CISPE Launches Auditable Framework for Sovereign Cloud Services — Over 40 Services Already Declared
Brussels -- CISPE (Cloud Infrastructure Service Providers in Europe) today announced the launch of its Sovereign and Resilient Cloud Services Framework. Developed, defined, and tested exclusively by European cloud infrastructure providers, the framework enables customers to easily select cloud services rigorously audited to verify their sovereign and resilience credentials.
The market is currently flooded with unverified “sovereign” offerings, making it difficult for customers to understand what they are procuring. Even official definitions of sovereignty remain unclear, and the metrics and approach to assessment are opaque. Customers deserve to know whether cloud services are safe from foreign jurisdictional interference (are they ‘Trump Proof’?) or whether they carry risks related to service disruption and data access. There is an urgent need for transparency and an auditable way to prevent “sovereignty washing.”
The CISPE Framework addresses this gap by providing a clear, certifiable definition of control in cloud services. It helps customers and public authorities identify offerings that ensure effective control over data, infrastructure, workloads, and operations. Crucially, cybersecurity certification alone does not guarantee sovereignty.
The framework introduces two distinct but complementary approaches to achieving effective control:
- Sovereign services ensure control by design: they are owned, governed, and operated within the relevant jurisdiction, preventing foreign powers from accessing, interfering with, or disrupting them.
- Resilient services ensure control by capability: even where some non-sovereign elements exist, customers retain control through robust technical and operational safeguards, such as customer-managed encryption, portability, independent backups, and the ability to switch providers or redeploy workloads.
In short, sovereignty prevents the risk; resilience ensures customers can withstand it. CISPE’s approach delivers the transparency necessary to make informed decisions about which route is most suitable.
As of launch, more than 40 services have already been declared against the CISPE framework. These include sovereign and resilient European AI assistant services, public cloud, Kubernetes, and storage offerings. Additional compliant services are expected in the coming weeks and will be listed in the CISPE Federated Cloud Catalogue.
The CISPE framework is designed to promote sovereignty and increase choice. It recognises that where fully sovereign services may not yet be available, resilient alternatives can provide legitimate and effective solutions for customers. The aim is not to exclude services from the market but to build trust in control over cloud data and workloads.
Francisco Mingorance, Secretary General of CISPE, said:
“Think of the CISPE Sovereign Badge as ‘puncture-proof tyres’ on a car: it guarantees immunity from external interference with your cloud services or data. By contrast, the CISPE Resilient Cloud Service Badge represents ‘run-flat tyres’ — you may encounter disruption, but you can continue your journey without losing control.”
Skander Riou, Head of Certification Projects at BYCYB, added:
“BYCYB (formerly LNE) was one of the first certification bodies to be involved in the CISPE Code of Conduct, and we are keen to continue this momentum with the sovereignty and resilience labels, for which we aspire to be among the first certification bodies.”