3MAY

CISPE ships rival sovereign cloud badge

3 min read

10:26UTC

Cloud Infrastructure Services Providers in Europe (CISPE) launched a 40-plus service certification framework on Friday 24 April, one day after the Brussels summit closed and four weeks before the Commission writes 'sovereign' into EU statute.

← Back to China blocks OFAC; Iran writes; Trump tweets Jump to analysis ↓

ConflictDeveloping

Key takeaway

CISPE's binary sovereignty/resilience certification pre-empts the Commission's CAIDA definition four weeks before adoption.

Cloud Infrastructure Services Providers in Europe (CISPE) launched its Sovereign and Resilient Cloud Services Framework on Friday 24 April with 40-plus certified services, the morning after Sovereign Tech Europe closed in Brussels ¹. Francisco Mingorance, CISPE's Secretary General, gave the launch keynote, Making Sovereignty Verifiable. Four days earlier he had called the Commission's award of its €180m sovereign cloud framework to the Thales-Google joint venture S3NS at SEAL-2 (Sovereignty European Assurance Level, tier 2) "sovereignty washing" . Audits are run by BYCYB, the rebranded Laboratoire national de métrologie et d'essais, France's national metrology body.

The framework draws a binary the SEAL tiers blur. "Sovereign" means jurisdictional control: ownership, governance and operations inside the European Union, with no extraterritorial legal exposure. "Resilient" means technical control: safeguards against disruption. Mingorance reached for tyres on stage. The Sovereign Badge is a puncture-proof Tyre; the Resilient Badge is a run-flat. CISPE's framing treats jurisdiction and capability as separate engineering problems with different remedies. SEAL-2 and SEAL-3, in CISPE's reading, average them into "a murky sovereignty score that averages the impossible with the irrelevant" ².

The operational stake is the Cloud and AI Development Act (CAIDA), which the Commission's delayed package is set to carry to adoption late this month. CAIDA will define "sovereign" infrastructure in EU law for the first time. If the binary survives drafting, the Commission's own SEAL-2 award to S3NS will have certified, under the predecessor regime, a provider the new statute excludes. Member of the European Parliament (MEP) Aura Salla, rapporteur on the parallel Digital Omnibus Regulation, was observed by Lowdown at the Brussels conference calling for full European tech sovereignty as soon as possible, a position more aggressive than Forum Europe's published "resilient interdependence" framing of the day. Her own website carries no post-conference statement; the most recent entry remains 16 April.

Deep Analysis

In plain English

Cloud computing means storing data and running software on someone else's servers, usually owned by large US companies like Amazon (AWS), Microsoft (Azure), or Google. European governments have grown uncomfortable with this because US law can compel those companies to hand over data, even when the servers sit physically in Europe. CISPE is a trade association of European cloud companies. On 24 April 2026 it launched a certification system that stamps European cloud services as either 'Sovereign' (fully under European control) or 'Resilient' (meeting minimum security standards). The European Commission has been developing its own certification called SEAL, but it has been slow. CISPE is essentially trying to set the standard first, before Brussels does, so that governments buy from European providers rather than waiting for official rules.

Deep Analysis

Root Causes

The Commission's SEAL process has no statutory deadline; it progresses under the Cybersecurity Act delegated act procedure, leaving a window of regulatory uncertainty that CISPE can occupy before a formal standard is codified.

CISPE members' revenue depends on displacing hyperscaler dominance in public-sector contracts. That gives the trade body a direct commercial incentive to define 'sovereignty' before Alphabet, Microsoft, and Amazon do so through their own EU-resident subsidiary structures.

The binary Sovereign/Resilient distinction fills a real procurement gap. Contracting authorities cannot compare a sovereign score of 6.7 against one of 7.1 without legal cover for that judgment, but they can act on a binary pass/fail under existing procurement procedures.

What could happen next?

Precedent
If CISPE certification becomes referenced in member-state procurement frameworks before SEAL is adopted, it sets a private-sector route to regulatory standing that other industry consortia will copy in AI and semiconductor standards.
Medium term · 0.72
Risk
Conflicting CISPE and SEAL frameworks in the same procurement window create legal uncertainty for contracting authorities that could delay or cancel tenders worth hundreds of millions of euros.
Short term · 0.78
Opportunity
European cloud providers with CISPE certification gain a six-to-twelve month head start on public-sector contract conversions before SEAL is finalised, particularly in Germany and France where government ministries have explicit EU-sovereignty procurement policies.
Short term · 0.81

Source Landscape

This story draws on neutral-leaning sources

Primary parallel: When the Payment Card Industry Data Security Standard (PCI-DSS) was established by Visa and Mastercard in 2004, it created a private certification regime that governments initially ignored, then adopted into public procurement frameworks over roughly six years. CISPE is attempting the same pre-emptive standard-setting before the Commission codifies SEAL.

