On page six of the European Commission’s Cloud Sovereignty Framework (CSF), in a paragraph no one asked for, nothing required, and apparently no lawyer reviewed, the Commission explains why Legal and Jurisdictional Sovereignty counts for only ten percent of the Sovereignty Score. The text reads: “The weighting considers that the procurement procedure already contains significant safeguards in certain domains such as SOV-2 (Legal and Jurisdictional) and SOV-7 (Security and Compliance).”[1]

This is the Commission arguing, in its own document, that it downweighted legal sovereignty because the procurement process was already handling it. It is difficult to produce a more self-incriminating sentence.

Six months after that framework was published, the Commission awarded €180 million in framework contracts under it.[2] The press release notes that one winning consortium “leverages capacities of partners S3NS, Clarence, and Mistral from a technical environment based on Google Cloud technology, exclusively operated by EU companies.”[3] That will certainly raise a few eyebrows.

And did the Commission ignore that the consortium’s Belgian data center footprint is owned, with fifty percent voting control, by a Canadian-managed investment vehicle? And that one month before the Commission published its framework, the jurisdiction that manages that vehicle had issued a ruling from the Ontario Court of Justice — compelling a French sovereign-cloud champion to hand over EU-hosted customer data to Canadian police, and dismissing France’s blocking statute as an “empty vessel”?[4]

Oops.

Either way, the Commission did not relax the definition of sovereignty. It scored it down to ten percent.

The Award

The EU’s Cloud III Dynamic Purchasing System ran the procurement. Four consortia won framework contracts — maximum authorized spend €180 million, six-year term — to provide sovereign cloud services to EU institutions and agencies.[5]

The winners: Post Luxembourg’s data center subsidiary DEEP, in partnership with OVHcloud and Clever Cloud. Schwarz Digits’ StackIT, the cloud unit of the Schwarz Group behind the Lidl and Kaufland retail chains. Iliad’s Scaleway. And a Proximus-led consortium bundling S3NS, Clarence, Mistral AI, and Thales.[6]

No winner reached SEAL-4 (Sovereignty Effectiveness Assurance Level 4), “Full Digital Sovereignty”, defined as “Technology and operations under complete EU control, subject only to EU law, with no critical non-EU dependencies.”[7]

Three of the four — Post/OVHcloud/Clever Cloud, StackIT, and Scaleway — reached SEAL-3, defined as “EU law applicable and enforceable, EU actors exercising meaningful but not full influence; service, technology or operations under marginal control of non-EU third parties.” The Proximus consortium reached SEAL-2, defined as “EU law applicable and enforceable, with material non-EU dependencies remaining; service, technology or operations under indirect control of non-EU third parties.”

The tier progression encodes a distinction that the piece will return to. SEAL-2 permits “material non-EU dependencies remaining.” SEAL-3 permits only “marginal control of non-EU third parties.” SEAL-4 permits no critical non-EU dependencies at all and requires operations “subject only to EU law.” The framework treats these as cumulative steps on a single ladder. They are not. They are three different questions, and a consortium can satisfy the first two while remaining legally exposed on the third.

The Commission drafted SEAL-4 as Full Digital Sovereignty, published it in the framework, and awarded €180 million without using it. Europe’s most credible sovereign cloud providers, competing in a procurement designed by the Commission to measure sovereignty, could not clear the sovereignty tier the Commission itself defined as the goal. SEAL-4 is not a target. It is the placeholder the framework reserves for a future in which European digital sovereignty exists.

The Eight Objectives

The Cloud Sovereignty Framework, Version 1.2.1, was published by the Commission in October 2025, after iterative drafts spanning roughly two years. It organizes sovereignty into eight objectives, each with a weighting that sums to 100%.[8]

The critical ratio, for a PE or procurement reader: supply chain (SOV-5) and technology (SOV-6) together carry 35% of the Sovereignty Score; operational sovereignty (SOV-4) another 15%; strategic sovereignty (SOV-1) 15%. Legal and jurisdictional sovereignty (SOV-2) — the objective that measures exposure to non-EU legal reach — carries a 10% weighting. Security and compliance (SOV-7): another 10; data and AI sovereignty (SOV-3): 10; environmental sustainability (SOV-8): 5.[9]

This is defensible only if physical and operational EU control substantially produces legal EU insulation. The assumption is load-bearing. It is also contestable.

The framework’s SOV-2 scoring rubric enumerates two specific foreign instruments: the United States CLOUD Act and the Chinese Cybersecurity Law, with a residual reference to “non-EU laws with cross-border reach.”[10] The CLOUD Act deserves its prominence. It is the most documented threat to EU data sovereignty, with Microsoft, Google, and Amazon each publishing transparency reports detailing US authority demands for EU-hosted data. The framework was right to center it.

