22MAR

CISPE ships rival sovereign cloud badge

3 min read

05:50UTC

Cloud Infrastructure Services Providers in Europe (CISPE) launched a 40-plus service certification framework on Friday 24 April, one day after the Brussels summit closed and four weeks before the Commission writes 'sovereign' into EU statute.

← Back to Trump: 48 hours to destroy Iran power grid Jump to analysis ↓

ConflictDeveloping

Key takeaway

CISPE's binary sovereignty/resilience certification pre-empts the Commission's CAIDA definition four weeks before adoption.

Cloud Infrastructure Services Providers in Europe (CISPE) launched its Sovereign and Resilient Cloud Services Framework on Friday 24 April with 40-plus certified services, the morning after Sovereign Tech Europe closed in Brussels ¹. Francisco Mingorance, CISPE's Secretary General, gave the launch keynote, Making Sovereignty Verifiable. Four days earlier he had called the Commission's award of its €180m sovereign cloud framework to the Thales-Google joint venture S3NS at SEAL-2 (Sovereignty European Assurance Level, tier 2) "sovereignty washing" . Audits are run by BYCYB, the rebranded Laboratoire national de métrologie et d'essais, France's national metrology body.

The framework draws a binary the SEAL tiers blur. "Sovereign" means jurisdictional control: ownership, governance and operations inside the European Union, with no extraterritorial legal exposure. "Resilient" means technical control: safeguards against disruption. Mingorance reached for tyres on stage. The Sovereign Badge is a puncture-proof tyre; the Resilient Badge is a run-flat. CISPE's framing treats jurisdiction and capability as separate engineering problems with different remedies. SEAL-2 and SEAL-3, in CISPE's reading, average them into "a murky sovereignty score that averages the impossible with the irrelevant" ².

The operational stake is the Cloud and AI Development Act (CAIDA), which the Commission's delayed package is set to carry to adoption late this month. CAIDA will define "sovereign" infrastructure in EU law for the first time. If the binary survives drafting, the Commission's own SEAL-2 award to S3NS will have certified, under the predecessor regime, a provider the new statute excludes. Member of the European Parliament (MEP) Aura Salla, rapporteur on the parallel Digital Omnibus Regulation, was observed by Lowdown at the Brussels conference calling for full European tech sovereignty as soon as possible, a position more aggressive than Forum Europe's published "resilient interdependence" framing of the day. Her own website carries no post-conference statement; the most recent entry remains 16 April.

Deep Analysis

In plain English

Cloud computing means storing data and running software on someone else's servers, usually owned by large US companies like Amazon (AWS), Microsoft (Azure), or Google. European governments have grown uncomfortable with this because US law can compel those companies to hand over data, even when the servers sit physically in Europe. CISPE is a trade association of European cloud companies. On 24 April 2026 it launched a certification system that stamps European cloud services as either 'Sovereign' (fully under European control) or 'Resilient' (meeting minimum security standards). The European Commission has been developing its own certification called SEAL, but it has been slow. CISPE is essentially trying to set the standard first, before Brussels does, so that governments buy from European providers rather than waiting for official rules.

Deep Analysis

Root Causes

The Commission's SEAL process has no statutory deadline; it progresses under the Cybersecurity Act delegated act procedure, leaving a window of regulatory uncertainty that CISPE can occupy before a formal standard is codified.

CISPE members' revenue depends on displacing hyperscaler dominance in public-sector contracts. That gives the trade body a direct commercial incentive to define 'sovereignty' before Alphabet, Microsoft, and Amazon do so through their own EU-resident subsidiary structures.

The binary Sovereign/Resilient distinction fills a real procurement gap. Contracting authorities cannot compare a sovereign score of 6.7 against one of 7.1 without legal cover for that judgment, but they can act on a binary pass/fail under existing procurement procedures.

What could happen next?

Precedent
If CISPE certification becomes referenced in member-state procurement frameworks before SEAL is adopted, it sets a private-sector route to regulatory standing that other industry consortia will copy in AI and semiconductor standards.
Medium term · 0.72
Risk
Conflicting CISPE and SEAL frameworks in the same procurement window create legal uncertainty for contracting authorities that could delay or cancel tenders worth hundreds of millions of euros.
Short term · 0.78
Opportunity
European cloud providers with CISPE certification gain a six-to-twelve month head start on public-sector contract conversions before SEAL is finalised, particularly in Germany and France where government ministries have explicit EU-sovereignty procurement policies.
Short term · 0.81

Source Landscape

This story draws on neutral-leaning sources

Primary parallel: When the Payment Card Industry Data Security Standard (PCI-DSS) was established by Visa and Mastercard in 2004, it created a private certification regime that governments initially ignored, then adopted into public procurement frameworks over roughly six years. CISPE is attempting the same pre-emptive standard-setting before the Commission codifies SEAL.

