Twenty-Four Hours.
Tomorrow Brussels Will Define Sovereign Cloud. Today, Eighty Percent of European Public-Sector Cloud Spending Already Fails the Draft No One Has Read.
Eighty percent. Three hundred and one billion dollars. Sixty-five percent regional share. Five SEAL levels. Four awarded consortia, of which one — S3NS — is a joint venture with Google. One Cloud and AI Development Act due in the Commission’s College on the twenty-seventh of May, the day after this edition publishes.
The Cloud and AI Development Act, CADA, is the legal instrument that converts five years of EU cloud-sovereignty rhetoric into a binding obligation. It is also the moment European enterprise architecture stops being able to argue that the sovereignty question is a procurement detail or a regulatory aside. Tomorrow morning, the Commission College is scheduled to present CADA together with the Chips Act 2.0 inside a single Tech Sovereignty Package. The same package is expected to define, for the first time at EU level, the eligibility criteria for cloud and AI services that handle sensitive public-sector data. The architecture community has had years to prepare. Most of it did not.
Today’s edition pre-publishes the Sovereignty Stress Vector — SSV — a five-axis diagnostic designed to stress-test any cloud, AI, or data stack against both of the sovereignty scenarios on the CADA table, before the legal text is final. SSV does not depend on which scenario the Commission picks. It is built to falsify the architecture either way.
The Two Scenarios Brussels Is About to Choose Between
Two architectures of sovereignty are currently in the College draft, and both have political weight behind them.
The first is strict sovereignty. Under strict sovereignty, sensitive public-sector workloads — defined in current Council discussions as financial supervision data, judicial records, and health data covered by the European Health Data Space — would be hostable only on cloud providers headquartered in the European Union, with no extraterritorial parent and no exposure to third-country law-enforcement compulsion. This is France’s preferred line. It corresponds to SEAL-4 in the Commission’s own Cloud Sovereignty Framework — the level the framework itself describes as “very high to complete digital sovereignty” with minimal critical non-EU dependencies.
The second is qualified sovereignty. Under qualified sovereignty, the same workloads could remain on hyperscaler technology, but only when delivered through joint ventures that meet operational requirements: EU-based and EU-cleared staff, encryption keys under EU control, no contractual party domiciled outside the Union, and an explicit operating model designed to defeat extraterritorial process. This is the SEAL-3 line. It is the line the Commission’s own April seventeenth procurement award already crossed when it recognised S3NS — a Thales-majority joint venture running Google Cloud technology — as eligible alongside three fully European consortia, splitting one hundred and eighty million euros over six years.
CISPE called that recognition an own goal. The Secretary General of the European cloud trade body publicly warned that recognising a Google-technology venture as sovereign “threatens to institutionalize sovereignty washing at the highest levels.” The Commission’s counter-position is the operational doctrine — that “non-European technologies, when operated within a strict and appropriate framework, can meet the minimum level of sovereignty required.” That doctrine is now the philosophical pivot of CADA itself.
For enterprise architects, the choice between strict and qualified sovereignty is not a debate to win. It is a procurement reality: either version will arrive at the same desk, and the diagnostic question is the same. Can the workload pass either bar without re-architecture?
Why Eighty Percent of European Cloud Spending Is Architecturally Exposed
The macro picture is unambiguous. AWS, Microsoft Azure, and Google Cloud together hold roughly sixty-five percent of the European regional cloud market. American providers absorb close to eighty percent of European Union professional cloud expenditure — three hundred and one billion dollars annually. European providers — OVHcloud, Deutsche Telekom T-Systems, Telefonica Tech, Aruba, Scaleway, IONOS — together hold approximately fifteen percent.
Public sector adoption is more concentrated, not less. Most national digital strategies between 2021 and 2025 settled on hyperscaler-first procurement because hyperscalers were the only providers able to absorb the workload scale of a national tax authority, a national health service, or a national identity register on the timelines those programmes demanded. That decision is now being re-litigated under CADA — by the same Commission that signed off on the strategies in the first place.
The architecturally consequential point is not the market share. It is that the eighty-percent figure was accumulated under a regulatory regime that did not yet define sovereignty as a procurement disqualifier. Tomorrow’s legislative move converts a market position into a compliance position retroactively. The transition risk lives in the architecture, not in the procurement file.
