshchevska contends that BYCYB (formerly LNE) certification against a private-sector framework does not carry the legal weight of a Commission-sanctioned conformity assessment under the Cybersecurity Act, meaning member-state procurement Teams in Germany and France face conflicting compliance obligations when both frameworks are referenced in the same contract notice.

Key tension: Whether a private-sector certification body can credibly substitute for Commission authority when public procurement law still defers to the EU Cybersecurity Act hierarchy.

First Reported In

Update #4 · CISPE moves first; Brussels misses again

IT Pro· 7 May 2026

Read original →

Causes and effects

Caused by

Commission awards sovereign cloud slot to Google joint venture

CISPE's sovereignty framework launched directly in response to its criticism of the S3NS SEAL-2 award as 'sovereignty washing', operationalising Mingorance's Making Sovereignty Verifiable keynote.

Occurred 17 Apr 2026

Read story →

This Event

CISPE ships rival sovereign cloud badge

The framework arrives in time to pre-empt the Commission's CAIDA definition of sovereign infrastructure, due 27 May, and operationalises the trade body's earlier charge that the Commission's own SEAL tiers are sovereignty washing.

Led to

Sovereignty package slips to 27 May

CISPE's framework launching the day after the summit makes the package's CAIDA sovereign-definition choice more consequential; each delay extends the window where CISPE's binary operates as the de facto standard.

Occurred 7 May 2026

Read story →

Different Perspectives

Bahrain / Gulf partners

Bahrain's PAC-3 interceptor magazine sits at 87% depletion after absorbing IRGC salvos aimed at US bases; no resupply is scheduled before 2027, concentrating the intercept burden on US assets and Israeli Iron Dome and Arrow-3.

IAEA / Vienna process

IAEA officials cited proliferation concerns over 440.9 kg of HEU unaccounted for after 97 days without inspector access; the Board session that opened 8 June cannot retroactively close the evidentiary gap its own resolution documents.

China

China absorbed the Shanghai Qianye designation by OFAC and opposes censure at the IAEA Board, arguing the verification gap was created by strikes rather than Iranian non-compliance, a framing it shares with Russia to protect the non-Western bloc's Board votes.

Russia

Putin reaffirmed at SPIEF on 6 June his offer to hold Iran's uranium stockpile as custodian, a proposal the IAEA's 97-day verification gap now renders undeliverable: no one can transfer or confirm a stockpile that has not been inspected.

United States / Trump administration

Trump publicly asked Netanyahu not to retaliate and described a deal as 95% done; Rubio then acknowledged enrichment terms could take months. The 24-hour gap between the request and the Mahshahr strike removes the credible-restraint argument from US diplomatic leverage with Tehran.

Israel / Netanyahu government

Netanyahu struck the Mahshahr complex and missile sites inside Iran within 24 hours of Trump's public no-retaliation request, a second kinetic override of US counsel that confirms Israel will not allow Tehran to dictate the terms of the exchange.