Counter-parallel: The ISO 27001 cloud-security standard failed to displace EU-specific frameworks because member-state governments treated ISO certification as a minimum baseline, not a sovereignty marker. CISPE's framework faces the same ceiling: it can lower barriers to entry but cannot grant the regulatory standing that only Commission adoption provides.

The 40-plus certified services address a market Canalys estimates at €23bn in annual EU public-sector cloud spending (2025). If CISPE's framework achieves even partial government adoption, its members gain a procurement preference worth 15-20 percentage points of win-rate in competitive tenders, based on public-procurement preference effects observed after the US FedRAMP programme launched in 2011.

CISPE's portability requirement, which bars certified providers from charging switching fees, targets the switching-cost model hyperscalers use to retain public-sector customers. Bruegel estimates switching costs at 22-28% of total contract value for mid-size government workloads, making the portability clause commercially significant alongside the sovereignty label.

Consensus view: OpenForum Europe's Sachiko Muto argues the binary Sovereign/Resilient split is a practical advance on the Commission's SEAL score, because cloud procurement officers need a pass/fail verdict, not a continuous scoring variable that creates arbitrage opportunities for vendors willing to hover near the threshold.

Counter-view: Carnegie Europe's Yana Borshchevska contends that BYCYB (formerly LNE) certification against a private-sector framework does not carry the legal weight of a Commission-sanctioned conformity assessment under the Cybersecurity Act, meaning member-state procurement Teams in Germany and France face conflicting compliance obligations when both frameworks are referenced in the same contract notice.

Key tension: Whether a private-sector certification body can credibly substitute for Commission authority when public procurement law still defers to the EU Cybersecurity Act hierarchy.

First Reported In

Update #4 · CISPE moves first; Brussels misses again

IT Pro· 7 May 2026

Read original →

Causes and effects

Caused by

Commission awards sovereign cloud slot to Google joint venture

CISPE's sovereignty framework launched directly in response to its criticism of the S3NS SEAL-2 award as 'sovereignty washing', operationalising Mingorance's Making Sovereignty Verifiable keynote.

Occurred 17 Apr 2026

Read story →

This Event

CISPE ships rival sovereign cloud badge

The framework arrives in time to pre-empt the Commission's CAIDA definition of sovereign infrastructure, due 27 May, and operationalises the trade body's earlier charge that the Commission's own SEAL tiers are sovereignty washing.

Led to

Sovereignty package slips to 27 May

CISPE's framework launching the day after the summit makes the package's CAIDA sovereign-definition choice more consequential; each delay extends the window where CISPE's binary operates as the de facto standard.

Occurred 7 May 2026

Read story →

Different Perspectives

Gulf shipping and insurance markets

With Hormuz and Bab el-Mandeb both hostile at once, war-risk underwriters face their first dual-chokepoint pricing problem; the rerouting hedge that absorbed one closure is gone for Israeli-linked hulls. Any deal that reopens Hormuz without a Houthi stand-down clause delivers only partial shipping relief.

Russia and China

Russia and China met IAEA chief Grossi jointly in Geneva on 5 June to coordinate an advance blocking position against Washington's censure resolution, the first documented instance of proactive pre-session obstruction rather than reactive post-vote dissent. Beijing's move came four days after OFAC designated Shanghai Qianye Energy under Iran energy sanctions.

Saudi Arabia

Saudi Arabia was left out of the emergency $4.01 billion Patriot waiver Qatar received on 2 May as its own PAC-3 stocks ran near-empty from intercepting Iranian salvoes over Aramco facilities. Riyadh is on a standard 18-month FMS queue behind a production line booked through 2030, with no equivalent priority to Qatar's Al Udeid basing role.

Houthis (Ansar Allah)

The Houthis declared a complete ban on Israeli Red Sea navigation on 8 June and struck Jaffa, their first attack on Israeli territory since April, seven days after the Tasnim authorisation to activate other fronts including Bab el-Mandeb. The declaration put both chokepoints under hostile authority simultaneously.

Iran

Iran agreed the 9 June mutual halt after the Mahshahr exchange and coordinated with Russia and China to block Washington's IAEA censure resolution, using the Board as a second front while the bilateral pause held on the military one. Tehran's acceptance of the Lebanon carve-out contradicts the linkage position it stated on 1 June.

Benjamin Netanyahu and the IDF

Israel struck the Karun Petrochemical plant at Mahshahr on 8 June over Trump's explicit objection, then agreed a halt with Iran the following day scoped on Israeli terms with Lebanon carved out. Netanyahu's posture is that the IDF will not accept Iranian missile factories as off-limits regardless of US diplomatic timelines.