But the framework was published in October 2025. One month earlier, on September 25, 2025, a Canadian court issued a ruling that demonstrated exactly what the framework’s “non-EU laws with cross-border reach” catch-all does not capture—and, materially, does not name.

The Ottawa Ruling

The case is R. v. OVH Group SA and Hébergement OVH Inc., Court File 24-000659, Ontario Court of Justice, before Justice Heather Perkins-McVey.[11]

In April 2024, the Royal Canadian Mounted Police (RCMP) obtained a Production Order under section 487.014(1) of the Canadian Criminal Code, targeting subscriber data and metadata associated with four IP addresses hosted on OVH servers in France, the United Kingdom, and Australia. The investigation is a national security matter; the underlying facts are sealed.

OVH’s defense was triple-layered. The French parent argued it had no physical presence in Canada and that its Montreal subsidiary, Hébergement OVH Inc., was a separate legal entity that did not control the parent’s data. The French Blocking Statute — Loi 68-678 of July 26, 1968, strengthened by Decree No. 2022-207 — prohibited French companies and personnel from disclosing economic or technical data to foreign public authorities outside formal treaty channels, on penalty of six months’ imprisonment and fines up to €90,000 for legal persons. And Canada and France have a Mutual Legal Assistance Treaty (MLAT); France’s Ministry of Justice had offered expedited processing. The lawful channel was sitting open.[12]

The court rejected all three.

On jurisdiction, Justice Perkins-McVey applied what Canadian courts call the “virtual presence” doctrine: a seven-year settled line across four provinces holding that a foreign corporation with a “real and substantial connection” to Canada — data centers, Canadian customers, marketing targeting Canadian users — falls within Canadian jurisdiction regardless of where its data is physically stored.[13] OVH conceded that it controlled the data and was capable of responding to a lawful court order.[14] From there, the question answered itself.

On the blocking statute, the court acknowledged that Article 1 bis of Loi 68-678 applied. France’s SISSE — the Service de l’Information Stratégique et de la Sécurité Économiques, designated as the official enforcement point under the 2022 reforms — had written to OVH in May 2024 asserting that disclosure would violate French law. The court weighed that evidence and dismissed it. Only one conviction had ever been recorded under Article 1 bis in nearly half a century since it was added to the statute in 1980. Expert witnesses could not point to a single case in which the statute had been respected by a foreign court. Justice Perkins-McVey adopted the English High Court’s “empty vessel” characterization — the standard articulated by Butcher J in Tugushev v. Orlov and applied in Joshua v. Renault — concluding that the blocking statute, in practical effect, is an empty vessel.[15]

On MLAT, the court held the treaty process permissive, not mandatory: Canadian courts retain jurisdiction to issue production orders where the target is present in Canada, and the availability of MLAT does not preclude that jurisdiction.[16]

The application to revoke the production order was dismissed. OVH Group SA and Hébergement OVH Inc. were ordered to comply by October 27, 2025. OVH filed for judicial review to the Ontario Superior Court of Justice through Miller Thomson at the end of October 2025. As of this writing, that appeal is pending.[17]

Three facts carry forward from the ruling into the framework analysis.

The “virtual presence” doctrine is not a one-off improvisation by a trial court. It is a seven-year settled line across British Columbia, Alberta, Quebec, and Ontario, anchored by two provincial Courts of Appeal and reinforced by two 2025 Superior Court rulings extending the doctrine to restraint and management orders. A single Newfoundland ruling that pointed the other way was explicitly declared non-binding.

OVH’s own sovereignty marketing was quoted by the Crown as evidence of control. OVH’s corporate website describes the company as “part of an active ecosystem that shares the same values, and a common vision of a sovereign cloud” — language lifted directly into the Crown’s compendium at Tab 4 as proof that OVH operates as a unified global enterprise over which its Canadian subsidiary exercises possession or control.[18] The branding that OVH built to sell sovereignty became the evidence that defeated its sovereignty defense in court.

And a twenty-five-year-old Ontario Superior Court ruling, Wilson v. Servier Canada, had already held in the civil context that French blocking statutes should be given “minimal weight” when they conflict with Canadian proceedings anchored on a real and substantial connection to Ontario.[19] Wilson was a civil class action, not a criminal production order, and the analogy has limits. But the Canadian courts’ general posture toward French extraterritorial protection predates 2024 by decades.

CSF Version 1.2.1 was published one month after Justice Perkins-McVey released her ruling. A Commission drafter scoping the CSF’s SOV-2 risk vectors would have found it on a first search.

The Proximus Consortium

Of the four winning consortia, only the Proximus-led group scored SEAL-2. It also carries the most complex non-EU exposure, and the Commission’s press release names the exposure on both ends of the stack.

