FEATURE Can digital sovereignty exist on American silicon?

Europe is pouring more than €2 billion into sovereign cloud initiatives designed to reduce exposure to US legal reach. The EU's IPCEI-CIS program funds infrastructure development. France qualifies operators under SecNumCloud, a framework with nearly 1,200 technical requirements promising "immunity from extraterritorial laws."

But most datacenters and qualified cloud operators still rely heavily on Intel or AMD processors. And inside those processors sits a computer beneath the computer: management engines running at Ring -3, below the operating system, outside the control of host security software, persistent even when the machine appears powered off. Under the US Reforming Intelligence and Securing America Act (RISAA) 2024, hardware manufacturers count as "electronic communications service providers" subject to secret government orders.

Europe's frameworks certify the clouds. They don't assess the silicon.

The computer your OS can't see

That computer beneath the computer has a name. On Intel processors, it's the Management Engine (ME), or more precisely the Converged Security and Management Engine (CSME). On AMD, it's the Platform Security Processor (PSP). Both run at what security researchers call Ring -3, below the operating system, below the hypervisor, at a privilege level the host cannot see or log.

"It's a computer inside your computer," explains John Goodacre, Professor of Computer Architectures and former director of the UK's £200 million Digital Security by Design program. He's clear about what that means in practice. The ME has its own memory, its own clock, and its own network stack, and because it can share the host's MAC and IP addresses, any traffic it generates is indistinguishable from the host's own traffic to the firewall.

The architecture is not theoretical. Embedded in the Platform Controller Hub, the CSME is a separate microcontroller that operates independently of the host, with direct memory, device access, and network connectivity the host operating system cannot monitor. AMD's PSP works the same way.

Intel's Active Management Technology (AMT), the remote management feature the ME enables, exposes at least TCP ports 16992, 16993, 16994, and 16995 on provisioned devices. Goodacre notes that an attack surface exists on unprovisioned hardware too. These ports deliver keyboard-video-mouse redirection, storage redirection, Serial-over-LAN, and power control to administrators managing fleets of devices remotely. The capability has legitimate uses. It also provides a channel that operates at a level below what European sovereignty frameworks can attest.
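An operator who wants to know where those AMT ports are actually reachable on its own network can start from an ordinary port-scan export. The following is an added example, not code from the article, from Intel, or from Goodacre's assessment: it parses nmap's grepable (-oG) output for a constructed sample and reports which hosts have any of the four AMT ports open from the scanner's vantage point. The hosts, addresses, service labels and scan lines are all constructed.

```python
"""Flag hosts exposing Intel AMT management ports in an nmap -oG export.

Added example (not from the article or from Intel). AMT_PORTS are the four
TCP ports the article lists for provisioned devices. The scan text below is a
constructed sample in nmap's grepable format, not a real scan.
"""
import re
from typing import Dict, List, Set

# 16992/16993: AMT web/SOAP management (HTTP/HTTPS); 16994/16995: redirection
# services (KVM, Serial-over-LAN, storage) in plain and TLS variants.
AMT_PORTS: Set[int] = {16992, 16993, 16994, 16995}

# Constructed nmap -oG style lines (hosts, names and states are made up).
SAMPLE_SCAN = """\
Host: 10.20.0.11 (wks-011.corp.example)\tPorts: 22/open/tcp//ssh///, 16992/open/tcp//amt-soap-http///, 16993/open/tcp//amt-soap-https///
Host: 10.20.0.12 (wks-012.corp.example)\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///
Host: 10.20.0.13 (wks-013.corp.example)\tPorts: 16994/open/tcp//intel-rci///, 16992/closed/tcp//amt-soap-http///
Host: 10.20.0.14 (srv-014.corp.example)\tPorts: 22/open/tcp//ssh///, 16995/filtered/tcp//intel-rci-https///
"""

# port/state/proto triples as nmap -oG prints them, e.g. "16992/open/tcp"
_PORT_RE = re.compile(r"(\d+)/(open|closed|filtered)/(tcp|udp)")
_HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)")


def parse_grepable(text: str) -> Dict[str, Set[int]]:
    """Map each scanned host IP to the set of TCP ports reported as open."""
    result: Dict[str, Set[int]] = {}
    for line in text.splitlines():
        m = _HOST_RE.match(line)
        if not m:
            continue  # status lines, comments and blank lines are skipped
        ip = m.group(1)
        result[ip] = {
            int(port)
            for port, state, proto in _PORT_RE.findall(line)
            if state == "open" and proto == "tcp"
        }
    return result


def amt_exposed_hosts(text: str) -> Dict[str, List[int]]:
    """Return {ip: sorted open AMT ports} for every host with at least one
    AMT port open. 'filtered' and 'closed' ports are deliberately not counted:
    they are not reachable from this vantage point, which is the question."""
    return {
        ip: sorted(ports & AMT_PORTS)
        for ip, ports in parse_grepable(text).items()
        if ports & AMT_PORTS
    }


def summarize(text: str) -> str:
    """Human-readable summary for a ticket or a segmentation review."""
    exposed = amt_exposed_hosts(text)
    total = len(parse_grepable(text))
    lines = [f"{len(exposed)} of {total} scanned hosts expose AMT ports"]
    for ip, ports in sorted(exposed.items()):
        lines.append(f"  {ip}: {', '.join(str(p) for p in ports)}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(summarize(SAMPLE_SCAN))
```

Run against a real export, a non-empty result is the list of hosts whose management plane is reachable from wherever the scan was taken; the practical follow-up is to confirm those hosts are meant to be AMT-provisioned and that the ports are only reachable from the management network, not from the user or internet-facing segments.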

Microsoft documented in 2017 that the PLATINUM nation state actor used Intel's Serial-over-LAN (SOL) as a covert exfiltration channel. SOL traffic transits the Management Engine and the NIC sideband path, delivered to the ME before the host TCP/IP stack runs. The host firewall and endpoint detection saw nothing, and any security tooling running on the compromised machine itself was equally blind. PLATINUM didn't exploit a vulnerability. It exploited a feature, requiring only that AMT be enabled and credentials obtained. In documented cases, those credentials were the factory default: admin, with no password set.

Goodacre catalogues this and related scenarios in a 37-page threat assessment prepared for CISOs evaluating Intel vPro hardware connected to corporate networks. Its conclusion is blunt: connecting an untouched-ME device to corporate resources "exposes the organization to a class of compromise that defeats the host security stack in its entirety."

The ME doesn't stop when the machine appears to. Users recognize the symptom: a laptop powered off and stored for weeks is found, on next boot, to have a depleted battery. On modern thin and light platforms, what Microsoft documents as Modern Standby means "off" doesn't correspond to "all subsystems unpowered." The system-on-chip components the Management Engine runs on remain in low-power states, drawing enough to drain a 55 Wh battery over weeks, on the order of 100-200 mW continuous draw.

The implication is documented in Goodacre's threat assessment: "Whether the radio is in a Wake-on-Wireless-LAN listening state is firmware policy. On a device whose firmware has been tampered with during transit through the supply chain, the answer cannot be inferred from the visible power state." A laptop that appears off, in a bag, can associate with a hostile network the user has no knowledge of.

Professor Aurélien Francillon, a security researcher at French engineering school EURECOM, has spent years studying precisely this class of problem. Working with colleagues, he built a fully functional backdoor in hard disk drive firmware [PDF], a proof of concept demonstrating how storage devices could silently exfiltrate data through covert channels. Three months after presenting it at an academic conference, the Snowden disclosures revealed the NSA's ANT catalogue, which documented an identical capability already deployed in the field.

"The NSA were already doing it," Francillon says flatly. "Pretty amazing." That background informs his assessment of the ME. "Yes, it could probably be used as a backdoor, like many other things, including BMC [baseboard management controller] and many other firmwares," he says. The question, he argues, is not whether the backdoor exists but whether operational controls make it unreachable in practice.

AMD faces the same architectural question. On April 14, 2026, researchers demonstrated the Fabricked attack against AMD's SEV-SNP confidential computing technology, achieving a 100% success rate with a software-only exploit. The Platform Security Processor proved susceptible to the same class of compromise.

On server hardware, the picture is the same. Intel ME runs on servers under a different name, Server Platform Services or SPS, and the BMC, the remote management controller standard in datacenter hardware, relies on it. "Roughly the same," Francillon says of the server variant. For datacenter operators, he sharpens the focus further: "If I look at cloud systems, servers, I'd be more concerned with the BMC," pointing to published research demonstrating remote exploitation of BMC vulnerabilities that could allow an attacker to reinstall or fully compromise a server. The BMC is not a separate concern from the ME: on server hardware, it's the primary network entry point into the SPS, making it both the most exposed interface and the most consequential.

Both Intel and AMD processors contain management engines that operate below the operating system. The silicon is designed by American companies and subject to American legal process.

The backdoor the CLOUD Act doesn't use

That legal process has teeth that most European policymakers underestimate. The CLOUD Act, passed in 2018, gave US authorities extraterritorial reach to data held by American companies. FISA Section 702 allows intelligence agencies to compel US persons and companies to provide access to communications. Both are well known in European sovereignty discussions. They operate through the front door: a legal order served on a company that controls data. Less well known is RISAA 2024, a law that opens a different entrance entirely.

RISAA amended FISA's definition of "electronic communications service provider" in ways that go beyond cloud operators and platform companies, and beyond the bilateral agreements that European policymakers have built their legal defenses around. Hardware manufacturers now fall within scope. Intel and AMD can be compelled, via secret orders with gag clauses, to cooperate with US intelligence access.

The mechanism through which that access could be exercised is the management engine: a persistent, privileged, network-connected runtime that operates beneath anything the host operating system can see or block. A SecNumCloud-certified operator can be legally isolated from American data demands. The processor inside its servers cannot. "You've actually got a policy mechanism by which any such machine anywhere can send any of its information," Goodacre says.

RISAA's two-year term expired on April 20, 2026, but Congress extended it by 45 days while debating reforms. Whether it's renewed, amended or allowed to lapse, the architecture it targets doesn't change.

SecNumCloud's blind spot

France's SecNumCloud is Europe's most rigorous attempt to build a cloud certification that is legally immune to American law. It didn't emerge from nowhere. ANSSI, France's national cybersecurity agency, was established in 2009 as part of a broader effort to build institutional muscle on digital sovereignty long before the term became fashionable. When Edward Snowden revealed the scale of NSA surveillance in 2013, France's response was technical rather than rhetorical: ANSSI published the first SecNumCloud framework in July 2014. A decade later, that framework has grown to nearly 1,200 technical requirements.

At the time, SecNumCloud was a cybersecurity qualification, not a sovereignty instrument: it set requirements for architecture, encryption standards, access controls, and incident response, but said nothing about who controlled the underlying infrastructure or whose laws applied to it. The CLOUD Act changed that. Passed in 2018, it gave American authorities extraterritorial reach to data held by US companies, and suddenly a French cybersecurity framework had a geopolitical dimension it was not designed for. Version 3.2, released in 2022, added Chapter 19: a set of explicit requirements targeting extraterritorial law, mandating that only EU operators could run the service, that no non-EU party could access customer data, and that the provider could operate autonomously without external intervention. It promised "immunity from extraterritorial laws."

In December 2025, S3NS, a joint venture between French defense and technology group Thales and Google Cloud, running Google Cloud Platform technology under French control, became the first "hybrid" cloud to receive SecNumCloud qualification. The certification triggered heated debate: was this real sovereignty, or American technology with a European flag?

But the debate missed a more fundamental question. Does SecNumCloud's certification reach as far as the silicon it runs on? Francillon is positioned to see both sides of that question. He sits on the French Technology Academy's working group on cloud security, a body that advises on the technical foundations of frameworks like SecNumCloud. And he has spent years studying firmware backdoors in the academic literature and demonstrating them in practice.

He knows what the hardware can do, and he knows what the certification requires. His starting point is that SecNumCloud provides genuinely valuable protection, and that the silicon gap doesn't negate that. When asked whether SecNumCloud explicitly addresses Intel Management Engine or AMD Platform Security Processor vulnerabilities, his answer is unambiguous: "There is no direct requirement for firmware backdoor prevention."

The framework is not designed to be a technical specification for hardware-layer security. "The document aims to be generic and not dive into technical details," Francillon says. "Most of it is organizational security." What SecNumCloud does require is that providers build a proper threat model, consider mitigation mechanisms, and monitor management gateways where external tech support could be exploited. The hardware layer was not addressed by oversight. It was left out by design.

Francillon's assessment is not a fringe view. Vincent Strubel, the director of ANSSI, the very agency that designed and administers SecNumCloud, is equally explicit about what the framework does and doesn't cover. In a January 2026 LinkedIn post addressing SecNumCloud's scope, he writes that all cloud offerings, hybrid or not, depend on digital components whose design and updates are not 100% controlled in Europe. If Europe were ever cut off from American or Chinese technology, he argues, the result would be a global problem of security degradation, not just in hybrid clouds, but everywhere.

Strubel frames SecNumCloud carefully: it's "a cybersecurity tool, not an industrial policy tool." It protects against extraterritorial law enforcement and kill-switch scenarios. It was never designed to eliminate technology dependencies at the hardware layer, and no actor, state, or enterprise fully controls the entire cloud technology stack anyway.

One technology frequently cited in sovereignty discussions is OpenTitan, Google's open source secure element deployed on its server hardware and used across the S3NS infrastructure. Francillon is clear about what it is and, critically, what it isn't. "OpenTitan is a secure element, a small chip on the side that can be used for protecting sensitive keys, providing signatures, making attestations," he explains. "It's a bit like a TPM." What it isn't is a replacement for the main processor. "The Linux and all your applications will not run on it." OpenTitan sits alongside x86 infrastructure as an external root of trust, independent of the ME. That matters because the default embedded TPM lives inside the ME, making it subject to the ME attack surface. OpenTitan sits outside that boundary. The two address different problems entirely, and conflating them, as sovereignty advocates sometimes do, obscures where the residual exposure actually lies.

ANSSI's own technical position paper [PDF] on confidential computing, published in October 2025, concludes that Intel SGX, TDX, and AMD SEV-SNP are "not sufficient on their own to secure an entire system, or to meet the sovereignty requirements of SecNumCloud 3.2." Physical attackers are "explicitly out-of-scope" of vendor security targets. Supply chain attackers are "explicitly out-of-scope." The ME attack surface discussed in this article falls into neither category: it is a remote network threat, not a physical one. The paper's conclusion for customers concerned about hostile cloud providers is stark: "Switch to a cloud provider they trust, or use their own hardware with physical security protection measures."

The fortress with a structural flaw

Francillon doesn't dispute that SecNumCloud leaves the ME unassessed. His argument is that this doesn't matter in practice. "What I mean is that if there is a backdoor to access a room, it cannot be directly used if the room is in a fortress. You have to pass the fortress walls first." Network isolation, monitoring, and threat modeling are the walls. SecNumCloud's operational requirements mandate that management gateways be isolated, that external tech support be monitored, that network segmentation prevent lateral movement. The Management Engine backdoor may exist, but the framework makes it unreachable except in what Francillon calls "very high-end attacks."

That qualifier matters. Francillon is not claiming perfect security. He's claiming that proper operational controls reduce the threat to a level where only nation state actors with significant resources could exploit it. For most threat models, he argues, that's sufficient. "Saying it's useless to do SecNumCloud because there is ME, or whatever backdoor in some hardware we don't control, is a mistake," he says. SecNumCloud improves security over deployments without such controls, he argues, provided that hardware is carefully evaluated and firmware securely configured.

The fortress walls have a structural flaw that Goodacre's threat assessment documents in detail. Corporate perimeter firewalls see the device's traffic, but because the ME shares the host's MAC and IP addresses, they cannot tell ME-originated flows apart from legitimate host traffic. "The perimeter cannot attribute a flow to host-versus-CSME origin without out-of-band knowledge," Goodacre writes. A TLS-encrypted tunnel from the ME to an attacker server on port 443 looks, to the perimeter, like any other HTTPS connection the laptop makes. Network filtering reduces attack surface. It doesn't eliminate the exposure.

Goodacre's position is that a "Tier-3 supply-chain residual remains in both cases and is the irreducible cost of buying any silicon that ships with a Ring -3 manageability engine." He defines Tier 3 as nation state cyber services operating at the level of compromising firmware in transit, mis-issuing CA certificates via in-country authorities, and modifying hardware at customs or courier hubs. The NSA's Tailored Access Operations division treated supply chain interdiction as routine business, with an explicit doctrinal preference for BIOS and firmware implants over disk-level malware.

His threat assessment's data on fleet vulnerability is concrete. Industry telemetry from Eclypsium, analyzing production enterprise environments, found that roughly 72 percent of devices observed remained vulnerable to INTEL-SA-00391 years after public disclosure, and 61 percent remained vulnerable to INTEL-SA-00295. The same reporting documented that the Conti ransomware group developed proof-of-concept Intel ME exploit code with the intent of installing highly persistent firmware-resident implants.
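Fleet figures like the 72 percent above come from comparing each device's installed CSME firmware version against the fixed versions an advisory lists per firmware branch. The following is an added example, not code from the article, from Eclypsium or from Intel, of that triage over a constructed inventory: versions are four-part strings, a fix is published per major.minor branch, and a device counts as patched only if its branch is covered and its version is at or above that branch's fixed version. The advisory identifier is the one the article names, but the branch thresholds in the table are constructed placeholders, not Intel's actual fixed versions; a real run takes them from the advisory and the version strings from the fleet's firmware inventory.

```python
"""Fleet triage of CSME firmware versions against per-branch fixed versions.

Added example (not from the article, Eclypsium or Intel). Devices and the
fixed-version thresholds are constructed placeholders; only the advisory ID
comes from the article. Real thresholds must be taken from the advisory.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

Version = Tuple[int, int, int, int]


def parse_version(s: str) -> Version:
    """CSME versions look like 12.0.64.1402 (major.minor.hotfix.build)."""
    parts = s.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected CSME version format: {s!r}")
    return (int(parts[0]), int(parts[1]), int(parts[2]), int(parts[3]))


@dataclass(frozen=True)
class Device:
    name: str
    csme_version: str


# Constructed inventory (names and versions are made up).
INVENTORY: List[Device] = [
    Device("wks-011", "12.0.64.1402"),
    Device("wks-012", "12.0.81.1753"),
    Device("wks-013", "14.1.53.1649"),
    Device("srv-014", "15.0.35.1951"),
    Device("wks-015", "11.8.50.3399"),  # branch not in the table below
]

# advisory -> {firmware branch -> first fixed version}. PLACEHOLDER values:
# constructed for the example, not the advisory's real fixed versions.
ADVISORY_FIXED: Dict[str, Dict[str, str]] = {
    "INTEL-SA-00391": {"12.0": "12.0.70.0", "14.1": "14.1.60.0", "15.0": "15.0.35.0"},
}


def classify(version: str, fixed_by_branch: Dict[str, str]) -> str:
    """'patched', 'vulnerable', or 'unknown' when the branch is not listed.

    'unknown' is kept separate on purpose: a branch the advisory does not
    cover may be unaffected, end-of-life, or simply missing from the table,
    and each of those needs a human decision rather than a silent default.
    """
    v = parse_version(version)
    branch = f"{v[0]}.{v[1]}"
    if branch not in fixed_by_branch:
        return "unknown"
    return "patched" if v >= parse_version(fixed_by_branch[branch]) else "vulnerable"


def fleet_report(devices: List[Device], advisory_id: str) -> Dict[str, object]:
    """Counts per state plus the vulnerable share among assessable devices."""
    fixed = ADVISORY_FIXED[advisory_id]
    counts = {"vulnerable": 0, "patched": 0, "unknown": 0}
    per_device: Dict[str, str] = {}
    for d in devices:
        state = classify(d.csme_version, fixed)
        counts[state] += 1
        per_device[d.name] = state
    assessable = counts["vulnerable"] + counts["patched"]
    share = counts["vulnerable"] / assessable if assessable else 0.0
    return {"advisory": advisory_id, "counts": counts,
            "vulnerable_share": share, "devices": per_device}


if __name__ == "__main__":
    r = fleet_report(INVENTORY, "INTEL-SA-00391")
    print(f"{r['advisory']}: {r['counts']} "
          f"({r['vulnerable_share']:.0%} of assessable devices vulnerable)")
    for name, state in r["devices"].items():  # type: ignore[union-attr]
        print(f"  {name}: {state}")
```

The version string itself is collected per device, for example with Intel's MEInfo utility; the point of the script is the comparison rule, which is tuple order within a branch and nothing across branches, since a higher branch number does not imply a later fix date.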

"Connecting an untouched-ME vPro laptop to corporate resources exposes the organization to a class of compromise that defeats the host security stack in its entirety," Goodacre concludes. "The exposed controls include BitLocker full-disk encryption, FIDO2-protected sign-in, endpoint detection and response, the host firewall and the corporate VPN."

The disagreement between Francillon and Goodacre is not about whether the vulnerability exists. Both confirm it does. Both confirm AMD faces the same issue. Both confirm software alone cannot fix it. The disagreement is about whether operational controls, Francillon's fortress walls, make an architectural backdoor irrelevant in practice, or merely reduce its exploitability while leaving nation state actors with a path through.

For SecNumCloud operators processing sensitive government or industrial data, the distinction is not academic. It's worth noting that SecNumCloud is designed for a higher level of security than standard cloud certifications, but is not intended for classified or restricted government data. The threat that can still slip through Francillon's fortress walls is precisely the threat SecNumCloud was designed to keep out.

The gap nobody names

Goodacre told The Register he tested awareness of the Management Engine with various attendees at the CyberUK conference in April 2026. "Almost nobody" knew about it, he reports. The gap between the sovereignty rhetoric and the silicon reality is not being surfaced in policy discussions, procurement decisions, or public debate over what digital sovereignty means.

The debate that does happen, hybrid versus non-hybrid, Google/Thales versus pure European providers, focuses on operational control and legal structure. It doesn't address the shared silicon foundation. Strubel's LinkedIn post pushes back against the framing: "Imagining this problem is limited to hybrid cloud offerings is pure fantasy that doesn't survive confrontation with facts." Every cloud provider, hybrid or not, depends on components they don't fully control. The distinction isn't hybrid versus sovereign. It's what you're defending against, and whether the controls you're implementing address that threat.

There is no immediate solution. RISC-V, the open source processor architecture European sovereignty advocates point to as a long-term alternative, remains years from competitive performance in datacenter workloads. "It will take a long time," Francillon says flatly. Arm is a cautionary precedent: it took nearly 20 years from the first server attempts before Arm achieved any meaningful datacenter presence.

Can sovereignty exist on compromised silicon?

For Goodacre, the bottom line is simple: the Tier-3 supply chain residual is "the irreducible cost of buying silicon with a Ring -3 manageability engine." Francillon argues that operational controls, including network isolation, monitoring, and threat modeling, make the backdoor unreachable except in very high-end attacks. Strubel acknowledges hardware dependencies are real but maintains that SecNumCloud provides valuable protection for what it does cover: legal control, kill-switch resistance, defense against cyberattacks and insider threats.

The disagreement is not about technical facts. It's about risk tolerance and threat model calibration. For European CIOs choosing SecNumCloud-certified providers, the question to ask vendors is: how do you address the Intel Management Engine and the AMD Platform Security Processor in your threat model? The answer will clarify whether the vendor treats the hardware layer as out of scope, or has implemented controls that reduce but don't eliminate the exposure.

For European policymakers, the question is broader. Can digital sovereignty exist on non-sovereign silicon? The current frameworks don't answer that question. They certify operational controls, legal structure, and autonomous execution capability. They don't certify silicon-layer immunity, because the hardware is American or Chinese, subject to American or Chinese law, designed with management engines that European authorities didn't specify, cannot legally compel on their own terms, and cannot change.

Whether that is a gap worth addressing, or a risk worth accepting as the unavoidable cost of participating in global technology supply chains, is a question Europe will need to answer for itself. ®
