EU Digital Sovereignty: What It Actually Means and Why It Matters Now
A practical guide to EU digital sovereignty in 2026. Understand the SEAL framework levels, why US cloud providers cannot achieve full sovereignty, and what European alternatives exist — from Nextcloud to sovereign hosting.
By runtiq Team
Europe is in a sovereignty moment. NIS2, DORA, the EU Cloud Sovereignty Framework, Gaia-X — all converging at once. For the first time, there are real consequences for depending on US infrastructure. This post explains what sovereignty actually means, how it is measured, and what you can do about it.
What Is Digital Sovereignty?
Digital sovereignty means control over your data, your infrastructure, and the legal framework governing both. It is not just “data stays in the EU.” It means no foreign government can compel access to your data.
The core problem is the CLOUD Act. US companies can be compelled under the CLOUD Act to disclose data to US authorities regardless of where the servers are physically located. This applies to AWS, Azure, GCP, Microsoft 365, and Google Workspace — even if you select an EU region. FISA 702 adds another layer: US intelligence agencies can access data held by US-controlled companies without a court order.
Selecting eu-central-1 in Frankfurt does not change this. The server is in Germany. The company is in the United States.
The EU Cloud Sovereignty Framework
The European Commission published the Cloud Sovereignty Framework (v1.2.1, October 2025) to define what sovereignty means in concrete, measurable terms. It is built on two components: eight Sovereignty Objectives (SOV-1 to SOV-8) that define what is measured, and five Sovereignty Effective Assurance Levels (SEAL-0 to SEAL-4) that define how well each objective is met.
The 8 Sovereignty Objectives
Each cloud provider is assessed across eight dimensions. According to the framework specification (v1.2.1), each objective carries a weight in the overall Sovereignty Score:
| # | Objective | What It Measures | Weight |
|---|---|---|---|
| SOV-1 | Strategic Sovereignty | EU anchoring, governance, ownership stability | 15% |
| SOV-2 | Legal & Jurisdictional | Protection from foreign laws (CLOUD Act, FISA 702) | 10% |
| SOV-3 | Data & AI Sovereignty | Control over data, encryption keys, AI models within EU | 10% |
| SOV-4 | Operational Sovereignty | Ability to run and maintain technology with EU staff only | 15% |
| SOV-5 | Supply Chain Sovereignty | Origin and transparency of hardware/software components | 20% |
| SOV-6 | Technology Sovereignty | Open standards, interoperability, no vendor lock-in | 15% |
| SOV-7 | Security & Compliance | NIS2, DORA, GDPR compliance, EU-based security operations | 10% |
| SOV-8 | Environmental Sustainability | Energy efficiency, carbon footprint, circular economy | 5% |
Supply Chain Sovereignty (SOV-5) carries the highest weight at 20%. This reflects the EU’s focus on reducing dependency on non-EU hardware and software — a lesson from semiconductor shortages and concerns about firmware-level vulnerabilities in non-EU equipment. Technology Sovereignty (SOV-6) at 15% rewards open-source and open-standards approaches. Together, these two objectives account for 35% of the total score.
SEAL Levels: How Well Each Objective Is Met
Each provider receives a SEAL level per SOV objective. The overall Sovereignty Score is a weighted sum across all eight objectives.
| Level | Name | Description |
|---|---|---|
| SEAL-0 | No Sovereignty | Service under exclusive control of non-EU third parties, governed entirely in non-EU jurisdictions |
| SEAL-1 | Jurisdictional Sovereignty | EU law formally applies but with limited practical enforceability; service still controlled by non-EU parties |
| SEAL-2 | Data Sovereignty | EU law applicable and enforceable, but material non-EU dependencies remain |
| SEAL-3 | Digital Resilience | EU law enforceable, EU actors exercise meaningful but not full influence; marginal non-EU control |
| SEAL-4 | Full Digital Sovereignty | Complete EU control, subject only to EU law, no critical non-EU dependencies |
The Sovereignty Score is used as an award criterion in EU procurement, meaning providers with higher sovereignty scores have a competitive advantage in public tenders.
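The weighted sum described above, as an added example that is not part of the original post or of the framework specification. The weights come from the objectives table; the mapping of a SEAL-n rating to n/4 of an objective's weight and the provider profile are assumptions constructed for illustration.

```python
# Added illustration. Weights are taken from the objectives table above;
# the SEAL-to-score mapping and the sample profile are assumptions.
WEIGHTS = {  # percent weight per Sovereignty Objective
    "SOV-1": 15, "SOV-2": 10, "SOV-3": 10, "SOV-4": 15,
    "SOV-5": 20, "SOV-6": 15, "SOV-7": 10, "SOV-8": 5,
}
MAX_SEAL = 4
assert sum(WEIGHTS.values()) == 100  # the table's weights must cover 100%

# Constructed profile of a hypothetical provider (not a real assessment).
EXAMPLE_PROFILE = {
    "SOV-1": 1, "SOV-2": 1, "SOV-3": 2, "SOV-4": 2,
    "SOV-5": 1, "SOV-6": 3, "SOV-7": 4, "SOV-8": 4,
}


def sovereignty_score(seal_levels):
    """Weighted sum in percent. ASSUMPTION: SEAL-n earns n/4 of the weight."""
    if set(seal_levels) != set(WEIGHTS):
        diff = sorted(set(WEIGHTS) ^ set(seal_levels))
        raise ValueError(f"objectives missing or unknown: {diff}")
    for sov, level in seal_levels.items():
        if level not in range(MAX_SEAL + 1):
            raise ValueError(f"{sov}: SEAL level must be 0..4, got {level!r}")
    return sum(WEIGHTS[s] * seal_levels[s] / MAX_SEAL for s in WEIGHTS)


def weakest_objectives(seal_levels):
    """Lowest SEAL level and the objectives rated at it; a total can hide these."""
    low = min(seal_levels.values())
    return low, sorted(s for s, lvl in seal_levels.items() if lvl == low)


def best_single_upgrade(seal_levels):
    """Objective where a one-level improvement adds the most score, and the gain."""
    open_objs = [s for s in sorted(WEIGHTS) if seal_levels[s] < MAX_SEAL]
    if not open_objs:
        return None
    best = max(open_objs, key=lambda s: WEIGHTS[s])  # first name wins on ties
    return best, WEIGHTS[best] / MAX_SEAL


if __name__ == "__main__":
    print("score:", sovereignty_score(EXAMPLE_PROFILE))
    print("weakest:", weakest_objectives(EXAMPLE_PROFILE))
    print("best upgrade:", best_single_upgrade(EXAMPLE_PROFILE))
```

Reporting the weakest objectives next to the total matters because a provider can reach a mid-range score while still sitting at a low SEAL level on the legal and supply-chain objectives.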
The SEAL framework matters because EU procurement is starting to require specific levels and to reference SEAL levels as evaluation criteria. The EU Commission’s Cloud III framework (valued at up to €180 million) includes sovereignty requirements aligned with the SEAL framework; see the Cloud III tender documentation for details. NIS2 supply chain requirements push companies to verify their providers’ sovereignty level. Regulated industries are already being asked by auditors: “What SEAL level is your cloud provider?”
See the full Cloud Sovereignty Framework v1.2.1 (October 2025) for the official specification.
The European Momentum
The numbers are significant. Sovereign cloud spending in Europe is projected to triple from €6.9B in 2025 to €23.1B in 2027. Importantly, 80% of this spend goes to new workloads — not migrations. This is a greenfield opportunity, not a painful transition.
The regulatory pressure is real and growing:
- NIS2 affects 160,000+ companies across the EU (30,000+ in Germany alone), with mandatory supply chain security requirements
- DORA makes financial sector infrastructure compliance mandatory from January 2025
- EU Cloud Rulebook, EUCS certification scheme, and Gaia-X trust framework are all creating a regulatory push toward sovereignty
Companies are already being asked by customers and auditors: “Where is your data? Who can access it? Under which jurisdiction?” These are no longer theoretical questions.
Beyond Cloud: Sovereignty in Your Daily Tools
Sovereignty is not just about where your servers run. It is about every tool your team uses daily. Here is a practical overview of European and open-source alternatives.
Email
| Current Tool | Sovereign Alternative | Notes |
|---|---|---|
| Microsoft 365 / Outlook | Proton Mail | Swiss, end-to-end encrypted |
| Google Workspace | Tuta | German, open source |
| Any US provider | Stalwart Mail | Self-hosted, Rust-based, modern open source |
Key question: can a US court compel your email provider to hand over data? For any US-based provider, the answer is yes.
Office & Collaboration
| Current Tool | Sovereign Alternative | Notes |
|---|---|---|
| Microsoft 365 / Google Docs | Nextcloud | German, open source, 400,000+ deployments |
| Google Docs | OnlyOffice | Latvian, open source, full Office compatibility |
| Any US provider | CryptPad | French, end-to-end encrypted collaboration |
Nextcloud is used by the German federal government. openDesk is funded by it. These are not toy alternatives.
File Storage
| Current Tool | Sovereign Alternative | Notes |
|---|---|---|
| Dropbox / Google Drive / OneDrive | Nextcloud Files | Self-hosted or EU-hosted |
| Any US provider | Tresorit | Swiss/Hungarian, end-to-end encrypted |
Video Conferencing
| Current Tool | Sovereign Alternative | Notes |
|---|---|---|
| Zoom / Teams / Google Meet | Jitsi | Open source, self-hostable, no account needed |
| Slack + Zoom / Teams | Element | Matrix-based, EU-hosted option; used by the German Bundeswehr and French government agencies |
Password Management
| Current Tool | Sovereign Alternative | Notes |
|---|---|---|
| LastPass / 1Password | Bitwarden | Open source, self-hostable |
| Any US provider | Vaultwarden | Self-hosted Bitwarden-compatible server |
Complete Workplace Suite
| Current Tool | Sovereign Alternative | Notes |
|---|---|---|
| Microsoft 365 (full suite) | openDesk | German government-backed, open source, includes email, docs, chat, video, calendar, IAM |
| Google Workspace (full suite) | Nextcloud Hub | German, open source, 400,000+ deployments, used by German federal government |
openDesk deserves special mention. It is developed by ZenDiS GmbH — a publicly-funded company of the German Federal Government — as part of the “Sovereign Workplace” initiative. It bundles email, documents, chat, video conferencing, calendar, and identity management into one open-source platform. If you are looking for a complete Microsoft 365 replacement backed by a European government, openDesk is the most serious option available today.
Hosting & Infrastructure
| Current Tool | Sovereign Alternative | Notes |
|---|---|---|
| AWS / Azure / GCP | OVHcloud (FR), STACKIT (DE), IONOS (DE), runtiq (AT) | EU-owned, SEAL-4 capable |
| Heroku / Render / Vercel | Clever Cloud (FR), Corelix (FR), runtiq (AT) | EU PaaS with compliance documentation |
What Should You Do?
- Audit your current stack. List every SaaS tool and check the provider’s jurisdiction. Where is the parent company incorporated? Is it subject to US law?
- Identify your SEAL level requirement. Regulated industry? You likely need SEAL-3 minimum. Sensitive personal data, healthcare, or public sector? SEAL-4 is the appropriate target.
- Start with the easy wins. Email and file storage are the simplest to migrate. The tooling is mature and the operational overhead is low.
- For infrastructure, evaluate EU-native PaaS providers that include compliance documentation — DPA, subprocessor list, and SEAL level documentation — from day one.
- Document your decisions. NIS2 requires you to justify your supply chain choices. A clear record of why you selected each provider, and what their sovereignty posture is, is part of your compliance obligation.
runtiq
runtiq is built for teams that need SEAL-4 sovereignty without the operational overhead. Austrian company, EU-only infrastructure, compliance documentation included from day one. We handle the infrastructure sovereignty so you can focus on building your product — and because runtiq runs native containers on Kubernetes, it is also the easiest way to host your own sovereign open-source alternatives like Nextcloud, Jitsi, Stalwart Mail, or Element. See our pricing for details.