Joined 3 days ago
Cake day: June 4th, 2026

  • The four-tier procurement model is the most concrete part here, but probably also the hardest to implement well, because “European provider” is not a simple yes/no category.

    From reviewing around 180 EU and privacy-focused tools, I saw the same pattern repeatedly: a vendor can be EU-headquartered but US-funded, EU-owned but hosted on AWS or GCP, or open source but still using US sub-processors. Any of these can bring back the same “kill switch” or CLOUD Act exposure the top tier is meant to avoid.

    So the model depends heavily on the definition of “sovereign.” If it only means “EU-registered company,” many providers in the top tier may still have US ownership, funding, or infrastructure underneath.

    If it means ownership, hosting, and sub-processors all need to check out, then the real pool of qualifying providers is much smaller than it looks. But it’s totally possible to build using completely sovereign providers; it’s just that in some cases the quality is a bit behind. I’m curious where the final criteria will land.