The EU Commission has launched a tender worth €180 million to procure sovereign cloud services for EU institutions - as a competition in the Cloud III Dynamic Purchasing System (Cloud III DPS). The framework contract will run for up to 6 years and up to four providers will be selected according to a new Cloud Sovereignty Framework. The contract award is scheduled for December 2025 to February 2026.
"Measurable criteria for sovereignty are a win-win situation for everyone: procurers get clarity, providers get planning security - and Europe strengthens its digital competitiveness."
- Marcus Müller, CEO & Founder, SecureCloud
What the EU is planning in concrete terms - sovereignty in practice
The Cloud Sovereignty Framework makes sovereignty verifiable. It evaluates providers along eight objectives (SOV-1 to SOV-8) - from strategy/jurisdiction, data & AI, operations, supply chain and technology openness to security/compliance and sustainability. Minimum assurance levels "SEAL" (0-4) apply to each objective; those who fail to meet the minimum level are eliminated. In addition, a sovereignty score with predefined weightings (e.g. operational 20%, supply chain 20%, technology 15%) is included in the evaluation. The framework is based on CIGREF Trusted Cloud, Gaia-X and ENISA/NIS2/DORA, among others.
- Sovereignty & jurisdiction: retaining control
Central requirements: Data processing under EU jurisdiction, BYOK/key sovereignty, clear access and deletion concepts, audit evidence. The SEAL minimum levels define what is considered "sovereign" in tenders - and thus create a level playing field.
Our SecureCloud approach:
- Data storage & operation in German data centers, strong client separation, end-to-end encryption
- customer key (BYOK), strict admin controls, audit-proof logs
- Portability/exit via signed exports - verifiable and documented
- Operations & supply chain: transparency instead of a black box
The framework weights operations and supply chain at 20% each - including the origin of hardware/firmware/software, update paths, subcontractors and audit rights. Goal: resilience and traceability in day-to-day operations instead of just lists of certificates.
What has proven itself:
- Separate backups, tested restore paths, defined RTO/RPO
- SLA-controlled operating processes, seamless logs
- Supply chain transparency down to component level
- Technology openness & interoperability: avoid lock-ins
Open interfaces/standards, traceable architecture and data portability are required. This enables public sector teams to exchange/extend solutions without losing sovereignty.
What does this mean for procurement & IT management? Our "30-day checklist"
- Define SEAL minimum levels per process (jurisdiction, operation/support in the EU, audit obligations).
- Disclose supply chain (hardware/firmware/software origin, update chain, subcontractors, inspection/audit rights).
- Contractually secure BYOK/key sovereignty and EU data residency; document deletion and exit processes.
- Resilience by design: RTO/RPO, restore tests, signed exports, emergency communication.
- Demand tech openness: standardized APIs/protocols, interop evidence, assess lock-in risks.
Timetable & outlook
The tender sets a benchmark for the EU cloud - especially in the public sector. The contract has been announced for Dec 2025-Feb 2026; Brussels is also planning to massively expand data center capacity in Europe (keyword "AI Continent" and planned Cloud & AI Development Act).
FAQ
What is the Cloud III DPS?
The EU procurement channel for cloud services; the current award for sovereign cloud services runs through it.
What is behind the Cloud Sovereignty Framework?
A set of criteria with eight sovereignty objectives, SEAL minimum levels (0-4) and sovereignty score for the comparable evaluation of providers.
When will be awarded?
Expected December 2025 to February 2026.
Why does the EU emphasize data/digital sovereignty?
It is a competitive factor and reduces dependencies - in procurement, operations and crisis resilience.
After the tender is before the project
Would you like to define requirements, SEAL level and exit path precisely? Let us advise you personally! - In 30 minutes, we will show you how to translate the framework into tendering and operations.