The consortium bundles five entities. Clarence is a Luxembourg-based joint venture between Proximus and LuxConnect (a Luxembourg state-owned company) that deploys Google Distributed Cloud in an air-gapped configuration. S3NS is Thales Cloud Sécurisé SAS, a Thales subsidiary licensed to operate Google Cloud technology from three Île-de-France facilities under the French “Cloud de Confiance” framework, qualified SecNumCloud 3.2 in December 2025.[20] Mistral AI provides model services. Thales contributes security infrastructure, including hardware security modules. Proximus is the Belgian telecommunications incumbent — with the Belgian state holding an economic stake of 53.51 percent through SFPI-FPIM (Société Fédérale de Participations et d’Investissement) — and acts as a systems integrator for Belgian federal agencies, covering more than 70,000 users.[21]

Two of the five — S3NS and Clarence — run Google Cloud technology. Both sit within sovereign-cloud qualification constraints intended to insulate the technology from its American owner. The mechanism is corporate and operational: Thales holds a controlling interest in S3NS with Google as a minority partner, and only cleared EU citizens can access production systems. Thales holds the hardware security module keys, and the Google software stack is deployed through a technical quarantine intended to prevent upstream control. The French ANSSI referential for SecNumCloud 3.2 caps non-EU ownership at 24 percent individually and 39 percent collectively, covering both share capital and voting rights, direct or indirect. Google’s stake in S3NS is structurally constrained below these caps by the qualification requirement itself; the exact equity split has not been publicly disclosed by Thales or Google.[22] For its part, the Commission’s April 17 press release accepts the arrangement at SEAL-2 — “Data Sovereignty” in the framework’s own naming. It describes the technical environment as “based on Google Cloud technology, exclusively operated by EU companies.”[23]

The SecNumCloud qualification is real. The personnel, key-custody, and operational constraints it imposes on Google-powered partnerships materially reduce the likelihood that a CLOUD Act demand on the American partner reaches tenant data, the specific threat vector the framework was designed to address. What SecNumCloud does not address is an exposure category involving different actors in the stack: the physical infrastructure owner, the infrastructure owner’s shareholders, and the shareholders’ investment manager. That exposure is not within the qualified entity’s control, nor is it within the framework’s named risk vectors.

The more direct exposure is elsewhere in the consortium’s stack. The integrator workloads Proximus runs for Belgian federal agencies — the logging infrastructure, the operational telemetry, the coordination surfaces — run on Belgian data centers. Proximus itself owned those facilities until March 2025, when it sold them to Datacenter United for €128 million cash, against a combined enterprise value of €200.5 million.[24]

Who owns Datacenter United? TINC NV, a Belgian-listed infrastructure fund, holds 47.5 percent economic / 50 percent voting. Cordiant Digital Infrastructure Limited, together with a second Cordiant-managed vehicle, holds 47.5 percent economic / 50 percent voting, with aggregate equity consideration of €92.3 million. Friso Haringsma, CEO, holds 5 percent of non-voting shares.[25]

Let’s keep digging. Cordiant Digital Infrastructure Limited is a closed-end investment company listed on the London Stock Exchange since February 2021. Its investment manager — the firm that controls investment decisions, allocation, and board representation on behalf of the listed company — is Cordiant Capital Inc., a private markets asset management firm headquartered in Montreal, Quebec, with additional offices in London, Luxembourg, and São Paulo.[26]

The analytical parallel to OVH is imperfect, and the piece acknowledges this. Cordiant Capital Inc. is an asset manager; it does not directly access tenant data, and a Canadian production order to Cordiant would face a higher “possession or control” hurdle than OVH Canada faced. A fund’s management jurisdiction imposes regulatory obligations on the fund, not automatically on the tenants of its portfolio companies.

The objections are real. What they do not close is the structural exposure. Belgium has no equivalent to Loi 68-678. The legal barrier the OVH ruling dismissed is not even in place to be dismissed here. The seven-year Canadian precedent line is still expanding, and In re TD Bank Production Order in 2025 narrowed the “possession or control” test further — the Quebec Superior Court found that a Canadian parent had possession or control over data held by a US subsidiary on the strength of its corporate control, without requiring direct technical access. That test applied to the Cordiant chain is harder than OVH Canada faced, but not categorically different from the one TD Bank lost on.[27]

The exposure is present in the ownership chain, but has not yet been demonstrated in an enforcement event. Risk committees should assess exposure categories that the framework does not name without assuming any specific exposure has materialized.

What Actually Exists

Three of the four winners come closer to what the framework’s SEAL-4 language describes.

