Law 2: Mandate Compliance

Three categories must operate at Position 1, 2 or 3. Strict reading of laws Europe has already written.

Maps to Manifesto Demand 2.


Principle

Three categories of workload must operate at Position 1, 2, or 3 across every layer of their applicable sovereignty stack: DORA-regulated financial services, NIS2-regulated essential and important entities, and European public procurement above threshold. The mandate is binary, full-stack, and enforced through existing European legal instruments interpreted strictly. By 2030, every workload in scope meets the test or is non-compliant. The mandate does not apply to general European businesses, to European consumers, or to commercial activity outside the regulated categories.

Compliance is the demand that lets European companies grow. Europe has written the laws (DORA, NIS2, GDPR, MiCA, the AI Act, the Cyber Resilience Act, the public procurement directives) without building the infrastructure those laws assume. Mandate Compliance closes the gap by activating the strict reading of the existing laws for the existing in-scope categories. No new regulatory expansion is required.


Mechanism

The mandate operates by activating the strict reading of laws already on the European statute book, applied to the three in-scope categories.

DORA-regulated entities. Approximately five thousand financial-services firms across the EU, regulated under the Digital Operational Resilience Act for ICT third-party concentration risk, exit-plan readiness, and supply-chain due diligence. DORA enters supervision in January 2025 with full enforcement following. Sovereignty requirements are derived from Articles 28-30 read strictly.

NIS2 essential and important entities. Tens of thousands of operators of essential services and important entities across critical sectors (energy, transport, banking, health, water, digital infrastructure, public administration, others) regulated under the second Network and Information Security Directive. NIS2 has been in force since October 2024, with member-state transposition completing through 2025. Sovereignty requirements are derived from Article 21 (cybersecurity risk-management measures, supply-chain due diligence) read strictly.

European public procurement. Every EU institution, every member-state government, every public-sector body, every EU-funded research programme, every public procurement vendor bidding for contracts above threshold under the public procurement directives. The procurement directives permit national-security and strategic-autonomy exceptions that can be exercised consistently across member states to require sovereign infrastructure for in-scope contracts.

DORA Article 28 (third-party concentration risk), NIS2 Article 21 (supply-chain due diligence), GDPR Articles 44-49 (international transfers under Schrems II for in-scope personal-data processing), the AI Act high-risk classifications (for AI systems used by in-scope entities), the CRA secure-by-design and SBOM requirements (for manufacturers serving in-scope buyers), and the public procurement directives all permit a strict-reading interpretation that requires sovereign infrastructure for in-scope workloads. The mandate is the binding interpretive instruction. Regulators apply the strict reading. Procurement officers comply.

The mandate covers every layer of the applicable sovereignty stack. Partial mandates leak. Mandate only the application layer, and the data centre is foreign. Mandate only the data centre, and the chips are foreign. Mandate the cloud and the cables, and the payment processor remains foreign-jurisdictional. Every unmandated layer is a chokepoint. The mandate must reach every layer.

Where sovereign supply does not yet exist at a layer (silicon is the cleanest case), the mandate operates in two phases under the Phased Compliance pattern. Phase 1 requires sovereign conformance at every layer where sovereign supply exists today, with the missing layer permitted at Position 4 under a documented exception. Phase 2 raises the requirement to full-stack conformance the moment sovereign supply becomes available, with the upgrade date signalled in advance so private capital can plan against it. The threshold ratchets upward over time.

The mandate sets eligibility rules for in-scope workloads. It does not give money to specific firms. Within the eligible pool, multiple sovereign suppliers compete on price, capability, and service. This is the European version of Buy American, applied through eligibility rules rather than subsidy. (See Law 5 on the state-aid carve-out for cases where pooled European investment is required upstream of market-creation.)


Outcomes

Mandated workloads produce predictable, regulated, jurisdictionally clean demand that European suppliers can plan against. Five thousand DORA-regulated entities, tens of thousands of NIS2 entities, twenty-seven member-state public procurement budgets, Eurosystem operations, and European-anchored international institutions all become anchor customers under the mandate. This is the Anchor Demand pattern at scale.

That anchor demand produces predictable cashflow with regulatory moat: foreign suppliers cannot enter the mandated market. Predictable cashflow with a moat is utility-grade investable. Capital that previously refused European sovereign infrastructure prices it as utility yield. (See Law 3 for the full investment architecture.)

