Cloud Sovereignty Index

Frequently Asked Questions

What this tool is, how it works, and what it won't do.

Purpose & context

What is the Cloud Sovereignty Index?

It is a structured self-assessment instrument that lets organisations evaluate how well a cloud service supports their digital sovereignty goals. You answer a set of questions about a cloud provider or deployment, and the tool produces a weighted score from 0–100% and a SEAL level from 0 (No Sovereignty) to 4 (Full Digital Sovereignty).

Why does this tool exist?

Cloud sovereignty is increasingly relevant for public administrations, regulated industries, and any organisation that needs to retain meaningful control over its data and operations in the cloud. Existing frameworks (BSI C5, EU-CSF) are technically sound but require significant expertise to apply. This tool makes those criteria accessible as an interactive questionnaire with plain-language questions and immediate scoring.

Is this a certification or a legal opinion?

No. This is a self-assessment instrument, not a certification. Per the BSI C3A §1.1: "The C3A Framework is not binding in itself." The score is indicative only and depends entirely on the accuracy and honesty of the answers provided. The result carries no legal weight and should not be treated as a substitute for formal audit, legal advice, or procurement due diligence.

Are you affiliated with BSI, the European Commission, or any standards body?

No. The Cloud Sovereignty Index is an independent project. We are not affiliated with the German Federal Office for Information Security (BSI), the European Commission, ENISA, or any other standards body. We reference and apply their published frameworks — specifically BSI Criteria Enabling Cloud Computing Autonomy (C3A) v1.0 and EU Cloud Sovereignty Framework v1.2.1 — but we do not speak on their behalf. See the Methodology page for a full list of source documents.

Germany, the EU, and other countries

Why does the source material reference Germany?

The BSI C3A criteria were developed by Germany's federal cybersecurity authority (BSI) and were written with German public administration as the reference context. This means some criteria — such as "data must be stored within a specific jurisdiction" or "the provider must be registered under national law" — originally referred to German territory or German law.

This tool systematically replaces those references with geographic placeholders ({{COUNTRY}}, {{BLOC}}, etc.) that are resolved at assessment time based on the country you select. So when you run an assessment for France, the questions will read "…stored in France" and "…registered under French law." This substitution is a simulation of how the criteria would apply — national legislation and administrative structures will differ. The Decisions Register documents every such adaptation.

What is the difference between the EU assessment and the Global assessment?

The EU / EEA assessment uses the EU Cloud Sovereignty Framework (EU-CSF) as its primary lens. Questions reference the EU as the bloc-level jurisdiction. For EU or EEA member states, you can additionally select a specific country to unlock a second tier of criteria: these are the national-level questions, which are strictly more demanding than the EU-level requirement. For example, "data stored in the EU" (EU tier) vs. "data stored in France" (national tier).

The Global assessment adapts the same criteria for any country outside the EU/EEA. The "bloc" level is replaced by your selected country's jurisdiction. Only the bloc-level (country-level) questions are shown — there is no second tier because the source framework does not define sub-national criteria in the global context.

How accurate is the country-level adaptation for non-EU countries?

The geographic substitution is a best-effort adaptation. The underlying criteria were written for the EU regulatory environment. Concepts like "supervisory authority" or "emergency regime" map directly to most legal systems, but details of national law will differ significantly. For non-EU countries, treat the score as a directional indicator of how a cloud provider would fare under equivalent criteria, not as a precise regulatory compliance measurement. Country-specific legal review is always needed for compliance decisions.

If I select France (EU), which questions appear?

For each tiered criterion, you first see the France-specific (national tier) question. If you answer Yes, the EU-level requirement is automatically satisfied and no further question is shown for that criterion. If you answer No, Partial, or N/A, the EU-level fallback question appears immediately below, so you can still satisfy the EU-level requirement even if you cannot meet the stricter France-level bar.

Scoring & SEAL levels

What do the answer options mean?

  • Yes — the criterion is fully met. Full points, counts toward SEAL level.
  • No — the criterion is not met. Zero points, does not count toward SEAL.
  • Partial — the criterion is partially met. Half points, but does not count toward SEAL (the SEAL level uses a weakest-link rule).
  • N/A — the criterion does not apply to this deployment. Excluded from both numerator and denominator, so it does not penalise the score.

What is the SEAL level?

SEAL stands for Sovereignty Evaluation and Assurance Level. It is a 0–4 scale: 0 = No Sovereignty, 1 = Jurisdictional Sovereignty, 2 = Data Sovereignty, 3 = Digital Resilience, 4 = Full Digital Sovereignty. Each criterion contributes to a specific SEAL level (1–4). The SEAL level for an objective is the highest level L such that every criterion with seal_contribution ≤ L has been answered Yes — a single failed criterion at level 1 drops the objective to SEAL 0. The overall SEAL is the lowest SEAL across all objectives (weakest link across all dimensions).

Why is my overall score high but my SEAL level low?

The percentage score and the SEAL level measure different things. The score is a weighted average of how many points you earned across all questions — partial answers count toward it. The SEAL level is a strict threshold: a single No or Partial on a foundational criterion (SEAL contribution level 1) drops the objective to SEAL 0, regardless of how well you scored on everything else. This is intentional — the SEAL level is designed to identify the most critical sovereignty gaps, not be averaged away.
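The following sketch works through the answer options and the SEAL rule described above, showing how a 75% score can coexist with SEAL 0. It is an added example, not the project's published scoring engine. Apart from seal_contribution, the field names (objective, weight, answer), the weights, and the sample answers are assumptions, as is skipping N/A criteria in the SEAL check, which the page does not specify.

```javascript
// Added example: only seal_contribution is a name taken from the page.
const POINTS = { yes: 1, partial: 0.5, no: 0 }; // n/a earns nothing and is excluded

// Weighted percentage: N/A drops out of both numerator and denominator.
function scorePercent(criteria) {
  let earned = 0, possible = 0;
  for (const c of criteria) {
    if (c.answer === "n/a") continue;
    earned += POINTS[c.answer] * c.weight;
    possible += c.weight;
  }
  return possible === 0 ? null : Math.round((earned / possible) * 100);
}

// Highest L (0-4) such that every criterion with seal_contribution <= L is Yes.
// Partial fails the check. Assumption: N/A criteria are skipped here as well.
function objectiveSeal(criteria) {
  let level = 0;
  for (let L = 1; L <= 4; L++) {
    const ok = criteria
      .filter((c) => c.seal_contribution <= L && c.answer !== "n/a")
      .every((c) => c.answer === "yes");
    if (!ok) break;
    level = L;
  }
  return level;
}

// Overall SEAL: the lowest objective SEAL (weakest link).
function overallSeal(criteria) {
  const byObjective = new Map();
  for (const c of criteria) {
    if (!byObjective.has(c.objective)) byObjective.set(c.objective, []);
    byObjective.get(c.objective).push(c);
  }
  if (byObjective.size === 0) return 0;
  return Math.min(...[...byObjective.values()].map(objectiveSeal));
}

// Constructed sample: one Partial on a level-1 criterion, one N/A, one No.
const SAMPLE = [
  { objective: "jurisdiction", seal_contribution: 1, weight: 1, answer: "partial" },
  { objective: "jurisdiction", seal_contribution: 2, weight: 2, answer: "yes" },
  { objective: "jurisdiction", seal_contribution: 3, weight: 2, answer: "yes" },
  { objective: "data", seal_contribution: 1, weight: 1, answer: "yes" },
  { objective: "data", seal_contribution: 2, weight: 2, answer: "yes" },
  { objective: "data", seal_contribution: 3, weight: 2, answer: "n/a" },
  { objective: "data", seal_contribution: 4, weight: 2, answer: "no" },
];
console.log(scorePercent(SAMPLE), overallSeal(SAMPLE));
```

The single Partial on the level-1 jurisdiction criterion still earns half points toward the percentage, but it caps that objective at SEAL 0, and the weakest-link rule carries that through to the overall level.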

Who can use this tool

Who is this tool designed for?

The instrument is designed to be used by anyone who needs to evaluate a cloud service's sovereignty posture:

  • Cloud customers (public administrations, enterprises, NGOs) assessing a provider or a planned procurement.
  • Cloud providers doing a self-assessment of their own offering before a customer engagement.
  • Auditors and consultants producing a third-party assessment of a deployment on behalf of a client.
  • Researchers and policymakers comparing sovereignty postures across providers or jurisdictions using the public corpus.

Does the service model (IaaS, PaaS, SaaS…) change anything in the assessment?

From a sovereignty scoring perspective: no. The same set of criteria and the same scoring logic applies regardless of whether you are assessing an IaaS, PaaS, or SaaS service. The BSI C3A and EU-CSF criteria were written to be applicable across service models — sovereignty properties such as jurisdiction of data storage, legal access by third parties, or portability are relevant for all of them.

In practice, different service models place different responsibilities on the customer vs. the provider. An IaaS customer controls the software stack; a SaaS customer does not. Some questions may therefore be more or less applicable in practice — use N/A where a criterion genuinely does not apply to the deployment you are assessing.

Data & privacy

What data do you store?

We store your answers, the assessment metadata you provided (variant, country, service model, role), and the optional company name. All of this is stored under a random 128-bit UUID that you receive in the URL. That URL is the only access control — anyone who has it can read and modify the assessment.

We do not collect email addresses, IP addresses, browser fingerprints, or cookies. See the full Privacy page for details.

How long is the data kept?

Assessments that have not been accessed for 12 months are permanently deleted. There is no account, no login, no recovery path — if you lose the URL, the data is inaccessible. Save your URL or export a copy of your answers from the result page.

What is the public corpus?

When submitting an assessment, you can opt in to share an anonymised version of your results with the public corpus. If you do, we publish: your score, SEAL level, variant, country, service model, role, and the month/year of submission (not the exact date). Company name is never included. The corpus is browsable at /corpus and is intended for researchers and policymakers studying aggregate cloud sovereignty postures.

Can I audit your privacy claims?

Yes. The backend Workers code that handles data storage and the scoring engine are published as open source. You can verify that we do not log IPs, do not set cookies, and that the anonymisation applied to corpus entries matches what we describe. The link is on the Privacy page.

Offline template & import

Can I fill in the questionnaire offline or share it with my cloud provider?

Yes. From the setup page you can download a blank Excel template (.xlsx). The template includes a Setup sheet (country selection, company name), an EU Assessment sheet, a Global Assessment sheet, and a Privacy notice. Fill in the answer column for each question (accepted values: yes, no, partial, n/a), then upload the file on the same page to get a scored result instantly.

Why would I send the template to my cloud provider?

Some of the questions ask about internal controls, data processing agreements, or technical capabilities that only the provider can answer accurately. You can send the blank template to your provider's pre-sales, compliance, or security team and ask them to complete the answer column. Once returned, upload the file on the setup page to generate your assessment. You retain full control — nothing is submitted until you review and confirm.