The Post Luxembourg consortium runs through DEEP, the data center subsidiary of Post Telecom (itself a subsidiary of POST Luxembourg, 100% owned by the Luxembourg state). DEEP operates three data centers in Luxembourg at Windhof, Kayl, and Betzdorf, carrying Tier IV Uptime Institute certification — Kayl and Betzdorf at Tier IV Constructed Facility level, Windhof at Tier IV Design Documents level — and hosts OVHcloud infrastructure and Clever Cloud workloads on sovereign Luxembourg soil.[28] OVHcloud itself is listed on Euronext Paris; the Klaba family holds approximately 81 percent of shares.[29] Clever Cloud is French and privately held. The full stack runs on EU-owned infrastructure in an EU jurisdiction. This is a genuine sovereignty claim at SEAL-3, and if the framework’s SOV-2 actually tested legal exposure, it could plausibly have scored higher.

StackIT, the cloud unit of Schwarz Digits, runs in data centers the Schwarz Group has operated for decades — DC01 in Neckarsulm, DC08 in Ellhofen, DC10 in Ostermiething, Austria, and a new 200 MW facility under construction at Lübbenau with an €11 billion capex commitment through 2027.[30] Schwarz Group, the privately-held Schwarz family holding that also controls Lidl and Kaufland, reported fiscal year 2024 total sales of €175.4 billion; Schwarz Digits segment revenue was €1.9 billion, with StackIT as one of several business units within the digital segment.[31] No non-EU entity appears in the ownership or operational chain.

Scaleway’s parent is Iliad, the French telecommunications group controlled by Xavier Niel. Its Paris-anchored sovereign-qualified infrastructure — Paris DC2 through DC5, Lyon, Marseille, and facilities in Poland — is operated by OpCore, carved out of Scaleway in July 2024 and converted into a fifty-fifty joint venture between Iliad and InfraVia Capital Partners on March 2025 closing, at an enterprise value €860 million and a €2.5 billion capex commitment over ten years.[32] InfraVia is a French independent private equity firm headquartered in Paris, regulated under the EU’s Alternative Investment Fund Managers Directive.

Three of the four consortium members run infrastructure that the framework was designed to produce. The SOV-5 Supply Chain weight — the heaviest in the rubric at 20% — rewards EU-owned hardware and operations, and the SEAL-2 eligibility floor keeps non-sovereign offerings out entirely. The result: all four winners operate on EU soil with EU-controlled physical layers. Physical sovereignty is genuine at three of the four.

The framework succeeded at physical sovereignty. It was not designed to deliver legal sovereignty, and SOV-2 at 10% never was. The SEAL-4 definition says it plainly: "subject only to EU law."

That is not a question of where servers sit. The question is whether every legal avenue through which a non-EU authority could compel disclosure has been closed. None of the four winners can answer yes.

The Commission has not published individual scoring breakdowns. We know the tier outcomes; we do not know which objectives each winner failed, by how much, or whether the gap was structural or marginal. That opacity is itself a finding.

The Governance Pattern

The Commission’s sovereign cloud framework is the third European attempt in three years to codify cloud sovereignty as a procurement instrument. EUCS — the European Union Cybersecurity Certification Scheme for cloud services — stalled in draft over exactly this question: whether the highest assurance level should require ownership by an EU entity not subject to non-EU law. France pushed for the requirement, with Italy and Spain supporting it. A coalition of Member States, including Denmark, Estonia, Greece, Ireland, the Netherlands, Poland, and Sweden, resisted, signing a joint non-paper in July 2022; by mid-2023, approximately twelve Member States opposed the sovereignty requirement. The final March 2024 draft dropped the ownership requirement in favor of an International Company Profile Attestation.[33] The proposed Cloud and AI Development Act (CADA), announced but not yet tabled as of April 2026, is the Commission’s next attempt.[34]

The CSF filled the gap left by EUCS, and CADA has not closed it. The Commission chose to do what it could procure — a scoring rubric tied to a dynamic purchasing system — rather than what it could not secure politically: a legal definition of sovereignty with binding ownership constraints.

For three years, Paris held the line in the EUCS negotiations: sovereignty meant EU ownership, full stop, no hyperscaler joint ventures, no Cloud de Confiance workarounds. Italy and Spain agreed. Twelve Member States did not. The EUCS draft dropped the ownership requirement in March 2024. The maximalist French demand became a scoring coefficient that the Commission preemptively justified as redundant.

CISPE, the European cloud providers’ trade association, called the outcome six months early. Its October 24, 2025 statement “No Such Thing as ‘75% Sovereign’” warned that the framework’s ten-percent legal weighting would allow hyperscaler-backed offerings to qualify; Secretary General Francisco Mingorance was quoted saying “the big players will be able to achieve very high overall scores that minimize the impact of poor results in legal and jurisdictional sovereignty — which only account for 10% of the total score.” The Commission did not dispute the analysis. It published the award six months later, exactly as described.[36]

What Would Have to Break

The Commission’s April 17 press release announcing the €180 million award also announced the framework revision that would incorporate the lessons learned from the award. In the same press release. The Commission published the awards and the planned fix in a single document, which is either unusual procedural efficiency or a tell about what the Commission expected the reaction to be. Lessons are ordinarily learned after events. Here they were scheduled before the event’s ink dried.

