The EU Cloud Sovereignty Framework, explained.

What SEAL levels mean for enterprise AI platform procurement.

April 2026 · Insaights · 5 min read

The European Commission has moved cloud sovereignty from a political aspiration to a procurement standard. Here is what the new framework means, why it matters, and how to use it when evaluating AI governance platforms.


What changed

For years, "data sovereignty" in enterprise software procurement meant different things to different people. Some meant data residency — servers in the EU. Some meant legal jurisdiction — subject to EU law. Some meant operational sovereignty — no foreign government could compel access. The terms were used interchangeably, and vendors exploited the ambiguity.

The European Commission has now changed that. The EU Cloud Sovereignty Framework, introduced in April 2026, defines cloud sovereignty through objective, verifiable Sovereignty Effectiveness Assurance Levels — SEAL. For the first time, enterprises have a standardised vocabulary and a clear assessment method for evaluating what a vendor's sovereignty claim actually means.

The four SEAL levels explained

SEAL is a four-level framework. Each level represents a progressively stronger sovereignty guarantee.

| Level | Name | What it means | Who it's for |
|---|---|---|---|
| SEAL-1 | Contractual protection | Provider abides by EU law contractually. Standard GDPR DPA compliance. | General commercial use |
| SEAL-2 | Jurisdictional sovereignty | Provider operates exclusively under EU jurisdiction. No exposure to non-EU legal access mechanisms (e.g. US CLOUD Act). Adopted as minimum standard in EU Commission procurement. | Regulated enterprises: BFSI, healthcare, government |
| SEAL-3 | Technical sovereignty | Full technical controls preventing non-EU access, independent of contractual arrangements. | Critical infrastructure, sensitive public sector |
| SEAL-4 | Operational sovereignty | Complete on-premise or air-gapped deployment. No external dependencies. | Defence, central banks, national security |

Most enterprises in regulated sectors should be asking whether their software vendors meet SEAL-2 at minimum. SEAL-1 — the contractual baseline — does not protect against legal compulsion from outside the EU, regardless of where the servers are located.

Why this matters for AI governance platforms specifically

AI governance platforms handle some of the most sensitive information an enterprise produces: strategic AI investment decisions, council votes and rationale, risk assessments, evidence documentation, and financial projections. In regulated industries, this is also the documentation regulators will request.

Yet most AI governance platforms available to European enterprises are incorporated in the United States or the United Kingdom. Under US law — specifically the CLOUD Act — US authorities can compel a US-incorporated company to produce data stored anywhere in the world, regardless of the server location. A US-incorporated AI governance platform storing data in an Irish data centre is not jurisdictionally sovereign, even if the data never physically leaves the EU.

For BFSI, healthcare, and government organisations, this is not a theoretical risk. It is a procurement criterion. The question to ask any AI governance vendor is simple: under which jurisdiction is your company incorporated, and can a non-EU authority compel access to my data?

How to use SEAL in procurement

The SEAL framework gives procurement teams a concrete assessment method. When evaluating AI governance platforms, ask vendors to specify which SEAL level their offering meets and provide supporting documentation. The key questions:

  • Where is the vendor incorporated? (Jurisdiction of the company, not just the servers)
  • Are there any US or non-EU parent companies, investors, or infrastructure sub-processors that could create CLOUD Act exposure?
  • What contractual guarantees exist around EU-only processing?
  • For SEAL-2+: is the infrastructure provided by an EU-sovereign provider, or a US hyperscaler with EU region presence?

Vendors should be able to answer these questions clearly and provide supporting DPA documentation. If they cannot, their sovereignty claim is marketing, not substance.

Verdix and the SEAL framework

Verdix is incorporated in the Netherlands and operated under Dutch and EU law. Our Tier 2 EU Data Sovereignty offering is designed and architected to meet SEAL-2 requirements — dedicated infrastructure operating exclusively under EU jurisdiction, with no exposure to non-EU legal access mechanisms. Our Tier 3 Private Cloud / On-Premise offering is designed to meet SEAL-3 and SEAL-4 requirements depending on deployment configuration.

We are transparent about where each tier stands. Tier 1 (EU Data Residency, included in all plans) delivers SEAL-1 compliance — GDPR-compliant EU hosting. It does not deliver SEAL-2. We will always tell you honestly which tier your organisation's procurement requirements and regulatory obligations actually need.


The EU Commission Cloud Sovereignty Framework was introduced in April 2026. SEAL levels are a procurement assessment standard — not a third-party certification scheme. Verdix's SEAL alignment claims refer to architectural design against published SEAL criteria, not formal certification by a third party.
