SCOPE

Sovereignty Control & Operational Posture Evaluation

An open framework for assessing digital sovereignty maturity. 12 dimensions. 5 levels. One clear picture of your organization's sovereignty posture.

Built to make sovereignty trade-offs explicit and comparable.

Framework v0.9

Digital Sovereignty Control Matrix

Dimensions (columns): Identity, Keys, Residency, Processing, Legal, Audit, Network, Compute (draft), Supply Chain (draft), Exit (draft), Incidents (draft), Governance (draft)

L0 Unaware

Identity (IAM-L0): No formal identity management; shared credentials and absent access controls expose the organisation to unquantified risk.
Keys (KEYS-L0): No encryption policy exists. Default provider-managed encryption may be active but is neither understood nor governed. Key custody, rotation, and lifecycle management are entirely unconsidered.
Residency (RES-L0): No awareness of where data is physically stored, processed, or replicated. The organisation has no data residency policy and data may reside in any region at the provider's discretion.
Processing (PROC-L0): No awareness of where or how data is processed; the provider operates without restrictions on processing location, method, or access.
Legal (LEGAL-L0): No legal review of cloud service agreements. Click-through Terms of Service accepted without scrutiny. No Data Processing Agreements in place. The organisation has no visibility into its contractual exposure.
Audit (AUDIT-L0): No logging strategy exists. Default provider logs may be active but are neither reviewed nor governed. There is no retention policy, no audit trail, and no forensic capability.
Network (NET-L0): No awareness of network infrastructure dependencies; DNS, CDN, and connectivity are unmanaged or entirely delegated without oversight.
Compute (COMP-L0, draft): No awareness of where or how compute workloads execute; runtime environments are unmanaged and undocumented.
Supply Chain (SUPPLY-L0, draft): No visibility into software dependencies or third-party components; no SBOM exists and supply chain risks are unquantified.
Exit (EXIT-L0, draft): No exit plan exists; the organisation has not considered the possibility of migrating away from current providers.
Incidents (IR-L0, draft): No incident response plan exists; security incidents are discovered accidentally and handled ad-hoc with no defined process.
Governance (GOV-L0, draft): No governance framework exists for digital sovereignty; compliance is reactive and ad-hoc with no organisational accountability.

L1 Dependent

Identity (IAM-L1): Identity is managed through a cloud provider's native IAM service with limited organisational control over the identity lifecycle and data residency.
Keys (KEYS-L1): Provider-managed encryption is acknowledged and documented. The organisation relies entirely on the cloud provider for key generation, storage, and rotation. Key material remains under provider custody with no customer-controlled options exercised.
Residency (RES-L1): Data resides in provider-default regions with no residency guarantees. The organisation is aware that data location matters but relies entirely on the provider's infrastructure decisions, which typically favour US or multi-region deployments.
Processing (PROC-L1): Provider controls the processing pipeline on shared multi-tenant infrastructure; the organisation has basic awareness but no technical isolation or enforceable processing constraints.
Legal (LEGAL-L1): Standard provider contracts accepted as-is. Basic DPAs signed using provider templates. No negotiation leverage exercised. US or foreign jurisdiction clauses accepted without challenge.
Audit (AUDIT-L1): Logging is active through provider-managed services (CloudWatch, Azure Monitor, GCP Cloud Logging). The provider controls log format, storage location, retention defaults, and access mechanisms. Export options are limited or unused.
Network (NET-L1): Network infrastructure is fully managed by a single cloud or ISP provider with no organisational control over routing, DNS, or CDN configuration.
Compute (COMP-L1, draft): All compute workloads run on a single SaaS or PaaS provider with no portability or fallback capability.
Supply Chain (SUPPLY-L1, draft): Basic dependency tracking exists but relies entirely on provider-managed tools with no independent verification or policy enforcement.
Exit (EXIT-L1, draft): Basic data export capability exists but no structured exit plan; migration would require significant effort and extended downtime.
Incidents (IR-L1, draft): Incident response depends entirely on external providers; the organisation relies on its cloud or managed service provider to detect and respond to security events.
Governance (GOV-L1, draft): Compliance is managed through provider-supplied certifications and attestations with no independent organisational governance of sovereignty.

L2 Contractual

Identity (IAM-L2): Identity management is backed by formal contractual obligations including DPAs, data-residency clauses, and federation standards, but the provider still controls the identity store.
Keys (KEYS-L2): BYOK options are contractually available and the DPA addresses key handling obligations. However, the provider retains technical access to key material through platform architecture. Contractual controls exist but technical sovereignty over keys is not yet achieved.
Residency (RES-L2): Data residency is governed by contractual agreements. DPAs specify EU/EEA or Swiss storage, and SCCs with supplementary measures are in place. However, enforcement is contract-based rather than technically verified, and providers may process metadata or support data outside agreed regions.
Processing (PROC-L2): Data processing agreements define scope, purpose limitation, and sub-processor governance, but technical processing controls remain with the provider.
Legal (LEGAL-L2): Negotiated DPAs and Standard Contractual Clauses in place. Legal review of sub-processors conducted. However, providers retain the right to unilateral ToS changes and liability caps remain limited.
Audit (AUDIT-L2): Log retention and export requirements are formalised in DPAs and service contracts. Automated log export to organisation-controlled storage is operational. However, the provider still generates and initially processes all log data, retaining access to logs and metadata.
Network (NET-L2): Network infrastructure controls are defined through contracts and SLAs with providers, including DNS management rights, CDN configuration authority, and data-residency commitments for network metadata.
Compute (COMP-L2, draft): Compute environments are governed by contracts specifying region selection, resource guarantees, and processing constraints.
Supply Chain (SUPPLY-L2, draft): Supply chain requirements are formalised through contracts with vendors and internal policies for dependency management.
Exit (EXIT-L2, draft): Contracts include portability clauses, data export in open formats, and defined transition assistance from providers.
Incidents (IR-L2, draft): Incident response SLAs are contractually defined with providers, and the organisation has basic internal playbooks and notification procedures.
Governance (GOV-L2, draft): A formal compliance programme exists with documented policies, regular assessments, and contractual compliance requirements for providers.

L3 Controlled

Identity (IAM-L3): The organisation operates a self-managed identity provider as the authoritative source, federating outward to cloud services while retaining technical control over authentication, directory data, and access policy enforcement.
Keys (KEYS-L3): Customer-managed keys are implemented with HSM-backed storage. Key material resides in EU/Swiss jurisdiction under customer control. The provider cannot access plaintext key material. Key rotation, revocation, and lifecycle management are fully under customer governance.
Residency (RES-L3): Data residency is technically enforced through geo-fencing, region-locked replication, and active monitoring. The organisation operates within defined data sovereignty zones and conducts regular audits to verify that data does not leave approved jurisdictions.
Processing (PROC-L3): Confidential computing, jurisdiction-restricted processing, technical isolation, and comprehensive audit logging provide verifiable control over data processing.
Legal (LEGAL-L3): Custom enterprise agreements with EU/Swiss governing law. Bilateral termination rights and data portability clauses enforced. Escrow arrangements protect against provider failure. CLOUD Act risk mitigated through contractual and structural measures.
Audit (AUDIT-L3): The organisation operates a self-managed SIEM (e.g., Wazuh, ELK/OpenSearch) with logs stored in a sovereign jurisdiction. Tamper-proof log storage, real-time alerting, and provider log forwarding to the organisation's SIEM are operational. Independent forensic capability is established.
Network (NET-L3): The organisation self-manages critical network components including DNS, firewalls, and CDN edge nodes, with multi-provider redundancy and infrastructure-as-code governance.
Compute (COMP-L3, draft): The organisation self-manages containerised workloads on Kubernetes or equivalent orchestration, with tested multi-provider deployment capability.
Supply Chain (SUPPLY-L3, draft): Full SBOM generation with automated vulnerability scanning, private package registries, and verified dependency provenance.
Exit (EXIT-L3, draft): Tested migration plans exist for all critical providers with validated runbooks, rehearsed procedures, and confirmed alternative environments.
Incidents (IR-L3, draft): Self-managed security operations centre with independent detection, investigation, and containment capabilities across all environments.
Governance (GOV-L3, draft): Integrated sovereignty governance with a cross-functional board, sovereignty-aware procurement, and continuous compliance monitoring across all dimensions.

L4 Autonomous

Identity (IAM-L4): Fully self-hosted identity infrastructure with zero external provider dependency; the organisation holds complete, exclusive control over all authentication, authorisation, and identity lifecycle operations.
Keys (KEYS-L4): Full cryptographic sovereignty is achieved through self-hosted HSM infrastructure and on-premises key management. Zero provider access to key material at any stage. The organisation controls the complete key lifecycle from root key generation through destruction, with no external dependencies.
Residency (RES-L4): Complete control over data's physical location through self-hosted infrastructure or a sovereign cloud provider with no foreign-jurisdiction parent company. No cross-border transfers occur, and the organisation has full authority over hardware, facilities, and administrative access.
Processing (PROC-L4): Self-hosted processing infrastructure with full hardware and software stack control, zero provider access during processing, and air-gapped options for the most sensitive workloads.
Legal (LEGAL-L4): Full contractual sovereignty achieved. Infrastructure is self-hosted or operated by sovereign cloud providers under exclusively local jurisdiction. No foreign law exposure. Open-source stacks eliminate vendor lock-in and the need for proprietary licensing agreements.
Audit (AUDIT-L4): Fully self-hosted logging infrastructure on organisation-owned hardware. Cryptographically signed audit trails with independent timestamping. Air-gapped log archive for critical records. Complete forensic capability with no provider log dependency: all telemetry is generated by organisation-controlled agents.
Network (NET-L4): Fully sovereign network infrastructure with own AS number, IP space, BGP peering at European IXPs, self-hosted DNS (authoritative and recursive), and organisation-operated DDoS mitigation with no single external dependency.
Compute (COMP-L4, draft): Fully sovereign compute infrastructure with organisation-owned or co-located hardware, confidential computing capabilities, and complete runtime independence.
Supply Chain (SUPPLY-L4, draft): Fully audited sovereign supply chain with source-level review of critical dependencies, maintained forks of essential components, and end-to-end provenance guarantees.
Exit (EXIT-L4, draft): Fully portable infrastructure with provider-agnostic architecture; switching providers is a routine operational procedure with minimal disruption.
Incidents (IR-L4, draft): Fully sovereign incident response with advanced threat hunting, automated orchestration, threat intelligence sharing, and complete forensic independence.
Governance (GOV-L4, draft): Industry-leading sovereignty governance with active contribution to standards bodies, public transparency, and continuous improvement across all dimensions.


How It Works

1. Browse: Explore the 12 sovereignty dimensions and understand what each maturity level means for your organization.

2. Assess: Use the interactive assessment tool to rate your organization across all dimensions. Everything stays in your browser.

3. Export: Download your assessment as JSON for portability or as an image for presentations. Compare current vs. target state.
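The assess-and-export steps above, modelled as an added example that is not part of the SCOPE project's own tooling: the dimension codes, level names and draft markers come from the matrix; the sample current and target ratings are constructed, and the gap and floor calculations are this example's own convention, not a scoring rule the framework defines.

```python
"""Minimal SCOPE assessment model: current vs. target level per dimension, gap report, JSON export."""
import json

# Dimension codes and names as they appear in the SCOPE v0.9 control matrix.
DIMENSIONS = {
    "IAM": "Identity", "KEYS": "Keys", "RES": "Residency", "PROC": "Processing",
    "LEGAL": "Legal", "AUDIT": "Audit", "NET": "Network", "COMP": "Compute",
    "SUPPLY": "Supply Chain", "EXIT": "Exit", "IR": "Incidents", "GOV": "Governance",
}
DRAFT = {"COMP", "SUPPLY", "EXIT", "IR", "GOV"}   # dimensions marked "draft" in v0.9
LEVELS = ["Unaware", "Dependent", "Contractual", "Controlled", "Autonomous"]  # L0..L4

# Constructed sample ratings (hypothetical organisation), not data from the page.
SAMPLE_CURRENT = {"IAM": 3, "KEYS": 2, "RES": 2, "PROC": 1, "LEGAL": 2, "AUDIT": 3,
                  "NET": 1, "COMP": 2, "SUPPLY": 1, "EXIT": 0, "IR": 1, "GOV": 2}
SAMPLE_TARGET = {code: 3 for code in DIMENSIONS} | {"EXIT": 2}


def validate(ratings: dict) -> None:
    """Reject unknown or missing dimensions and any level outside L0..L4."""
    unknown, missing = set(ratings) - set(DIMENSIONS), set(DIMENSIONS) - set(ratings)
    if unknown or missing:
        raise ValueError(f"unknown={sorted(unknown)} missing={sorted(missing)}")
    bad = {d: v for d, v in ratings.items() if not (isinstance(v, int) and 0 <= v <= 4)}
    if bad:
        raise ValueError(f"levels must be integers 0..4: {bad}")


def gap_report(current: dict, target: dict) -> dict:
    """Per-dimension gap between current and target state, plus the weakest dimensions."""
    validate(current)
    validate(target)
    dims = {}
    for code, name in DIMENSIONS.items():
        cur, tgt = current[code], target[code]
        dims[code] = {"name": name, "draft": code in DRAFT,
                      "current": f"{code}-L{cur} {LEVELS[cur]}",
                      "target": f"{code}-L{tgt} {LEVELS[tgt]}",
                      "gap": tgt - cur}      # negative: current already exceeds target
    floor = min(current.values())           # lowest level reached in any dimension
    return {"framework": "SCOPE v0.9", "dimensions": dims, "floor_level": floor,
            "weakest": sorted(c for c, v in current.items() if v == floor),
            "total_gap": sum(max(0, d["gap"]) for d in dims.values())}


def export_json(report: dict) -> str:
    """Serialise the report in the portable JSON form the Export step produces."""
    return json.dumps(report, indent=2, sort_keys=True)


if __name__ == "__main__":
    print(export_json(gap_report(SAMPLE_CURRENT, SAMPLE_TARGET)))
```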