Level 2 Technical Implementation Documentation

08e. Provider Evaluation Criteria

Audience: Procurement Officers, Solutions Architects, Security Teams
Purpose: Technical assessment framework for sovereign cloud provider selection

This section provides a structured framework for evaluating European and allied-nation cloud providers against sovereignty, technical capability, and operational requirements.

Critical Requirement: All providers must meet the baseline sovereignty criteria before technical evaluation begins. Providers that have a US parent company or a US-based control plane, or that are subject to CLOUD Act jurisdiction, are automatically disqualified and receive no technical score.

Evaluation Framework

Mandatory Sovereignty Criteria (Pass/Fail)

Criterion | Requirement | Evidence Required
Corporate Domicile | Headquarters in EU/UK/CA/AU/NZ or allied nation | Certificate of incorporation, ownership structure
Control Plane Location | Management plane hosted within jurisdiction | Architecture documentation, network diagrams
Data Residency | Customer data never leaves contracted jurisdiction | DPA, contractual guarantees, audit reports
Personnel Security | Administrative access limited to cleared personnel | Security clearance policies, access control evidence
Legal Jurisdiction | Not subject to US CLOUD Act or equivalent extraterritorial laws | Legal opinion, corporate structure analysis
Supply Chain | No critical dependencies on US-controlled services | Vendor dependency map, subprocessor list

Technical Capability Scoring

Weighted Total (Summary)

Capability | Weight | OVHcloud | Hetzner | Scaleway | IONOS
Managed Kubernetes | 15% | 9/10 | 3/10 | 8/10 | 8/10
Object Storage (S3-compatible) | 12% | 9/10 | 6/10 | 9/10 | 8/10
Block Storage Performance | 10% | 8/10 | 9/10 | 8/10 | 8/10
Network Capabilities | 12% | 9/10 | 7/10 | 8/10 | 8/10
Geographic Coverage | 10% | 9/10 | 5/10 | 6/10 | 7/10
Compliance Certifications | 15% | 9/10 | 6/10 | 10/10 | 8/10
API Maturity | 8% | 8/10 | 9/10 | 9/10 | 7/10
OpenTofu Provider Quality | 8% | 8/10 | 9/10 | 9/10 | 7/10
Support Quality (Enterprise) | 5% | 8/10 | 5/10 | 7/10 | 8/10
Price Competitiveness | 5% | 7/10 | 10/10 | 8/10 | 7/10
Weighted Total | 100% | 8.5/10 | 6.4/10 | 8.3/10 | 7.8/10
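The two stages of the framework (mandatory pass/fail gate, then weighted capability scoring) in code, as an added example that is not part of the original document: it refuses to score any provider that fails a mandatory criterion and recomputes the weighted totals from the per-capability scores so the summary row can be checked. The sovereignty dictionary keys and the `evaluate` and `rank` functions are assumed names.

```python
# Added example: the evaluation framework as code. The sovereignty gate runs
# first; only providers passing every mandatory criterion get a weighted
# score. Weights and per-capability scores are copied from the scoring table.

# Weights in percent, in table order; they must sum to 100.
WEIGHTS = {
    "Managed Kubernetes": 15, "Object Storage (S3-compatible)": 12,
    "Block Storage Performance": 10, "Network Capabilities": 12,
    "Geographic Coverage": 10, "Compliance Certifications": 15,
    "API Maturity": 8, "OpenTofu Provider Quality": 8,
    "Support Quality (Enterprise)": 5, "Price Competitiveness": 5,
}
assert sum(WEIGHTS.values()) == 100

# Per-capability scores (out of 10) in the same order as WEIGHTS.
SCORES = {
    "OVHcloud": [9, 9, 8, 9, 9, 9, 8, 8, 8, 7],
    "Hetzner":  [3, 6, 9, 7, 5, 6, 9, 9, 5, 10],
    "Scaleway": [8, 9, 8, 8, 6, 10, 9, 9, 7, 8],
    "IONOS":    [8, 8, 8, 8, 7, 8, 7, 7, 8, 7],
}

# The six mandatory sovereignty criteria from the pass/fail table (assumed keys).
MANDATORY = ("corporate_domicile", "control_plane_location", "data_residency",
             "personnel_security", "legal_jurisdiction", "supply_chain")


def weighted_total(scores):
    """Weighted score out of 10, rounded to one decimal like the summary row."""
    return round(sum(w * s for w, s in zip(WEIGHTS.values(), scores)) / 100, 1)


def evaluate(sovereignty, scores):
    """Return ("disqualified", [failed criteria]) or ("scored", total).

    sovereignty maps each mandatory criterion to True when its evidence was
    provided and accepted. A missing criterion counts as a fail: the burden
    of evidence is on the provider, not on the evaluator."""
    failed = [c for c in MANDATORY if not sovereignty.get(c, False)]
    if failed:
        return ("disqualified", failed)   # never reaches technical scoring
    return ("scored", weighted_total(scores))


def rank(candidates):
    """candidates: {name: (sovereignty, scores)} -> [(name, total)], best first."""
    scored = []
    for name, (sov, sc) in candidates.items():
        verdict, value = evaluate(sov, sc)
        if verdict == "scored":
            scored.append((name, value))
    return sorted(scored, key=lambda item: item[1], reverse=True)
```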

Provider Profiles

OVHcloud

Recommended

Headquarters: Roubaix, France

Data Centres: EU (FR, DE, PL, UK), CA, AU, SG

Strengths:

  • Broadest geographic coverage of European providers
  • Mature managed Kubernetes (OVHcloud Kubernetes)
  • Strong compliance posture (HDS, ISO 27001, SOC 2)
  • Public Cloud and Hosted Private Cloud options

Considerations:

  • Not SecNumCloud qualified (use Scaleway for the highest-security French workloads)
  • UK data centre operates under UK GDPR

Best For: Multi-jurisdiction deployments, general workloads

Scaleway

Recommended

Headquarters: Paris, France (Iliad Group)

Data Centres: Paris, Amsterdam, Warsaw

Strengths:

  • SecNumCloud qualified (highest French government classification)
  • Modern API-first architecture
  • Excellent developer experience
  • Competitive pricing

Considerations:

  • Limited geographic coverage (EU only)
  • Smaller scale than OVHcloud

Best For: Highest-security French/EU workloads

Hetzner

Conditional

Headquarters: Gunzenhausen, Germany

Data Centres: Germany (Nuremberg, Falkenstein, Frankfurt), Finland

Strengths:

  • Exceptional price/performance ratio
  • High-quality bare metal offerings
  • Excellent OpenTofu provider
  • Strong network infrastructure

Considerations:

  • No managed Kubernetes (DIY only)
  • Limited compliance certifications
  • Basic support tiers

Best For: Development/staging, cost-sensitive workloads, teams with strong K8s expertise

IONOS

Recommended

Headquarters: Montabaur, Germany (United Internet AG)

Data Centres: Germany, Spain, UK, US (see Considerations below)

Strengths:

  • German corporate governance
  • Managed Kubernetes available
  • Strong enterprise support
  • GDPR-compliant by design

Considerations:

  • Avoid US data centres for sovereign workloads
  • API less mature than competitors

Best For: German/EU enterprise workloads

Exoscale

Recommended

Headquarters: Lausanne, Switzerland

Data Centres: Switzerland (Geneva, Zurich), Germany, Austria, Bulgaria

Strengths:

  • Swiss data protection (strongest in Europe)
  • SKS Kubernetes service
  • Excellent API and OpenTofu support
  • Privacy-focused culture

Considerations:

  • Smaller scale, fewer regions
  • Premium pricing

Best For: Highest-sensitivity data, Swiss/EU operations

AARNet / NeCTAR (Australia)

Conditional

Headquarters: Sydney, Australia

Data Centres: Multiple Australian locations

Strengths:

  • Australian government/academic network
  • OpenStack-based (no vendor lock-in)
  • Australian data sovereignty
  • Research cloud expertise

Considerations:

  • Primarily academic/research focused
  • Limited commercial SLAs
  • Requires OpenStack expertise

Best For: Australian government/research workloads

Provider Selection Decision Tree

Step 1: Determine Jurisdiction Requirements

  • France (SecNumCloud required): Scaleway
  • Germany: Hetzner, IONOS, or OVHcloud DE
  • UK: OVHcloud UK
  • Switzerland (maximum privacy): Exoscale
  • Multi-jurisdiction EU: OVHcloud or Scaleway
  • Australia: AARNet/NeCTAR or OVHcloud AU
  • Canada: OVHcloud CA

Step 2: Determine Workload Type

  • Kubernetes-native: OVHcloud, Scaleway, IONOS, Exoscale
  • Bare metal / HPC: Hetzner, OVHcloud
  • Managed databases: OVHcloud, Scaleway
  • Cost-optimized: Hetzner

Step 3: Validate Compliance Requirements

  • ISO 27001: All listed providers
  • SOC 2 Type II: OVHcloud, Scaleway
  • SecNumCloud: Scaleway only
  • HDS (Health Data): OVHcloud, Scaleway

Due Diligence Checklist

Technical Validation

#!/usr/bin/env bash
# Provider technical assessment checklist
# Hostnames, endpoints and credentials below are placeholders; set them per provider.
set -euo pipefail

PROVIDER_DOMAIN="${PROVIDER_DOMAIN:-provider.example.com}"
PROVIDER_ENDPOINT="${PROVIDER_ENDPOINT:-iperf.${PROVIDER_DOMAIN}}"

## Network Performance Testing
# Measure latency and packet loss to each region (report mode, 100 probes per hop)
for region in fr-par de-fra uk-lon; do
  mtr -r -c 100 "${region}.${PROVIDER_DOMAIN}"
done

# Bandwidth testing (60 s, 4 parallel streams against the provider's iperf3 server)
iperf3 -c "$PROVIDER_ENDPOINT" -t 60 -P 4

## Kubernetes Assessment
# Deploy test workload
kubectl apply -f sovereign-benchmark.yaml

# Measure pod startup time: watch events carry a timestamp for each phase change
# (interrupt once the benchmark pods are Running)
kubectl get pods -w --output-watch-events

# Test persistent volume performance; run inside a pod with the PV mounted at /mnt.
# fio needs a job name (--name) when parameters are given on the command line.
fio --name=pv-randrw --filename=/mnt/test --size=1G --direct=1 --rw=randrw --bs=4k \
    --ioengine=libaio --iodepth=256 --numjobs=4 --time_based --runtime=60 --group_reporting

## API Reliability
# Probe the API health endpoint once a minute for 24 hours; one timestamped line per probe.
# A failed connection still logs a line (status 000) instead of aborting the run.
end=$(( $(date +%s) + 86400 ))
while [ "$(date +%s)" -lt "$end" ]; do
  printf '%s ' "$(date -u +%FT%TZ)"
  curl -s -o /dev/null -w "%{http_code} %{time_total}\n" "https://api.${PROVIDER_DOMAIN}/v1/health" || true
  sleep 60
done >> api-health.log

## Object Storage S3 Compatibility
# Test MinIO client compatibility (credentials come from the environment, never inline)
mc alias set provider "https://s3.${PROVIDER_DOMAIN}" "$S3_ACCESS_KEY" "$S3_SECRET_KEY"
mc mb provider/test-bucket
mc cp large-file.bin provider/test-bucket/
mc stat provider/test-bucket/large-file.bin
mc rb --force provider/test-bucket   # remove the test bucket and its contents

Contractual Requirements

Requirement | Minimum Standard | Negotiation Notes
Data Processing Agreement | GDPR Article 28 compliant | Ensure jurisdiction-specific clauses
SLA Availability | 99.9% for production workloads | Clarify exclusions and calculation method
Data Deletion | Certified destruction within 30 days | Request destruction certificate
Audit Rights | Annual audit permitted | Include penetration testing rights
Subprocessor Notification | 30 days advance notice | Include veto rights for sovereignty concerns
Exit Assistance | 90 days post-termination data access | Negotiate extended period for large datasets
Government Access Disclosure | Notification unless legally prohibited | Critical for sovereignty assurance

Multi-Provider Strategy

Recommendation: Adopt a multi-provider strategy to avoid single points of failure and maintain negotiating leverage. Use Kubernetes and OpenTofu abstractions to enable workload portability.

Suggested Provider Allocation

Workload Type | Primary Provider | Secondary Provider | Rationale
Production (EU) | OVHcloud | Scaleway | Geographic diversity, both mature
Production (UK) | OVHcloud UK | IONOS UK | UK-specific compliance
High-Security (FR) | Scaleway | - | SecNumCloud requirement
Development/Test | Hetzner | - | Cost optimization
Disaster Recovery | Exoscale (CH) | - | Jurisdictional isolation

Related Documentation