Methodology

How NextHop scores sovereignty.

Our scoring framework is public, documented and auditable. This page sets out the 6 criteria retained, their weighting, the points-attribution scale, the sources used and the procedure to challenge a score.

Citing this methodology in a publication? How to cite NextHop (in French)

In brief

6 criteria to assess the sovereignty of a cloud service; weightings total 100 per cent.
Scoring based on public sources only: ANSSI, official registries, provider communications, case law.
Monthly score updates, public changelog available on the changelog page.
Any provider may request an adversarial review by email at contact@nexthop.fr.

The 6 criteria

Definition, scale and sources

Jurisdiction

20 per cent

Definition

Measures the exposure of the legal entity providing the service to a country with active extraterritorial regimes (CLOUD Act, FISA 702, Chinese NSL). Headquarters, nationality of controlling shareholders and ownership chain are considered together.

Attribution scale

20: Legal entity established in an EU member state, with no controlling shareholder outside the EU.
15: EU entity with a minor non-EU capital link (under 25 per cent, no veto rights).
10: EU entity controlled by an EFTA or United Kingdom actor.
5: EU entity subsidiary of a non-EU group without a documented sovereign arrangement.
0: Entity established in the United States, in China, or directly subject to an active extraterritorial regime.

Sources consulted

National company registries (Infogreffe, Handelsregister, Companies House)
Reference documents and annual reports of the group
ANSSI, cloud-au-centre doctrine and list of qualified providers
Official publications of applicable law (CLOUD Act, FISA, NSL)

Edge cases handled

Recent joint ventures (Bleu, S3NS): the French legal structure is credited, but technological dependencies remain visible under the Technology criterion.
EU providers recently acquired by a non-EU group: the score is revised down from the effective date of the deal, not its signing.

Extraterritorial immunity

20 per cent

Definition

Documented ability of the provider to refuse, or not to be legally compelled, to transmit client data to a foreign authority. Distinct from the Jurisdiction criterion, which looks at legal status: here we look at operational commitments and their contractual translation.

Attribution scale

20: Contractual commitment to extraterritorial immunity, SecNumCloud qualification or equivalent, transparency report showing zero transfers under foreign injunction.
15: Contractual commitment, no ANSSI qualification, public and detailed transparency report.
10: Standard clauses limiting cooperation, no immunity commitment and no detailed transparency report.
5: Terms of service explicitly mention cooperation with foreign injunctions beyond minimum obligations.
0: Active subjection to an extraterritorial regime with a documented history of transfers (US transparency reports, DOJ statistics).

Sources consulted

ANSSI, SecNumCloud v3.2 reference framework and list of qualified providers
Terms and framework agreements published by the provider
Transparency reports published annually by providers
EDPB opinions and rulings of data protection authorities

Edge cases handled

Bleu and S3NS are evaluated on the basis of their sovereign legal structure, without a transparency report of their own available to date.
For hyperscalers, the score relies on US transparency reports that do not distinguish the jurisdiction of the end client; the score reflects this opacity.

Technology

15 per cent

Definition

Technical independence of the stack: hypervisor, operating system, key dependencies, ability to reproduce the service with open-source or European components. Measures the risk of technological capture in case of commercial or diplomatic rupture.

Attribution scale

15: Fully open-source stack, European hypervisor or upstream KVM, mainline Linux OS, low dependency on non-EU third-party services.
10: Mostly open-source stack with non-critical proprietary dependencies.
5: Stack mixing US proprietary components and open source, without a documented reversibility plan.
0: Service entirely based on a non-European proprietary stack without a documented alternative.

Sources consulted

Public technical documentation of the provider
Inventories of contributing open-source projects (OpenStack, Kubernetes, KVM)
Sector studies (Hexatrust, CIGREF) on sovereign cloud stacks

Edge cases handled

Bleu (Azure) and S3NS (Google Anthos) partnerships: the Technology score remains cautious as the stack is still American, even though the legal structure is French.
Providers claiming open source: actual availability of the final service source code is verified, not only that of its dependencies.

Hosting and data

20 per cent

Definition

Effective location of data, metadata, logs and encryption keys. Verifies the reality of user control over these elements and the consistency with provider commitments.