The CSF’s defenders can argue the framework was never meant to be final. SEAL-4 exists in the definition even though no winner reached it; CADA is on the legislative calendar; the Commission stated in its April 17 announcement that it “will publish an updated version of the Sovereign Cloud Framework based on lessons learned from this tender.” True. Insufficient. A lessons-learned revision is a calibration instrument — it adjusts weights and contributing factors. The structural question is whether a future CSF iteration will restructure the SOV-2 weighting and extend the named risk vectors beyond the CLOUD Act and the Chinese Cybersecurity Law, not as an administrative update, but as a political choice.

The real test is whether the ten-percent SOV-2 weight reflects a drafting accident that a later iteration will correct, or a negotiated outcome reflecting a coalition that cannot accept binding legal sovereignty as a procurement requirement. The Commission’s own justification — that procurement procedure “already contains significant safeguards” at SOV-2 — points to the second.

The Proximus consortium’s composite score would fall below what the other three winners achieved. If SOV-2 contributing factors extended beyond the two named threats, Commonwealth extraterritorial doctrines would enter the evaluation matrix. The ten-percent weight and the two named threats are the mechanisms by which the framework was shipped to procurement on its intended timeline. Removing them reopens the EUCS deadlock.

This thesis would be wrong if CADA, when tabled, restructures the SOV-2 weighting and extends the named risk vectors to cover Canadian, UK, and Five Eyes extraterritorial reach, and does so with binding effect. It would be wrong if the Ontario Superior Court of Justice overturns OVH on the pending appeal, unwinding the case on narrow procedural grounds that deny broader doctrinal implications.

None of these seems likely. CADA has been on the European Parliament’s legislative train since 2025 and has not been tabled; the Q1 2026 tabling window closed without a Commission proposal. The OVH appeal, even if successful, unwinds the specific case but not the doctrine — the Canadian precedent line is seven years and four provinces deep, and one reversal does not erase two Courts of Appeal and two 2025 Superior Court rulings. European institutions process data continuously; the framework contracts are live now.

What actually breaks the pattern is an enforcement event. A Canadian production order that reaches a Cordiant-managed Belgian data center; a UK Investigatory Powers Act technical capability notice served under section 253 on a telecommunications operator in the ownership chain of a Commission-awarded tenant’s infrastructure; a CJEU ruling, on preliminary reference under GDPR Articles 44–48, that personal data processed under a CSF-awarded contract fell outside the transfer framework because the CSF’s sovereignty assurance did not substantially block non-EU access. Until one of those arrives, the framework holds.

The CSF’s enforcement failure, like the failures that preceded EUCS and CADA, is not a bug. It is the negotiated outcome. The Commission’s page-six explanation — that SOV-2 is downweighted because procurement procedure “already contains significant safeguards” — is, read strictly, accurate. The procurement process did contain safeguards. They were the ones the Commission chose to put there.

The weights were set, the named threats were chosen, and the SEAL tiers were defined to produce a specific outcome: a procurement the Commission could run, with winners it could defend, under a rubric it controlled. The OVH ruling didn’t fit that rubric. The Cordiant ownership chain didn’t fit that rubric. The Canadian virtual presence doctrine didn’t fit that rubric. So they were not named, SOV-2 was weighted at 10%, and the contracts were awarded on schedule.

The European Commission did not relax the definition of sovereignty on April 17, 2026. It built a scoring matrix that made its preferred outcome look like a sovereignty finding, awarded €180 million under it, and announced the lessons-learned revision in the same press release. The next framework will be more defensible. It will not be more sovereign.

Did you really expect something else?

Notes

[1] European Commission, Directorate-General for Digital Services, Cloud Sovereignty Framework, Version 1.2.1, October 2025, p. 6 (Section 5, Computation of Sovereignty Score). The document cover carries “Version 1.2.1 – Oct. 2025”; external sources (CISERO, Interoperable Europe Portal, CISPE responses) place publication on or about October 20, 2025. Direct quotation from the document’s justification for SOV-2 and SOV-7 weighting.

[2] European Commission press release, “Commission advances cloud sovereignty through strategic procurement,” IP/26/833, April 17, 2026. €180 million is the maximum authorized spend under the framework contract, not a committed disbursement; actual call-offs across the six-year term will determine spend. Mechanism: Cloud III Dynamic Purchasing System. The same announcement states that the Commission “will also publish an updated version of the Sovereign Cloud Framework based on lessons learned from this tender”; this is cited in the body’s Act 6 as the Commission’s own acknowledgment of a lessons-learned revision cycle.

[3] European Commission press release, April 17, 2026, describing the Proximus-led consortium’s technical architecture. Direct quotation.

