For years, the discussion about European digital sovereignty was mainly based on political declarations. However, the Gaia-X 2025 summit in Porto saw a key shift towards hard market realities. Ulrich Ahle, CEO of the organisation, presented the first operational catalogue of cloud services, which allows business customers to verify providers for true independence from foreign jurisdictions.
The catalogue, developed by CISPE (the association of cloud infrastructure providers in Europe), introduces a three-tier rating scale that has the potential to become the new market standard for transparency. While Levels 1 and 2 focus on technical compliance and identity verification, Level 3 (Level 3) represents a fundamental shift in the balance of power in the IT market. This label is reserved exclusively for organisations based in the European Union, which guarantee immunity from extraterritorial third-country legislation – by implication, primarily the US CLOUD Act.
The first wave of certification included a small group of entities that managed to meet these stringent criteria. Among the pioneers were Cloud Temple, Thésée Datacenter, Opiquad, OVHcloud and Seeweb. A total of nine services provided by these companies have been officially recognised by CISPE – which acts as the clearing house – as fully sovereign. Francisco Mingorance, secretary general of CISPE, indicated that the list would soon grow, although the timeframe for implementing the standards was extremely tight.
The move is a clear signal to the market that ‘trust’ is becoming a measurable business parameter. Sebastien Lescop, CEO of Cloud Temple, points out that the industry has relied on vague assurances for too long, and that the Level 3 label is the ultimate ‘check’ for marketing declarations. Significantly, Gaia-X has managed to stay ahead of the bureaucratic machinery of Brussels. Although the European Union is still working on its own rating system, the Gaia-X standard is now available and, the organisation assures, will largely coincide with the definition of sovereignty pushed by the European Commission. For CIOs of large European companies, this means that for the first time they have been given a tool to instantly assess the legal risks of entrusting data to the public cloud.