The Sovereignty Stress Vector
SSV is a five-axis architectural stress-test. It does not measure whether a provider claims to be sovereign. It measures whether the workload running on the provider survives both CADA scenarios without re-engineering. Each axis is scored one to five. A composite of twenty-five indicates SSV-ready under either scenario. A composite below fifteen indicates that the day CADA passes is the day the public-sector contract becomes contestable. Most European public-sector workloads score between eight and twelve today.
Axis 1 — Header Jurisdiction (HJ)
Header Jurisdiction measures the legal jurisdiction at the top of the corporate stack that owns the technology you depend on. Not the operating entity in your contract — the parent, the ultimate controller, the jurisdiction whose law-enforcement and economic-sanctions regimes can reach the provider regardless of where the technology runs. This is the question the US CLOUD Act made existential and the question that joint-venture structures are designed to obscure rather than answer.
Regulatory anchors: CADA Article 114 TFEU base; Cloud Sovereignty Framework SEAL-1 to SEAL-4; GDPR Article 48 (third-country compelled disclosure); EU Data Protection Board Recommendations 01/2020 on supplementary measures.
Score 5 if the provider parent and every entity in the contractual chain are EU-headquartered, with no third-country golden share, no change-of-control trigger that admits non-EU acquirers, and no controlling shareholder agreement signed outside the Union. Score 1 if the provider is a US-incorporated parent operating in Europe under a wholly-owned subsidiary. Score 3 if the structure is a joint venture in which non-EU technology is delivered through an EU-cleared operator — the S3NS pattern.
Axis 2 — Operations Locus (OL)
Operations Locus measures where the operational control of the workload physically and personally lives. Not where the data centre is — where the encryption keys, the support tunnels, the change tickets, the privileged accounts, the runbooks, and the people who can read or modify the workload at three in the morning actually reside. SEAL-3 lives or dies on this axis.
Regulatory anchors: Cloud Sovereignty Framework SEAL-3; CADA expected operational requirements; ENISA EUCS scheme high assurance; ISO/IEC 27001 Annex A.5.16, A.8.5.
Score 5 if encryption keys are held under EU customer control or EU-domiciled KMS with no third-country root of trust, support is delivered exclusively by EU-cleared personnel, and no privileged session can be initiated from outside the Union. Score 1 if the provider operates a global support model with follow-the-sun rotation through non-EU jurisdictions and a global root of trust under non-EU control. Score 3 if encryption keys are EU-controlled but operational support remains hybrid.
Axis 3 — Extraterritorial Exposure (EE)
Extraterritorial Exposure measures the reach of foreign legal compulsion into the workload regardless of the technical controls in place. The US CLOUD Act is the primary instrument. FISA 702 is the secondary instrument. The point of this axis is to make the legal-process risk explicit and architecturally addressable, rather than leave it as a footnote in the supplier governance pack.
Regulatory anchors: GDPR Article 48; Schrems II; CLOUD Act 18 U.S.C. § 2713; FISA Section 702; EDPB Recommendations 01/2020; CADA expected extraterritoriality clause.
Score 5 if no entity in the contractual or technical chain is subject to third-country compelled-disclosure law. Score 1 if the provider parent is a US-incorporated entity directly within CLOUD Act scope and the operator cannot demonstrate effective insulation. Score 3 if the operator is EU-incorporated but the technology supplier remains within third-country compulsion reach — again the joint-venture pattern.
Axis 4 — Power-of-Substrate Continuity (PSC)
Power-of-Substrate Continuity measures whether the workload survives the physical substrate it runs on — the grid, the carriers, the cooling, the substations. Edition 50 of this newsletter introduced GAIA-D on the seven-year grid-connection wait now standard in FLAP-D hubs. CADA proposes to triple EU data-centre capacity. The substations are not on the same timeline. The sovereignty fight has migrated from the cloud to the substation, and CADA is the legal instrument that locks the contradiction in place.
Regulatory anchors: Energy Efficiency Directive Article 12 (Q2 2026 Data Centre Energy Efficiency Package); CADA proposed data-centre tripling; NIS2 Annex I energy and digital infrastructure; DORA Article 11 business-continuity; CSRD ESRS E1.
Score 5 if the workload’s primary and secondary substrate sit on firm-power grid-connected sites within the Union with multi-carrier diversity and demonstrated curtailment tolerance. Score 1 if the workload is hosted in a single FLAP-D submarket with no firm-power contract and no curtailment runbook. Score 3 if firm power is contracted but curtailment events have not been exercised. Cross-reference: GAIA-D Axis 1 maps directly into SSV Axis 4.
