Whaller and the European Commission’s Cloud Sovereignty Framework
Digital sovereignty: where do we really stand?
Digital sovereignty – Europe’s ability to control its data and critical infrastructures – lies at the heart of current concerns. And the facts are stubborn: today, around 70% of the cloud market in Europe is dominated by American players, compared with barely 15% for European providers. This massive dependence on non-European services poses well-known risks, particularly in terms of jurisdiction (extraterritorial laws such as the US Cloud Act) and data security.
In France, the government has made these issues a priority – requiring, for instance, that public data deemed to be of “particular sensitivity” must be hosted on SecNumCloud-qualified solutions, the ANSSI’s highest security qualification.
In response to these challenges, Europe is taking action. On 20 October 2025, the European Commission published a clear reference framework for assessing the sovereignty of cloud solutions: the Cloud Sovereignty Framework.
Inspired by French initiatives (the Trusted Cloud framework by CIGREF, the ANSSI’s Cloud de Confiance strategy) and German ones (Souveräner Cloud), as well as European regulations (NIS2, DORA), this framework offers a shared approach to finally objectify a topic that’s often too vague.
The Cloud Sovereignty Framework: eight official criteria for a sovereign cloud
This new European evaluation framework defines eight cloud sovereignty objectives, each graded from 0 to 4 (the SEAL level – Sovereignty Effectiveness Assurance Level). The criteria cover all key dimensions of digital independence.
The Commission lists strategic, legal, operational, environmental aspects, but also supply chain transparency, technological openness, security and compliance with EU law.
In other words, it assesses how deeply a cloud provider is embedded in the European ecosystem (ownership, governance, alignment with EU priorities), under European jurisdiction (minimally exposed to foreign injunctions), how far it controls its data and AI services locally, and whether it operates autonomously without critical dependencies outside the EU.
Additional criteria concern the supply chain (mostly European technology partners), technology stack (interoperability, in-house code mastery), security and compliance (certifications such as ISO, ENISA or SecNumCloud qualification), and the environmental sustainability of cloud operations (energy-efficient infrastructures, measurable long-term improvement goals).
Why this framework?
In practice, the European Commission will use it for its own cloud procurements. A €180 million tender was launched in 2025 to select up to four providers over six years, each meeting minimum levels across all eight objectives. Any offer failing to meet a criterion’s minimum level will be automatically rejected.
The idea is to create a “level playing field”: pushing the entire market towards shared trust standards and reducing dependence on non-European services by giving decision-makers an impartial comparison tool.
It’s a direct response to concerns over data transfers outside the EU and foreign surveillance. In short, Europe is finally adopting a common language to measure true cloud sovereignty, beyond marketing slogans.
Whaller’s self-assessment based on European criteria
The European Commission has published its framework to measure cloud sovereignty. (Photo credit: European Commission)
At Whaller, the French collaborative platform, we embraced the Cloud Sovereignty Framework by conducting a rigorous and transparent self-assessment.
Here’s how we position ourselves across the eight sovereignty objectives (SEAL score out of 4):
- SOV-1 Strategic – Score 4/4. 100% French governance, independent capital. Since its creation, Whaller has been rooted in France: local ownership, French headquarters, and no dependency on non-European capital or technologies. This grounding ensures natural alignment with the EU’s strategic digital priorities.
- SOV-2 Legal – Score 4/4. French law contracts, ANSSI-certified infrastructure. All Whaller data is hosted in France, under French and EU jurisdiction. Our service agreements are governed exclusively by French law, guaranteeing maximum protection against extraterritorial legislation. Moreover, our infrastructure runs on a SecNumCloud-qualified cloud – the security visa issued by ANSSI – ensuring that no non-EU authority can access hosted data.
- SOV-3 Data & AI – Score 3/4. No secondary use of data. Whaller guarantees that user data is never exploited for any other purpose. Unlike certain US suites that analyse your data for advertising or AI training, we ensure full client data isolation: no hidden profiling, no algorithm training on your content without explicit consent. Any AI services integrated remain under the client’s control and comply with European regulations (GDPR, upcoming AI Act).
- SOV-4 Operational – Score 3/4. In-house infrastructure management, strong technical autonomy. Whaller’s platform is managed by our own teams in France, on environments we control end-to-end. We minimise technological dependency on non-European vendors. This operational autonomy enables us to evolve or migrate the service if needed, without proprietary lock-in.
- SOV-5 Supply Chain – Score 3/4. Mostly European suppliers, room for improvement. We prioritise French and European partners for software components, data centres and subcontractors. For example, hosting relies on OVHcloud (France), SecNumCloud-qualified. That said, we acknowledge there’s still room for progress to reach a 100% European supply chain (some critical hardware or third-party software remains non-EU). Our goal is to tighten our trusted partner ecosystem.
- SOV-6 Technology Stack – Score 3/4. Fully controlled stack, closed yet interoperable architecture. Whaller’s solution is built on a technology stack designed and developed in-house, giving us full control over the code and features. While our architecture is proprietary for security reasons, it remains interoperable: we provide APIs and standard connectors for integration with other systems. This interoperability limits vendor lock-in and ensures clients retain full control over their data and workflows.
