Ahead of the upcoming EU Cloud and AI Development Act, this Benchmark explores cloud-specific certification or qualification schemes across 19 EU countries. Sovereignty and/or data residency requirements were identified in cloud schemes in the Czech Republic, France, Italy, Poland and Slovakia.
While some of these schemes (e.g. France and Germany) are based on security certification, in others (e.g. Czech Republic and Slovakia), cloud services providers (CSPs) need to be authorised by competent authorities to be able to offer their services to public administrations.
In general, the schemes are mandatory either to certain public administrations, depending on the sensitivity or criticality of the data they hold (public administrations can only engage with certified or qualified CSPs), or to all public administrations (in this case, different security levels apply depending on the sensitivity and criticality of the information processed).
The sovereignty requirements identified across the surveyed EU countries take different forms, including caps on shareholding rights that can be held by non-EU companies, having the central administration, establishment or seat in the EU, and ensuring legal independence from third-country jurisdictions.
Scope
Region: Europe
Countries covered: 19 EU countries
Policy area: Cloud, data centers, security
Last updated: April 2026
For more information and access to the full benchmark, please click on “Access the full content” - or on “Request access”, in case you are not subscribed to our European Digital Economy service.
more news
20 April 26
The rise of AI agents in China triggers new industrial and security policies
China’s booming market for artificial intelligence (AI) agents has drawn international attention due to the far-reaching economic, industrial and social impacts. This Global Trends report explains the context and significance of this new phenomenon. It also discusses how the Chinese government has been addressing both the opportunities and challenges brought by the fast adoption of AI agents in China.
15 April 26
VOD advertising to children: fragmented regulatory approaches across the Americas
Cullen International’s latest benchmark shows whether there are restrictions on advertising to protect public health or minors in selected countries in the Americas region.
09 April 26
Asia-Pacific sharpens regulatory control of IoT connectivity across roaming, licensing and SIM registration frameworks
Global IoT connectivity continues to rely heavily on SIM-based architectures, often using cross-border roaming to connect devices deployed at scale. Cullen International’s latest research examines how regulatory frameworks across seven APAC markets affect these connectivity models, while also reflecting broader implications for deployments using local SIM profiles or hybrid architectures.