Policy enforcement (guardrails)
Why important?
Technical enforcement of rules (ex ante) prevents invalid states and reduces misconfiguration.
How measured?
Scale 0–5 + N/A:
- 0 = No central guardrails / no policy enforcement mechanisms
- 1 = Manual/best effort, no enforceable policy
- 2 = Basic policies, but gaps/no central enforcement
- 3 = Central policy enforcement (e.g., org/SCPs, baselines) for core scope
- 4 = Strong guardrails + templates + monitoring/remediation integrated
- 5 = End-to-end guardrails (policy-as-code) + continuous compliance/evidence documented
- N/A = no reliable evidence
Sources / Evidence
Validation questions (RFP)
- Which policies can be technically enforced (e.g., mandatory encryption, region restrictions, network/egress rules)? Are there org-wide guardrails & exceptions?
Scores comparison
| Providers | Score | Notes |
|---|---|---|
| Microsoft Sovereign Cloud | 4.0 | |
| Oracle EU Sovereign Cloud | 4.0 | |
| STACKIT | 3.0 | |
| Exoscale | 2.0 | |
| IONOS Cloud | 2.0 | |
| OVHcloud Public Cloud (incl. SecNumCloud) | 2.0 | |
| Scaleway | 2.0 | |
| SysEleven OpenStack Cloud | 2.0 | |
| Cloud Temple Trusted Cloud | 3.0 | Console (Shiva) with IAM/RBAC. SecNumCloud requires access control. Policies configurable via console. Guardrails implied by SecNumCloud requirements. |
| Infomaniak Public Cloud | 2.0 | OpenStack RBAC/IAM (Keystone). Project-based quotas/limits. Infomaniak Manager for user management. No org-wide policy guardrails (OPA/Config) documented. |
| UpCloud | 2.0 | |
| noris Sovereign Cloud | 2.0 | |
| pluscloud open | 2.0 | |
| Hetzner Cloud | 1.0 | |
| AWS European Sovereign Cloud | N/A | |
| Delos Cloud | N/A | |
| T Cloud Public | N/A | |