CCS Guest Blog
Tests, Interoperability and Certification
This article builds on the definitions and procurement levers set out in my previous blog post, Turning Sovereignty into Action: Principles and Policy Levers. It sets out the pass-or-fail checks and pragmatic certification approach that translate principles into outcomes.
Make Reversibility and Interoperability First-Class Tests
The problems of switching costs and the risk of concentrating too heavily on one supplier are solvable with design and contract choices that can be tested. Can workloads and data be exported in standard formats with no material re-architecture? Does the customer control encryption keys? Is there a documented, time-bound exit at a reasonable cost? Do interfaces rely on widely used, open components? Is failover available within European borders?
These requirements preserve neutrality, as they're just as accessible to a global provider willing to operate under European constraints as they are to a European provider. By elevating reversibility and interoperability from talking points to pass-or-fail tests, the EU can reduce the risk of lock-in without picking winners.
Treat AI as a Worked Example, Not a Separate Silo
AI makes sovereignty concrete. Because AI runs in the cloud, a sovereign cloud baseline should automatically confer sovereign AI guarantees, and no parallel scheme is required. Training, fine-tuning and inference all raise familiar questions about where data lives, who can access logs, how keys are managed, where failover runs and how exit works. The same sovereign tests should apply and be published, certifiable and usable in tenders. That's the cleanest way to avoid building a parallel policy for sovereign AI that duplicates effort.
Put differently: if the foundation is sovereign and the controls are auditable, providers can offer AI-specific services that inherit those guarantees, rather than crafting custom exceptions.
Recognize Diversity without Creating Fragmentation
Member states have different histories, industrial strengths and appetites for risk. That diversity can be an asset if the European level sets the baseline, allowing pragmatic federation where minimal standard interfaces and mutual recognition of certifications enable workloads to move between certified sovereign providers, burst during peaks and failover during incidents.
Federation should be optional and lean, not a new supraplatform, with lessons from Europe's Gaia-X project in mind: keep scope narrow and governance light, and prioritize working interoperability over new standards. Sovereignty and resilience reinforce one another when federation is intentional rather than ad hoc.
Buyers Say Intention Is High, Execution Lags
Public signals from the UK offer a valuable snapshot of demand-side intentions. The figures presented below are directional signals consistent with what many European buyers tell us privately; they aren't a standalone mandate for action by the EU.
A survey of over 1,000 IT decision-makers in April 2025, commissioned by UK-based cloud provider Civo, found 84% of respondents had concerns about geopolitics affecting data control. About 60% of respondents said sovereignty was moving up the strategy agenda, along with a shift away from dependency on a single provider; 68% expressed a desire for certainty on data ownership in AI services. At the same time, only 35% reported full visibility over where their data is stored and governed, and fewer than one in four said they felt prepared for new guidance — a gap between intention and execution that policy can help close.
CCS Insight's survey of over 900 decision-makers shows similar results: 40% of respondents described their strategy as multicloud, 50% had moved some workloads off public cloud in the past year, and the top reasons for choosing where to run workloads were security and compliance (32%), integration fit (27%) and cost (26%).
The anecdotes often cited alongside these numbers — for example, Microsoft's admission before the French Senate that it can't guarantee the sovereignty of French data — explain the political pressure. The constructive response, however, isn't rhetoric but verifiable controls: jurisdictional guarantees that can be audited, certification that can be checked, and procurement criteria that reward compliance rather than branding.
Practical Steps the European Commission Can Take Now
Some of the following measures can be advanced through European Commission guidance or delegated implementation (for example, through ENISA, the EU's cybersecurity agency), and others will require an ordinary legislative process.
Publish a draft definition and test suite — a concise document that outlines the sovereignty domains and the specific tests for each (data, operations, infrastructure). This would immediately improve comparability. Invite feedback, but anchor the tests in existing law so they can be performed from day one.
Align procurement guidance to the definition: issue a note to public buyers with example scoring for sovereignty criteria and model clauses for reversibility, key management and in-region resilience. Provide a template requirement for an exit plan, with time-bound obligations and data export formats.
Calibrate certification for speed and clarity: whether under an evolved EU Cloud Services Scheme or another vehicle, start with an iterative, tiered label — good, better, best — mapped to the test suite. Require independent attestation for the top tier and publish a registry. Keep the door open for member state overlays where they are justified by sector risk, but avoid a maze of inconsistent labels. Where appropriate, align certification evidence with the European Commission's Directorate-General for Digital Services (DG DIGIT) Cloud Sovereignty Framework so procurement and labelling stay in step.
Pilot with willing member states and critical industry sectors by inviting ministries in, say, health and finance, to test the guidance in live procurements, publish lessons learned and iterate quickly. The near-term signal should be visible progress on guidance and pilots within quarters, with formal legislation following its longer timetable.
Use funding and energy policy as boosts, not crutches. Where offerings meet the top tier, consider targeted incentives such as faster access to cross-border funding opportunities, simplified documentation and pragmatic energy-grid prioritization to nudge economics in favour of sovereign capacity that passes the tests. Keep support time-limited and performance-based to avoid dependency.
Coordinate with the broader competitiveness agenda. Where feasible, align sovereignty certification and procurement templates with cross-border investment tools and efforts to deepen the single market, enabling compliant capacity to scale, costs to fall and market fragmentation to recede without compromising jurisdictional control.
Encourage diffusion and entry. This can be achieved by opening up conformity tests and reference implementations, designing tenders with interoperability requirements and lots that are friendly to small and medium businesses, and using time-limited regulatory sandboxes so new providers can prove capability under real constraints without placing systems at undue risk.
What Success Should Look Like in 12 to 24 Months
Success is visible. Public tenders are referenced and scored against a published sovereignty test suite. A public registry shows multiple offerings, European and global, meeting the bar at different tiers, with independent attestations for the top tier. Buyers have carried out documented exit drills without drama. AI workloads ride on the same certified foundations rather than custom carve-outs. Federated failover within European borders is proven in exercises. And Europe is referenced internationally as a practical standard-setter for cloud and AI controls. None of these results require heroics; they need clarity, consistency and the self-discipline to keep the conversation focused on outcomes rather than branding.
Tone Matters: Pro-Competition, Pro-Investment, Pro-Resilience
Throughout, it's worth keeping the tone measured. Some economists argue that prosperity comes from enabling entry, experimentation and diffusion, in what could be described as the discipline of creative destruction. The policy implication for sovereignty is practical: set guardrails that make risk-taking safe and reversible, not impossible; prioritize contestability so capable entrants can challenge incumbents; and focus on diffusion so benefits reach small and medium businesses and public services, not just the largest providers. As with open banking, clear rules can strengthen established players and challengers alike by widening participation without dulling incentives to invest.
There's no need to caricature the role of global providers; they've invested heavily in capacity that European businesses use today. But capacity alone isn't sovereignty. Europe has an opportunity to set transparent, auditable and fair rules that lift the competitive bar for everyone and reduce the uncertainty costs that are slowing execution. That's how sovereignty becomes an economic asset rather than a political argument.
A Final Thought
The European Commission's first act should be to publish a definition and a minimal test suite that anyone can understand and independently verify. Once buyers can grade offers against the same criteria, procurement can reward readiness; providers can invest with confidence; and the policy conversation can move from claims to evidence. That's the shortest, fairest path from principle to practice and the surest way to make sovereignty a source of competition and resilience for Europe, not a wedge that narrows choice.

