Ahead of the upcoming EU Cloud and AI Development Act, this Benchmark explores cloud-specific certification or qualification schemes across 19 EU countries. Sovereignty and/or data residency requirements were identified in cloud schemes in the Czech Republic, France, Italy, Poland and Slovakia. 

While some of these schemes (e.g. France and Germany) are based on security certification, in others (e.g. Czech Republic and Slovakia), cloud services providers (CSPs) need to be authorised by competent authorities to be able to offer their services to public administrations. 

In general, the schemes are mandatory either to certain public administrations, depending on the sensitivity or criticality of the data they hold (public administrations can only engage with certified or qualified CSPs), or to all public administrations (in this case, different security levels apply depending on the sensitivity and criticality of the information processed).

The sovereignty requirements identified across the surveyed EU countries take different forms, including caps on shareholding rights that can be held by non-EU companies, having the central administration, establishment or seat in the EU, and ensuring legal independence from third-country jurisdictions.

Scope
Region: Europe
Countries covered: 19 EU countries
Policy area: Cloud, data centers, security
Last updated: April 2026

For more information and access to the full benchmark, please click on “Access the full content” - or on “Request access”, in case you are not subscribed to our European Digital Economy service.