[4] R. v. OVH Group SA and Hébergement OVH Inc., Ontario Court of Justice (Ottawa), Court File 24-000659, Heather E. Perkins-McVey J., decision released September 25, 2025. Signed final decision available via David Fraser, McInnes Cooper. The “empty vessel” characterization originates in Butcher J’s judgment in Tugushev v. Orlov, [2021] EWHC 1514 (Comm) at paragraph [33], and was applied to Loi 68-678 in Thomas John Joshua et al v. Renault S.A., [2024] EWHC 1424 (KB) at paragraphs [77]–[78]. Adopted in R. v. OVH at paragraph [115].

[5] European Commission announcement, April 17, 2026. The four awardees are identified in the Commission’s release.

[6] Winner composition per Commission announcement. Thales is named as a consortium partner in Commission and Proximus materials; the Commission press release specifically names S3NS, Clarence, and Mistral in describing the Google Cloud technology base.

[7] Cloud Sovereignty Framework, Version 1.2.1, Section 3, page 3. SEAL tier names and definitions verbatim from the document: SEAL-0 “No Sovereignty”; SEAL-1 “Jurisdictional Sovereignty”; SEAL-2 “Data Sovereignty”; SEAL-3 “Digital Resilience”; SEAL-4 “Full Digital Sovereignty.”

[8] Cloud Sovereignty Framework, Version 1.2.1, October 2025. Document cover dated “Oct. 2025”; contemporaneous coverage and Commission register place publication on or about October 20, 2025.

[9] Cloud Sovereignty Framework, Version 1.2.1, Section 5, page 6 weighting table. Per-objective weights: SOV-1 Strategic Sovereignty 15%, SOV-2 Legal & Jurisdictional Sovereignty 10%, SOV-3 Data & AI Sovereignty 10%, SOV-4 Operational Sovereignty 15%, SOV-5 Supply Chain Sovereignty 20%, SOV-6 Technology Sovereignty 15%, SOV-7 Security & Compliance Sovereignty 10%, SOV-8 Environmental Sustainability 5%. SOV-5 is the largest single weight; SOV-8 is the smallest and, notably, the only objective titled “Sustainability” rather than “Sovereignty.”

[10] Cloud Sovereignty Framework v1.2.1, SOV-2 contributing factors. The framework enumerates the US CLOUD Act and the Chinese Cybersecurity Law and adds a catch-all reference to “non-EU laws with cross-border reach” without naming specific Commonwealth jurisdictions.

[11] R. v. OVH Group SA and Hébergement OVH Inc., Ontario Court of Justice, Court File 24-000659, Ottawa, Heather E. Perkins-McVey J., decision released September 25, 2025. Crown counsel: Michael Fawcett; OVH counsel: Scott Spencer (Miller Thomson). The ruling is a statutory review under the Criminal Code s. 487.0193(4) of a Production Order issued under s. 487.014. The underlying Production Order was issued in April 2024; paragraph [1] of the ruling gives April 11, and paragraph [24] gives April 19 with specific IP/date associations, the latter treated as authoritative. Investigation sealed (national security).

[12] Summary of OVH’s position per paragraphs [3]–[9] of the ruling. French blocking statute at Loi 68-678 of July 26, 1968, with Article 1 bis added by Loi n° 80-538 of 16 July 1980, strengthened by Decree No. 2022-207 of February 18, 2022. Statutory penalty scheme under Article 3, as amended: imprisonment up to 6 months and fines up to €18,000 for individuals; for legal persons, the fine is fixed at 5× the individual fine under Article 131-38 of the French Code pénal, producing a maximum of €90,000.

[13] British Columbia (Attorney General) v. Brecknell, 2018 BCCA 5 (CanLII); R v Love, 2022 ABCA 269 (CanLII); In the Matter of textPlus Inc., 2022 ONSC 7413 (CanLII); In re TD Bank Production Order, 2025 QCCS 2094; R v Binance Holdings Ltd., 2025 ONSC 7113. Per R. v. OVH ruling paragraphs [40]–[53]. The Newfoundland authority In the Matter of an application to obtain a Production Order, 2018 Carswell Nfld 19, is distinguished as non-binding at paragraph [55]. The doctrine remains contested within the Canadian privacy bar — see David Fraser, Canadian Privacy Law Blog, December 5, 2025, arguing that Brecknell itself was wrongly decided on its facts (Craigslist had voluntarily accepted jurisdiction, a fact the OVH court did not preserve as a limiting principle). The piece’s framing reflects the doctrine as applied by the courts, not uniform agreement among Canadian commentators.

[14] Ruling at paragraph [60]: “OVH Parent has acknowledged that it controls the data sought and is capable of responding to a lawful court order (OVH Factum at para. 34).” Jurisdictional analysis at paragraphs [56]–[63].

