Twelve questions every public body should ask before signing a cloud contract.
Mansfeld-Südharz, Germany - November 30, 2025
The slide-deck said “sovereign cloud” in bold Helvetica, the price was 40 % below last year’s on-premise quote, and the footnote reassured the council that “data stays in Germany.” Everyone around the table nodded, but no one asked the follow-up question that keeps EU auditors awake at night: which Germany? The one that ends at the Länder border, or the one that ends wherever the provider’s German subsidiary files its consolidated accounts? Cloud sovereignty is no longer a romantic appeal to national champions; it is a due-diligence exercise that can be reduced to twelve plain-language questions. We wrote them after watching three European counties sign three different “sovereign” deals and then spend eighteen months renegotiating once they discovered that sovereignty is not a label but a chain of custody that must be evidenced at every link. The checklist is intentionally short, intentionally boring, and intentionally free of product names—because the moment marketing enters the room, the custody chain starts to blur.
Question one is deceptively simple: who holds the encryption keys? Not who stores them, not who manages the HSM, but who possesses the technical ability to decrypt the data without your active consent. If the answer is a cloud entity incorporated outside the EU, every other clause in the contract is decorative. The second question follows naturally: can you rotate those keys without notice to, or assistance from, that same entity? Rotation must be measurable in minutes, not in ticket queues, because the Schrems II ruling treats delayed rotation as equivalent to access by a foreign intelligence service. Question three moves from cryptography to corporate law: is the cloud operator’s ultimate parent listed on a stock exchange that requires disclosure of foreign intelligence cooperation? A New York listing does not disqualify the vendor, but it obliges you to layer additional technical controls—such as split-key ceremonies inside an EU trustee office—that the baseline price rarely includes.
Question four inspects the network layer: does the provider run its own physical fibre into the data centre, or does it purchase dark fibre from a carrier that may reroute traffic through non-EU backbones during maintenance windows? We have seen contracts that guarantee “German data centres” while the packet path dips through Zurich nightly for peering optimisation. The only enforceable safeguard is a traceroute clause that gives you daily raw captures and the right to terminate if more than 0.1 % of your prefixes leave the EU for longer than the time needed to repair a submarine cable. Question five repeats the exercise at the hypervisor level: is the virtualisation stack compiled inside the EU from source code you can audit? Binary equivalence is acceptable, but the hash manifest must be signed by an EU legal entity that carries professional liability insurance. Without that signature you are leasing a black box whose behaviour under subpoena is unknowable.
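As an added illustration of the traceroute clause in question four (this is not code from the page's authors), the Python below checks one day's captures against a router-to-country inventory that the provider would attach to the contract; the inventory, customer prefixes and traceroute lines are constructed here, and the cable-repair duration exemption is not modelled.

```python
"""Check a day's traceroute captures against an EU-residency clause."""
import ipaddress
import re

EU = {"DE", "FR", "NL", "AT", "BE", "IT", "ES", "PL", "SE", "DK", "FI", "IE", "PT", "CZ", "LU"}

# Constructed router inventory (assumed to be a signed contract attachment):
# router prefix -> ISO country code of the site where that router sits.
ROUTER_INVENTORY = {
    "192.0.2.0/26": "DE",     # Berlin edge
    "192.0.2.64/26": "DE",    # Frankfurt core
    "198.51.100.0/25": "CH",  # Zurich peering, outside the EU
    "203.0.113.0/24": "FR",   # Paris core
}
_INV = [(ipaddress.ip_network(p), c) for p, c in ROUTER_INVENTORY.items()]
_HOP_RE = re.compile(r"\((\d{1,3}(?:\.\d{1,3}){3})\)")  # "(ip)" in a traceroute hop line

def hop_country(ip):
    """Country of a hop per the inventory; an unlisted hop is treated as non-EU (fail closed)."""
    addr = ipaddress.ip_address(ip)
    for net, country in _INV:
        if addr in net:
            return country
    return "??"

def parse_capture(text):
    """Return {customer_prefix: [hop_ip, ...]}; each block starts with '# prefix <cidr>'."""
    routes, current = {}, None
    for line in text.splitlines():
        if line.startswith("# prefix "):
            current = line.split()[2]
            routes[current] = []
        elif current and (m := _HOP_RE.search(line)):
            routes[current].append(m.group(1))
    return routes

def prefixes_leaving_eu(routes):
    """Customer prefixes whose path touched at least one non-EU (or unknown) hop."""
    return sorted(p for p, hops in routes.items() if any(hop_country(h) not in EU for h in hops))

def breaches_clause(routes, threshold=0.001):
    """(breached, offending_prefixes): breached if more than 0.1 % of prefixes left the EU."""
    leaving = prefixes_leaving_eu(routes)
    return len(leaving) / len(routes) > threshold, leaving

# Constructed sample capture: the second prefix dips through Zurich on the way to Paris.
CAPTURE = """\
# prefix 10.20.0.0/24
 1  ber-edge.example.net (192.0.2.5)  1.2 ms
 2  fra-core.example.net (192.0.2.70)  4.8 ms
# prefix 10.21.0.0/24
 1  ber-edge.example.net (192.0.2.5)  1.1 ms
 2  zrh-peer.example.net (198.51.100.9)  9.9 ms
 3  par-core.example.net (203.0.113.4)  15.2 ms
"""
```

Run daily over the raw captures the clause entitles you to; the offending prefix list is the evidence you would table when invoking the termination right.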
Question six addresses subcontracting: which sub-processors receive clear-text data, and are those sub-processors themselves subject to the same jurisdictional test? A US-owned DNS resolver that sees your API calls is as critical as the primary tenant. The cleanest answer is a positive list: any new sub-processor requires 30 days’ written notice and an automatic right for you to port your workloads elsewhere without exit fees. Question seven looks at support: where do the 24/7 engineers sit when they type sudo commands? If the answer is Chennai or Kansas, you need jump-hosts inside EU borders with logs that you—not the provider—control. Question eight quantifies those logs: can you stream authentication events into your own SIEM in real time, and can you disable vendor access to that stream without breaking the service? Sovereignty is meaningless if the provider can still read your audit trail after you declare a diplomatic incident.
"Sovereignty is not a flag on a data centre; it is a custody chain you can read aloud in court without blinking."
Question nine examines insolvency: what happens to the keys if the operator enters Chapter 11 or its local equivalent? The correct structure is a tripartite escrow agreement with an EU credit institution that holds the root of trust in a segregated account, releasable to you on evidence of payment default or legal compulsion from a non-EU court. Question ten covers export-control: does the stack include cryptographic libraries whose ECC curves or key lengths require US BXA notification? If so, you must obtain an EU equivalence certificate before go-live, or you risk inheriting re-export constraints that could criminalise a future data-port. Question eleven audits green sovereignty: is the electricity that powers the servers procured through a supplier of record registered inside the EU, and can you obtain hourly certificates of origin? Data residency is only half the story; energy sovereignty prevents foreign utilities from switching off your bits by switching off your volts.
Question twelve is the meta-question: can you leave? A sovereign cloud that costs more to exit than to enter is a velvet-lined jail. The contract must cap data-egress fees at the documented cost of electricity and cross-connect rental for the duration of the transfer, and it must give you the right to replicate your entire environment—including KMS policies, firewall rules and IAM schemas—into an open-source format you can redeploy on commodity hardware inside 72 hours. If the provider cannot demo that migration in a dry-run, sovereignty is marketing, not engineering.
We run this checklist against every supplier that knocks on the county door, and we publish the redacted results on a public register hosted in our own Bitterfeld cloud. The register does not rank or score; it simply states, for each question, “pass,” “fail,” or “partial,” along with the documentary evidence. Over twelve months the register has grown to 38 providers, and the pattern is clear: vendors who score eleven or twelve passes also quote the lowest total-cost-of-ownership, because transparency and efficiency are convergent traits. Meanwhile, offerings that fail more than three questions typically embed hidden compliance costs—extra legal reviews, additional penetration tests, insurance riders—that surface only after signature. The checklist has thereby become a market signal: improve your custody chain or lose public-sector revenue.
The ultimate payoff is not contractual purity but democratic continuity. When elected officials change, when coalitions shift, when the next foreign-policy crisis lands, the custody chain must remain intelligible to a newly appointed clerk who has six weeks to prepare for an EU Court of Auditors hearing. If that clerk can trace every answer back to a document written in a language she speaks, under a legal system she can sue in, sovereignty is real. Anything shorter is a service-level agreement written on water—and water evaporates when the weather gets hot.
The Cyber Resilience Alliance is a public-private partnership established in 2025, led by CypSec, Validato and the County of Mansfeld-Südharz. The Alliance operates a sovereign private-cloud security stack, a shared SOC and a cyber academy, aiming to make Mansfeld-Südharz the reference site for rural cyber resilience by 2030.
Media Contact: Daria Fediay, Chief Executive Officer at CypSec - daria.fediay@cypsec.de.