Without the mandate, the first European institution to switch to sovereign infrastructure pays a cost penalty while its competitors enjoy cheaper non-sovereign options. With the mandate, the first sovereign supplier into a previously unsovereign layer gets immediate access to the entire mandated customer base. The collective-action trap is dissolved. The economics flip from “build it and they might come” to “build it and they must come.”

Regulated entities that today carry the burden of compliance with European law on non-European infrastructure (DORA exit plans, NIS2 supply-chain mappings, GDPR transfer impact assessments) replace it with operational compliance. The map disappears because the territory is European.

Each domain paper applies the mandate to its stack. Paper 5 to the cryptographic migration. Paper 12 to the stablecoin stack. Paper 16 to the cable stack. Paper 18 to the military stack. Paper 21 to the identity stack. Paper 22 to the medical stack. Paper 24 to the open-source platform stack. The mandate’s specification varies by stack. The mandate’s logic is constant.


Operational specifications

Four-tier procurement architecture. Tier 1: public-sector spending (EU institutions, member-state governments, public bodies, EU-funded research, public procurement vendors above threshold). Tier 2: regulated sovereignty-critical entities (DORA, NIS2 essential, CRA-regulated, Eurosystem, European-anchored international institutions). Tier 3: all European code or infrastructure that benefits from open exchange, with default-mirror baseline and conditional escalation to primary-host where bilateral reciprocity fails. Tier 4 (universal mirror): rolling mirror of public open-source globally for commons preservation. Tier 1 and Tier 2 require primary-host; mirror-only is not permitted because the audit trail must be sovereign. (Paper 24 Component 3.)

Phased compliance specification. Year 1 of the mandate: every layer with current sovereign supply must be sovereign for in-scope workloads, with documented exceptions for layers without supply. Years 3-5: ratchet thresholds upward, narrow exceptions, require sovereign supply for additional layers as it emerges. Years 5-8: full-stack conformance required for all in-scope workloads. Targets are calibrated to the supply pipeline. The Cyber Resilience Act enforcement window (December 2027) and the Multiannual Financial Framework cycle (2028-2034) provide the structural calendar.

Compellability-derived exclusion. Any entity compellable under non-European law (per Law 1) is excluded from the mandated market by definition. The exclusion is automatic and does not require enforcement against individual procurement officers. The Stack Compliance Body certifies eligibility; procurement officers procure from the certified list.

The Stack Compliance Body. A European body that certifies offerings against Define Sovereignty (Law 1) at every layer of their applicable sovereignty stack, and against operational readiness for the workload class for which certification is sought. Readiness is a real test, not paperwork: the body verifies that the offering performs the workload at the required scale, with the required reliability, under realistic operating conditions. Certifications are issued per offering, per stack, per workload class. The body’s certified list is the procurement-eligible list for the three in-scope mandated categories. The body operates under the same institutional model as the European cryptographic standards body (Law 4): non-alienable European foundation, statutory mission, secondee staffing from member-state agencies, multi-party oversight. The body’s full operational design sits at the intersection of Define Sovereignty (which it tests against) and Mandate Compliance (which depends on its certifications) and is lodged here because Mandate Compliance is the law that operationalises its output.

Buy European as procurement instrument. The mandate’s procurement instrument in public-sector spending is Buy European: a preference rule that aligns with WTO Government Procurement Agreement exceptions where applicable and operates through market definition where strict preference is not.


Where this sits in the series

  • Paper 2: The Sovereignty Stack. Mandate applied to the software stack: firmware, hypervisors, DNS, certificate authorities, software supply chain.
  • Paper 5: The Quantum Resilience Paradox. Mandate applied to the post-quantum cryptographic migration. DORA-regulated financial services as the first wave.
  • Paper 8: The Pipeline Europe Never Built. EuroStack three pillars (Buy European, Sell European, Fund European).
  • Paper 12: The Stablecoin Stack. Mandate applied to the seven-layer stablecoin stack.
  • Paper 16: The Submarine Cable Question. Mandate applied to the four-layer cable path.
  • Paper 20: The AI Europe Rents. Mandate applied to the AI stack.
  • Paper 24: The Open Source Sovereignty Gap. Four-tier procurement architecture. CRA enforcement window as the forcing function.
  • Paper 26: The Sovereign Incentive Model. Mandate → cashflow → investable asset class.