The European Commission has awarded four contracts designed to advance cloud sovereignty in the EU, but one uses services from S3NS, a joint venture between Thales and Google Cloud, raising questions about its real independence.
In line with Europe's push for digital sovereignty, the Commission announced this tender for local cloud services to "strengthen the digital sovereignty posture of the Union" last October.
Through it, EU institutions, offices and agencies will be able to procure cloud-based resources and services for up to €180 million ($212 million) over a period of six years.
The Commission says that it has awarded four contracts to ensure diversification and resilience, with the aim of avoiding a potential lock-in that might result from sourcing IT services from a single provider.
Those four providers are:
The Commission insists that the sovereignty of the providers was assessed using the Cloud Sovereignty Framework it developed last year for the purpose of evaluating services against eight sovereignty objectives.
But this was criticized last year by CISPE (Cloud Infrastructure Service Providers in Europe), a trade association of 38 of the region's cloud firms. It claimed that the Framework's criteria are drafted so vaguely as to favor incumbents – meaning the big American operators that already dominate Europe's cloud market.
"CISPE's concern is that the Framework's criteria are so broad and weighted that they could allow a provider to tick enough boxes to get a high score without really delivering on the spirit of European sovereignty," a spokesperson told The Register at the time.
This could now have come to pass, as S3NS is a joint venture between French technology multinational Thales and Google Cloud, the latter of which is famously a US-based corporation.
Under the US CLOUD Act, US authorities can compel American cloud companies to provide access to certain data they hold, including data stored outside the United States, subject to applicable legal process.
Last year, a Microsoft executive acknowledged under oath before the French Senate that the company could not guarantee French customer data would never be disclosed under US legal orders because of this.
We asked Thales how its S3NS joint venture with Google could be considered a sovereign provider under these circumstances, and await an explanation.
We also asked the European Commission why it has awarded a contract for sovereign cloud services to a partnership that includes Google Cloud.
In its announcement of the awards, the Commission says that the Cloud Sovereignty Framework specifies Sovereignty Effectiveness Assurance Levels (SEAL) that go from SEAL-0, which indicates that providers completely lack sovereignty, to SEAL-4, which requires a full EU supply chain, from chips to software.
For the providers to be considered eligible, they needed to be able to demonstrate SEAL-2, or the Data Sovereignty level. This means that they abide by EU laws and regulations without requiring additional technical measures by the customer to protect its data, the Commission states.
The other three providers were able to demonstrate SEAL-3 level, or the Digital Resilience level, implying that they are immune from supply chain disruption from non-EU third parties. S3NS could not.
In response to this latest development, CISPE told us that the Commission's framework fails to provide clear, trustworthy answers to two vital questions: what happens to your cloud infrastructure if a foreign government wants to turn it off, and what happens if a foreign government wants access to your data in that cloud?
"Recognising S3NS, which leverages Google's cloud technology, as 'sovereign' is clearly an own goal and threatens to institutionalize sovereignty washing at the highest levels," said CISPE Secretary General Francisco Mingorance.
Source: The Register