EU tender: €180 million for sovereign cloud - what counts now

The EU Commission has launched a tender worth €180 million to procure sovereign cloud services for EU institutions - as a competition in the Cloud III Dynamic Purchasing System (Cloud III DPS). The framework contract will run for up to 6 years and up to four providers will be selected according to a new Cloud Sovereignty Framework. The contract award is scheduled for December 2025 to February 2026.

"Measurable criteria for sovereignty are a win-win situation for everyone: procurers get clarity, providers get planning security - and Europe strengthens its digital competitiveness."
- Marcus Müller, CEO & Founder, SecureCloud

What the EU is planning in concrete terms - sovereignty in practice

The Cloud Sovereignty Framework makes sovereignty verifiable. It evaluates providers along eight objectives (SOV-1 to SOV-8) - from strategy/jurisdiction, data & AI, operations, supply chain and technology openness to security/compliance and sustainability. Minimum assurance levels "SEAL" (0-4) apply to each objective; those who fail to meet the minimum level are eliminated. In addition, a sovereignty score with predefined weightings (e.g. operational 20%, supply chain 20%, technology 15%) is included in the evaluation. The framework is based on CIGREF Trusted Cloud, Gaia-X and ENISA/NIS2/DORA, among others.

1. Sovereignty & jurisdiction: retaining control
   Central requirements: Data processing under EU jurisdiction, BYOK/key sovereignty, clear access and deletion concepts, audit evidence. The SEAL minimum levels define what is considered "sovereign" in tenders - and thus create a level playing field.
   Our SecureCloud approach:
   - Data storage & operation in German data centers, strong client separation, end-to-end encryption
   - customer key (BYOK), strict admin controls, audit-proof logs
   - Portability/exit via signed exports - verifiable and documented
   
   
2. Operations & supply chain: transparency instead of a black box
   The framework weights operations and supply chain at 20% each - including the origin of hardware/firmware/software, update paths, subcontractors and audit rights. Goal: resilience and traceability in day-to-day operations instead of just lists of certificates.
   What has proven itself:
   - Separate backups, tested restore paths, defined RTO/RPO
   - SLA-controlled operating processes, seamless logs
   - Supply chain transparency down to component level
   
   
3. Technology openness & interoperability: avoid lock-ins
   Open interfaces/standards, traceable architecture and data portability are required. This enables public sector teams to exchange/extend solutions without losing sovereignty.

What does this mean for procurement & IT management? Our "30-day checklist"

1. Define SEAL minimum levels per process (jurisdiction, operation/support in the EU, audit obligations).
2. Disclose supply chain (hardware/firmware/software origin, update chain, subcontractors, inspection/audit rights).
3. Contractually secure BYOK/key sovereignty and EU data residency; document deletion and exit processes.
4. Resilience by design: RTO/RPO, restore tests, signed exports, emergency communication.
5. Demand tech openness: standardized APIs/protocols, interop evidence, assess lock-in risks.

Timetable & outlook

The tender sets a benchmark for the EU cloud - especially in the public sector. The contract has been announced for Dec 2025-Feb 2026; Brussels is also planning to massively expand data center capacity in Europe (keyword "AI Continent" and planned Cloud & AI Development Act).

FAQ

What is the Cloud III DPS?

The EU procurement channel for cloud services; the current award for sovereign cloud services runs through it.

What is behind the Cloud Sovereignty Framework?

A set of criteria with eight sovereignty objectives, SEAL minimum levels (0-4) and sovereignty score for the comparable evaluation of providers.

When will be awarded?

Expected December 2025 to February 2026.

Why does the EU emphasize data/digital sovereignty?

It is a competitive factor and reduces dependencies - in procurement, operations and crisis resilience.

After the tender is before the project

Would you like to define requirements, SEAL level and exit path precisely? Let us advise you personally! - In 30 minutes, we will show you how to translate the framework into tendering and operations.