[15] Ruling at paragraphs [79]–[123]. “Empty vessel” standard adopted from Butcher J in Tugushev v. Orlov, [2021] EWHC 1514 (Comm) at paragraph [33], applied to Loi 68-678 in Thomas John Joshua et al v. Renault S.A., [2024] EWHC 1424 (KB) at paragraphs [77]–[78]. Sole reported Article 1 bis conviction is the “Christopher X” case, Cour de cassation chambre criminelle, 12 December 2007, pourvoi n° 07-83.228, addressed at ruling paragraph [85]. Australian authority on the French Blocking Statute: ACCC v. Prysmian Cavi e Sistemi Energia S.R.L. (No 4), [2012] FCA 1323. US authority: Societe Nationale Industrielle Aerospatiale v. US District Court, 482 U.S. 522 (1987). The 2022 SISSE reforms under Decree No. 2022-207 are discussed at paragraphs [86]–[87]. The SISSE letter to OVH dated May 27, 2024 appears as Appendix B to the Barrière Affidavit (ruling at paragraph [108]); secondary press reports reference a further letter in January 2025 not directly quoted in the ruling.

[16] Ruling at paragraphs [97]–[105]. Canadian authority on MLAT’s permissive nature: R v Strong, 2020 ONSC 7528 at paragraphs 103, 112. The court’s conclusion that MLAT is not mandatory and does not preclude Canadian production orders appears at paragraphs [17] and [99].

[17] Ruling disposition at paragraphs [124]–[126]. Appeal filing confirmed by Heise Online, November 26, 2025, citing OVH filings. As of April 2026, no Ontario Superior Court ruling on the judicial review has been released.

[18] Ruling at paragraph [12], quoting OVH Canada’s “About Us” and “Our Values” pages as reproduced in the Crown’s compendium at Tab 4.

[19] Wilson v. Servier Canada Inc., 2000 CanLII 22407 (ONSC), cited at ruling paragraph [95]. An Ontario class action against a French pharmaceutical company, concerning French Civil Code Article 15 (a civil blocking statute asserting exclusive French jurisdiction). Civil procedural context, not criminal production orders; the analogy holds on Canadian judicial posture toward French extraterritorial protection in cross-border contexts, but does not establish criminal production-order precedent.

[20] S3NS (Thales Cloud Sécurisé SAS), RCS Paris 908 211 980, qualified SecNumCloud 3.2 by ANSSI on December 17, 2025. Thales/Google joint venture structure per S3NS General Terms of Use.

[21] Proximus NV, 2025 Integrated Annual Report, capital structure section. The Belgian state economic stake held via SFPI-FPIM (Société Fédérale de Participations et d’Investissement) is stated at 53.51%. Integrator scope: Proximus NXT SECaaS1 press materials reference 10 key government entities and 70,000+ users served under the federal framework; the Commission has not published a specific tender-linked agency count.

[22] SecNumCloud v3.2 referential (ANSSI, 2022) caps non-EU ownership of qualified entities at 24% individually and 39% collectively, applied to both share capital and voting rights, whether held directly or indirectly. Thales is the controlling shareholder of S3NS; the exact Google equity stake has not been publicly disclosed by Thales or Google. ANSSI’s December 17, 2025, qualification of S3NS 3.2 is the formal finding that the referential’s ownership test is met.

[23] European Commission press release, April 17, 2026, describing the Proximus-led consortium’s technical architecture: “Proximus leverages capacities of partners S3NS, Clarenc,e and Mistral from a technical environment based on Google Cloud technology, exclusively operated by EU companies.”

[24] Proximus NV press release, “Proximus sells its data centers to Datacenter United,” March 3, 2025. Transaction structure: €128 million cash consideration to Proximus; combined enterprise value €200.5 million. Post-sale Proximus remainsthe anchor tenant under a 10-year master services agreement with annual pricing review.

[25] Datacenter United ownership structure per TINC NV announcement and Cordiant Digital Infrastructure Limited regulatory disclosure, March 2025. TINC NV: 47.5% economic / 50% voting. Cordiant Digital Infrastructure Limited, together with a second Cordiant-managed fund: 47.5% economic / 50% voting, with aggregate equity consideration of €92.3 million across both Cordiant vehicles. Friso Haringsma (CEO): 5% non-voting.

[26] Cordiant Digital Infrastructure Limited is listed on the London Stock Exchange (ticker CORD) since February 2021. Investment management performed by Cordiant Capital Inc., a private markets asset manager headquartered in Montreal, Quebec, with additional offices in London, Luxembourg, and São Paulo. Per Cordiant Capital Inc. corporate disclosures.