Axis 5 — Settlement Continuity Under Sovereignty Stress (SCSS)
Settlement Continuity Under Sovereignty Stress measures whether the payments leg, the agentic commit leg, and the audit-trail leg of the workload all survive a forced jurisdictional re-host. This is the axis where CADA collides with the agentic-payments stack that this newsletter has tracked since the x402 Foundation launch on the second of April. Fireblocks joined that foundation on the twentieth of May with an Agentic Payments Suite explicitly billed as the governance layer x402 itself lacked. AWS launched Bedrock AgentCore Payments on the seventh of May. The settlement plumbing for agentic commerce is becoming productised at hyperscaler scale while the sovereignty question above it is unresolved.
Regulatory anchors: DORA Article 11 business-continuity; MiCA Article 34 stablecoin custody and redemption; PSD3/PSR final compromise pending Parliament plenary; CADA expected workload-portability clause.
Score 5 if every payment instrument, agent-identity store, settlement asset, and audit trail can be re-instantiated under an EU-sovereign operator within the recovery-time objective defined by the workload’s DORA classification. Score 1 if the audit trail itself is hosted outside the workload’s sovereignty perimeter — that is, the regulator cannot reach the evidence without the third-country provider’s cooperation. Cross-references: ACAM Layer 1 (Edition 48), AGCR-D Axis 5 (Edition 51), AASI Axis 5 (Edition 52).
How to Read the Composite
Score one to five on each axis. Composite twenty-five — SSV-ready under either CADA scenario. Composite twenty to twenty-four — defensible under qualified sovereignty, exposed under strict. Composite thirteen to nineteen — exposed under qualified sovereignty, indefensible under strict. Composite below thirteen — every public-sector contract in the workload is contestable from the day CADA is published in the Official Journal. Any single axis below three is, on its own, a standalone procurement finding even if the composite passes.
The diagnostic is deliberately blunt. CADA will not reward narrative. It will reward the architecture that scores.
Why This Edition Sits on Top of the Last Seven
SSV is the synthesis edition for the sovereignty thread. SHAD (Edition 47) named sovereign cloud as the architecture risk inside European healthcare. GAIA-D (Edition 50) named power sovereignty as the third sovereignty axis after data and operations. AGCR-D (Edition 51) named the AI gateway library as the fifth, regulator-invisible layer of third-party concentration. AASI (Edition 52) named the agent fleet itself as the most populous, least governed, regulator-invisible third party in the European enterprise.
SSV folds all four into a single portfolio diagnostic, tuned to the legal instrument that arrives tomorrow. The five SSV axes are designed so that an enterprise that has already scored AGCR-D, SAVED, GAIA-D, and AASI can pull most of the input data without a new evidence pass. The work has already been done. SSV is the consolidation.
The Architecture Bet CADA Forces
Brussels is about to choose between two definitions of sovereignty, and both are achievable architectures. Neither is a default. Strict sovereignty rewards the European cloud ecosystem that CISPE represents and forces hyperscaler workloads to be re-architected or surrendered. Qualified sovereignty rewards the joint-venture pattern that S3NS pioneered and forces the operating model of every hyperscaler deployment to be re-engineered to defeat extraterritorial reach. Both definitions terminate the casual hyperscaler-first procurement that produced the eighty-percent figure. Neither leaves the current architecture in place.
Sovereignty washing is the failure mode of qualified sovereignty done badly. Sovereignty surrender is the failure mode of strict sovereignty done late. SSV is the diagnostic that distinguishes which failure mode the workload is heading for, and how many axes of re-architecture stand between today’s posture and either of CADA’s definitions of pass.
The architecture bet is not whether sovereignty is coming. It is whether your stack can name, on every axis, the version of sovereignty it is built for. Tomorrow morning, Brussels names the question. Today, the architecture answers it. Or it does not.
Hawk Nest Newsletter is written by Paulo Falcao. For twenty-five years, helping organisations turn complex technology challenges into measurable business outcomes — payments systems, enterprise architecture, AI, technology. The intersection of strategy and architecture, converted into reliable, revenue-generating reality. SSV joins the IP portfolio next to SIRM, AVAEM, SHAD, ACAM, SAVED, GAIA-D, AGCR-D, and AASI.
Originally shared in the Hawk Nest LinkedIn newsletter.