- SOV-7 Security & Compliance – Score 4/4. Compliant with GDPR/NIS2/DORA/CRA and SecNumCloud-qualified. Security is part of Whaller’s DNA. In addition to full GDPR compliance, we meet the strictest standards in digital trust. Whaller DONJON is the first collaborative platform to earn SecNumCloud qualification from ANSSI through a “composition” process. This qualification – based on more than 300 requirements – certifies our service’s high technical and legal security level. Few can claim the same: only a handful of solutions in France (around 8 or 9 to date) hold this demanding certification.
- SOV-8 Environmental – Score 2/4. Efforts ongoing, not enough public KPIs yet. Aware that sovereignty also means sustainability, we are working to reduce our cloud services’ carbon footprint. Our partner OVHcloud’s data centres in France already have excellent energy efficiency (PUE) and are partly powered by renewable energy. We’ve initiated a process of continuous improvement (resource optimisation, energy monitoring), but we acknowledge that we do not yet publish official environmental indicators. Our goal is to improve transparency in this area: the European Union aims for climate-neutral data centres by 2030, and we share that ambition.
Applying the official weightings of the Cloud Sovereignty Framework, Whaller’s actual Sovereignty Score is 82.5%, i.e. 16.5/20.
| Criterion | Score | Weight | Contribution |
|---|---|---|---|
| SOV-1 | 4 | 15 % | 15 % |
| SOV-2 | 4 | 10 % | 10 % |
| SOV-3 | 3 | 10 % | 7.5 % |
| SOV-4 | 3 | 15 % | 11.25 % |
| SOV-5 | 3 | 20 % | 15 % |
| SOV-6 | 3 | 15 % | 11.25 % |
| SOV-7 | 4 | 10 % | 10 % |
| SOV-8 | 2 | 5 % | 2.5 % |
| Total | – | 100 % | 82.5 % ✅ |
Calculation of a cloud offer’s sovereignty score. (Photo credit: EU)
With equal weighting, two offers can show very different levels of effective sovereignty. This often occurs when certain services, though hosted in France or operated by French entities, still rely on American technologies or proprietary architectures developed outside the EU. Even with contractual safeguards, dependence on components subject to extraterritorial legislation limits their ability to fully meet legal (SOV-2), technological (SOV-6) or supply chain (SOV-5) criteria.
The weighted calculation then reveals a tangible gap, beyond marketing claims: sovereignty cannot be declared; it must be measured.
This result reflects our high level of digital sovereignty, well above that of mainstream market solutions.
Comparison – Whaller vs US market players
To better understand our position, let’s compare this score with that of major non-European collaborative solutions, based on the Cloud Sovereignty Framework criteria:
| Provider | Overall score | SecNumCloud? | Jurisdiction | Governance |
|---|---|---|---|---|
| Whaller | 16.5/20 | ✅ Yes | 🇫🇷 France | 🇫🇷 Independent |
| Microsoft 365 | ~7/20 | ❌ No | 🇺🇸 USA | US multinational |
| Google Workspace | ~7/20 | ❌ No | 🇺🇸 USA | US multinational |
| Slack (Salesforce) | ~7/20 | ❌ No | 🇺🇸 USA | Subsidiary of a US entity |
None of these American cloud services is currently SecNumCloud-qualified. Their extra-European jurisdiction poses a major obstacle under SOV-2 and SOV-3: being subject to US law, they cannot guarantee full immunity from access by their authorities (Cloud Act, etc.) to European clients’ data.
Their governance and decision-making centres also remain largely outside the EU. Even though Microsoft, Google and AWS have recently announced “sovereign cloud” partnerships with local players, these remain primarily contractual or technical arrangements – not full European control.
Whaller, on the other hand, ticks many boxes these giants cannot, thanks to its independence and compliance with the strictest French and European standards.
Notably, no other equivalent French collaborative solution currently holds SecNumCloud qualification, apart from Oodrive – which offers sovereign cloud services focused on file sharing and document collaboration. It paved the way, and Whaller now joins this exclusive circle of trusted SaaS providers.
Beyond these two players, other SecNumCloud-qualified French solutions belong mostly to infrastructure (IaaS/PaaS): examples include OVHcloud, 3DS Outscale, Worldline, and Cloud Temple.
This proves that building a sovereign cloud is a long-term challenge, one that few have fully met.
Transparency and high standards: beyond marketing labels
Why make this self-assessment public? Because it’s time to go beyond fine words and marketing labels.
Everyone claims to offer a “sovereign cloud” these days – but on what concrete basis? The European framework provides precisely that: an objective benchmark, a common language for measuring and comparing what has so far been mostly slogan-based.
It enables decision-makers to ask the right questions and demand greater transparency from providers.
At Whaller, we do not claim to be perfect in every area – we acknowledge there is room for improvement. By publishing our scores transparently, we lay our cards on the table.
Because sovereignty is also about trust and honesty towards our users.
We invite other players to do the same, to collectively raise the bar. The European Commission itself is setting a clear course: its new framework aims to “raise the entire sector towards compliance with European standards and values” rather than settle for promises.
In short, digital sovereignty cannot be declared – it must be demonstrated.
Criterion by criterion, commitment by commitment, Whaller strives to build a trustworthy digital environment that meets French and European expectations.
We firmly believe that this approach of transparency and continuous improvement is the only way to earn lasting trust.
And together – users, providers and public authorities – we can build genuine digital autonomy in the service of our freedoms.
0 Comments