[27] In re TD Bank Production Order, 2025 QCCS 2094 (Quebec Superior Court). The Court found TD Bank Canada had “possession or control” over records held by its US subsidiary on the strength of corporate control, without requiring direct technical access by Canadian employees. See also R v Binance Holdings Ltd., 2025 ONSC 7113, extending Brecknell‘s “real and substantial connection” test to restraint and management orders. Per R. v. OVH ruling paragraph [53].

[28] Post Telecom corporate structure: Post Telecom is a subsidiary of POST Luxembourg, which is 100% owned by the Luxembourg state. DEEP is Post Telecom’s data center subsidiary, consolidating the former EBRC, Digora, Elgon, and POST Telecom cloud units under a single brand. Three data centers at Windhof, Kayl, and Betzdorf; Tier IV certification status per Uptime Institute public database: Kayl (Tier IV Design + Constructed Facility, 2013), Betzdorf (Tier IV Design + Constructed Facility, 2015), Windhof (Tier IV Design Documents only).

[29] OVH Groupe SA, FY2024 Annual Results, October 23, 2024. Klaba family's share capital increased from ~68% to ~81% following the 2024 buyback completion, per OVHcloud's press release and Bredin Prat's deal notes. Voting rights are materially higher through French double-voting loyalty provisions, controlling provision for listed companies at Article L.22-10-46 of the Code de commerce since the 2020 recodification (Ordonnance n° 2020-1142), cross-referencing Article L.225-123; loi Florange (Loi n° 2014-384 of 29 March 2014); voting rights reported at approximately 82% as of late 2025.

[30] Schwarz Group data center operations: DC01 Neckarsulm, DC08 Ellhofen (Germany), DC10 Ostermiething (Austria). Lübbenau facility: 200 MW planned capacity, €11 billion capex commitment cited in Schwarz Group materials, target completion 2027.

[31] Schwarz Group FY24 press communication, May 22, 2025. Group total sales €175.4 billion for fiscal year 2024 (March 1, 2024 to February 28, 2025); Schwarz Group reports on a March–February fiscal year. Schwarz Digits segment revenue €1.9 billion; Schwarz Digits includes StackIT, XMCloud, and other digital operations — StackIT portion not separately disclosed. StackIT’s Lübbenau facility is the fourth German site; additional capacity sites, including Berlin and the Austrian Ostermiething facility, bring the operational footprint to 4–7 data centers, depending on the definitional scope.

[32] InfraVia Capital Partners and Iliad Group press release, “The Iliad Group and InfraVia partner to develop a major European hyperscale data center platform,” December 4, 2024 (announcement); closing March 2025. OpCore was carved out of Scaleway on July 1, 2024, as a standalone Iliad data-center vehicle; the 50/50 Iliad/InfraVia JV structure was announced on December 4, 2024, and closed in March 2025. Enterprise value €860 million at JV formation; capex commitment stated as “more than €2.5 billion” over a decade, structured as joint capital deployment commitments of the 50/50 shareholders rather than a contractually enforceable obligation to a third party. InfraVia Capital Partners registered as an Alternative Investment Fund Manager with the French AMF (GP 08 000018) under the EU’s AIFMD framework.

[33] EUCS (European Union Cybersecurity Certification Scheme for Cloud Services) consultation history per ENISA public records. The High+ assurance level’s “Annex J” sovereignty requirements — EU headquarters, EU ownership, immunity from non-EU law — were contested between 2021 and 2024. A July 2022 joint non-paper opposing the sovereignty requirement was signed by at least Denmark, Estonia, Greece, Ireland, the Netherlands, Poland, and Sweden, with Lithuania sometimes added. France, supported by Italy and Spain, championed the requirement; Germany’s position was mixed. By mid-2023, EUISS reporting cited approximately twelve Member States opposing. The March 22, 2024 ENISA draft dropped sovereignty requirements in favor of an International Company Profile Attestation (ICPA). The scheme had not been formally adopted as of April 2026.

[34] Cloud and AI Development Act (CADA), status “Announced” on the European Parliament Legislative Train as of March 20, 2026. The expected Q1 2026 tabling window closed without a Commission proposal.

[35] Emmanuel Macron, Artificial Intelligence Action Summit, Grand Palais, Paris, February 10, 2025. “France is back in the AI race” per France 24 live coverage, February 10, 2025. “Plug baby, plug” quotation per CSIS analysis, “France’s AI Action Summit”. €109 billion investment figure and €50 billion UAE contribution per contemporaneous summit coverage. The Paris AI Action Summit took place February 10–11, 2025; the EUCS Annex J sovereignty requirements were dropped from the ENISA draft in March 2024.

[36] CISPE (Cloud Infrastructure Services Providers in Europe), “No Such Thing as ‘75% Sovereign’: CISPE Responds to the European Commission’s Sovereign Cloud Framework,” October 24, 2025. Francisco Mingorance's quotation per interview with Incyber News, November 2025. CISPE subsequently issued a January 2026 position paper expanding the critique.