Attribution scale

20: Data, metadata, logs and keys residing exclusively on EU territory, effective user control via BYOK or HYOK.
15: Data and logs in the EU, keys managed by the provider in certified EU HSMs.
10: Data in a selectable EU region, metadata and logs may transit outside the EU.
5: EU region available but no firm contractual commitment on metadata or keys.
0: No EU region or EU region served by non-EU operators without a sovereign arrangement.

Sources consulted

Provider regions documentation
Terms of service on data location
Independent audits (ISAE 3402, SOC 2) when available
NextHop verifications against the list of operator datacenters

Edge cases handled

Managed services (databases, AI) often store metadata outside the region: the score reflects the gap between marketing promise and operational reality.
BYOK is credited only if keys are stored in an external HSM not controlled by the provider or its parent company.

Certifications

15 per cent

Definition

Qualifications held over the evaluated perimeter: SecNumCloud, HDS, ISO 27001, ISO 27017, ISO 27018, eIDAS, C5, ENS, sector-specific qualifications. Weight is given to qualifications attesting to independent and regularly audited control.

Attribution scale

15: SecNumCloud v3.2 qualification on the evaluated perimeter, plus at least one sector qualification (HDS, ENS High).
10: ISO 27001 plus one sector qualification (HDS, C5, ENS), without SecNumCloud.
5: ISO 27001 alone, or self-attestations not verified by an independent third party.
0: No verifiable public certification on the evaluated perimeter.

Sources consulted

Official list of SecNumCloud-qualified providers (cyber.gouv.fr)
List of HDS providers (esante.gouv.fr)
ENISA and BSI registries for European certifications
Provider certification pages, cross-checked with issuing bodies

Edge cases handled

Certifications held by a parent company without application to the evaluated service are not credited.
Certifications that have expired or are being renewed are credited for the contractual duration of their extension when this is public.

Openness and portability

10 per cent

Definition

Ability to leave the provider without prohibitive cost: open standards, documented APIs, interoperable export formats, open-source contribution, no lock-in via proprietary services without an equivalent.

Attribution scale

10: APIs compliant with open standards (OpenStack, S3, OCI), documented and proven export formats, active open-source contribution.
7: Documented APIs, standard export formats, proprietary dependencies limited to secondary services.
4: Provider-specific APIs, possible but non-standard export, moderate lock-in.
0: Major proprietary services without open equivalent, incomplete or paid export, strong dependency on in-house tooling.

Sources consulted

Public API documentation
Portability and migration policies
Migration tools documented by the provider or by third parties
Public open-source footprint (GitHub, OpenStack, CNCF)

Edge cases handled

Providers offering an S3-compatible API are credited even if they also develop proprietary services, insofar as the client can exit.
Generative AI services are evaluated separately because models, prompts and fine-tunings are rarely exportable.

Total score

How the final score is calculated

The final score is a direct weighted sum. Each criterion yields a number of points between 0 and its maximum weight (20, 15 or 10). The gross total therefore ranges from 0 to 100 points.

No further normalisation is applied, and no weighting is hidden behind secondary coefficients. If a criterion cannot be evaluated for lack of a public source, it is scored 0 by default, which mechanically penalises opacity.

Formula

score = jurisdiction + immunity + technology + data + certifications + openness

With each term within its respective scale range. Theoretical maximum: 100.

Versions

Methodology changelog

v1.0 (2026-04): Public launch of the framework. 6 criteria, weightings 20/20/15/20/15/10, public sources only.

Any future evolution of the scale, weightings or list of sources will be recorded here and accompanied by an explanatory note. The score changelog page lists, separately, changes applied to providers.

Contest

How to challenge a score

A provider, a client or a journalist may flag an error or request an adversarial review. The procedure is deliberately simple, free and informal.

1. Email contact@nexthop.fr

Indicate the provider, the contested criterion, and the public source justifying revision.

2. Acknowledgement within 5 business days

If the request is admissible, it is logged in the internal review journal.

3. Reasoned decision within 30 days

Acceptance, refusal or request for additional documents. The decision is published in the score changelog with the source.