Counter-parallel: The ISO 27001 cloud-security standard failed to displace EU-specific frameworks because member-state governments treated ISO certification as a minimum baseline, not a sovereignty marker. CISPE's framework faces the same ceiling: it can lower barriers to entry but cannot grant the regulatory standing that only Commission adoption provides.

The 40-plus certified services address a market Canalys estimates at €23bn in annual EU public-sector cloud spending (2025). If CISPE's framework achieves even partial government adoption, its members gain a procurement preference worth 15-20 percentage points of win-rate in competitive tenders, based on public-procurement preference effects observed after the US FedRAMP programme launched in 2011.

CISPE's portability requirement, which bars certified providers from charging switching fees, targets the switching-cost model hyperscalers use to retain public-sector customers. Bruegel estimates switching costs at 22-28% of total contract value for mid-size government workloads, making the portability clause commercially significant alongside the sovereignty label.

Consensus view: OpenForum Europe's Sachiko Muto argues the binary Sovereign/Resilient split is a practical advance on the Commission's SEAL score, because cloud procurement officers need a pass/fail verdict, not a continuous scoring variable that creates arbitrage opportunities for vendors willing to hover near the threshold.

Counter-view: Carnegie Europe's Yana Borshchevska contends that BYCYB (formerly LNE) certification against a private-sector framework does not carry the legal weight of a Commission-sanctioned conformity assessment under the Cybersecurity Act, meaning member-state procurement Teams in Germany and France face conflicting compliance obligations when both frameworks are referenced in the same contract notice.

Key tension: Whether a private-sector certification body can credibly substitute for Commission authority when public procurement law still defers to the EU Cybersecurity Act hierarchy.

First Reported In

Update #4 · CISPE moves first; Brussels misses again

IT Pro· 7 May 2026

Read original →

Causes and effects

Caused by

Commission awards sovereign cloud slot to Google joint venture

CISPE's sovereignty framework launched directly in response to its criticism of the S3NS SEAL-2 award as 'sovereignty washing', operationalising Mingorance's Making Sovereignty Verifiable keynote.

Occurred 17 Apr 2026

Read story →

This Event

CISPE ships rival sovereign cloud badge

The framework arrives in time to pre-empt the Commission's CAIDA definition of sovereign infrastructure, due 27 May, and operationalises the trade body's earlier charge that the Commission's own SEAL tiers are sovereignty washing.

Led to

Sovereignty package slips to 27 May

CISPE's framework launching the day after the summit makes the package's CAIDA sovereign-definition choice more consequential; each delay extends the window where CISPE's binary operates as the de facto standard.

Occurred 7 May 2026

Read story →

Different Perspectives

IAEA

Director General Rafael Grossi appeared in person at the UNSC on 19 May and warned that a direct hit on an operating reactor 'could result in very high release of radioactivity'. The session produced a condemnation record but no resolution, and the Barakah perimeter was already struck on 17 May.

Hengaw (Kurdish rights monitor)

Hengaw documented three judicial executions and the detention of Kurdish writer Majid Karimi in Tehran on 19 May, establishing Khorasan Razavi province as the newest geography in Iran's wartime judicial record. The organisation's Norway-based operation continues to surface a domestic repression track running in parallel with every diplomatic and military development.

India

Six India-flagged vessels conducted a coordinated cluster transit under PGSA bilateral assurances during the 17 May window, paying no yuan tolls. New Delhi's inclusion in Iran's state-to-state passage track insulates Indian energy supply without requiring endorsement of the PGSA's yuan-toll architecture or alignment with the US coalition.

Pakistan

Pakistan is the only functioning diplomatic bridge between Tehran and Washington. Its role is relay, not mediation in the settlement sense: it conveyed Iran's 10-point counter-MOU in early May, relayed the US rejection, and is now passing 'corrective points' in the third documented exchange of this sub-cycle without either side working from a shared text.

UK and France (Northwood coalition)

Twenty-six coalition members have published no rules of engagement eight days after the Bahrain joint statement; Lloyd's underwriters have conditioned war-risk reopening on written ROE from either Iran or the coalition. Italian and French mine-countermeasures deployments are operating on the in-water clearance task CENTCOM Admiral Brad Cooper's 90% mine-stockpile claim does not address.

Saudi Arabia

Riyadh has not publicly commented on the Barakah strike or the 50-47 discharge vote. Saudi output feeds the IEA's $106 base case; the $5 Brent premium above that model reflects institutional uncertainty no Gulf producer can compress through supply adjustment alone.