Methodology
Instrument v3.0
1. Overview
The Cloud Sovereignty Index (CSI) is a structured self-assessment instrument for evaluating the sovereignty posture of cloud services. It supports three distinct, source-faithful assessment modes:
Source traceability: Every question carries a source reference (framework name + clause identifier) linking it to the original control it is derived from. Questions are written to be simple and directly answerable — editorial rewrites of framework legalese — but each one is bullet-proof traceable to its source clause. The source reference is shown below each question in the questionnaire and in the Source columns of the XLSX workbook.
EU-CSF — EU Cloud Sovereignty Framework v1.2.1 (European Commission)
Output: SEAL 0–4 per objective and globally. Scoring follows EU-CSF §4 (weakest-link gate) and §5 (objective weights). For EU procurement compliance scenarios.
C3A — BSI Criteria enabling Cloud Computing Autonomy v1.0 (BSI)
Output: % Criterion met + % Additional Criterion met (customer-selected). Binary pass/fail per criterion — no SEAL, no partial credit. Scope: SOV-1 through SOV-6 (C3A §1.2).
CSI Composite (CSI editorial framework)
Output depends on variant:
EU/EEA: CSL 0–4 (Cloud Sovereignty Level) per objective and globally — the same 0–4 weakest-link model as EU-CSF's SEAL, under the CSI name.
Non-EU (Generalized): Sovereignty Ladder tier — Dependent, Managed Dependency, Strategic Autonomy, or Sovereign — based on percentage score, capped by the weakest sovereignty domain. "planned" answers earn 25% of question points.
Scope: cloud sovereignty only. Security attestation (ISO 27001, SOC 2, BSI C5:2026) is assumed and not assessed by this instrument. C5 is presupposed, not a CSI source.
Users may select one, two, or all three modes for the same assessment. Results for each mode are completely independent — there is no combined cross-mode score.
2. Objectives & Weights
Weights apply to EU-CSF and CSI Composite modes. C3A uses SOV-1 through SOV-6 only.
* C3A covers SOV-1 through SOV-6 but uses binary pass/fail — the % weight column does not apply in C3A mode.
3. Output Formats by Mode
3.1 SEAL Levels
The SEAL (Sovereignty Effectiveness Assurance Level) is defined in EU-CSF §3 and is the output of EU-CSF mode. CSI Composite EU/EEA assessments apply the identical 0–4 weakest-link model under the CSI name CSL (Cloud Sovereignty Level); the level definitions below apply to both. Non-EU assessments using CSI Composite (Generalized) produce a Sovereignty Ladder tier instead — see §3.3.
3.2 C3A — Attainment Bands
C3A produces a conformity verdict per criterion and an attainment band per objective and globally. No percentages are shown — each criterion is either met or not met:
| Band | What it means |
|---|---|
| Not Attained | Core structural gaps — majority of mandatory controls not implemented, or a Layer A criterion not met. |
| Partially Attained | Some controls implemented but significant gaps remain. |
| Substantially Attained | Most mandatory controls operational with isolated gaps. |
| Fully Attained | All applicable mandatory controls met. |
Layer A sovereignty gate: Six criteria — extraterritorial legal exposure (SOV-2-01), audit rights (SOV-2-02), state-of-defense takeover (SOV-2-03), customer data jurisdiction (SOV-3-01), disconnect capability (SOV-4-09), and reconnect capability (SOV-4-10) — are blocking gates. Failure in any answered Layer A criterion overrides the global band to Not Attained regardless of overall criterion count (DR-E26).
- Criterion band: base criteria (c3a_tier = "base") — binary pass/fail, always in denominator.
- Additional Criterion band: AC criteria (c3a_tier = "additional") — only customer-selected ACs are in the denominator (C3A §1.4). If no ACs are selected, the AC result is null.
Partial and Planned answers count as not-met in C3A mode (the source is binary). Both answer options are hidden when C3A is the only selected mode; a warning is shown in mixed-mode assessments.
There is no SEAL level in C3A mode.
3.3 CSI Composite — Levels by Variant
For EU/EEA assessments, CSI Composite uses the same 0–4 weakest-link scale and gate as EU-CSF, named CSL (Cloud Sovereignty Level) rather than SEAL (see §3.1).
For non-EU (Generalized) assessments, CSI Composite uses the Sovereignty Ladder model:
| Tier | % Threshold | Description |
|---|---|---|
| Dependent | 0–40% | Initial controls. Significant jurisdictional and resilience gaps remain. |
| Managed Dependency | 41–70% | Core controls operational. Data localisation and access controls meet baseline. |
| Strategic Autonomy | 71–90% | Comprehensive controls active. Auditability, key management, and independence demonstrated. |
| Sovereign | 91–100% | Full posture. All critical controls met, tested continuity, minimal external dependencies. |
No weakest-link gate applies in Generalized mode. A single "no" on a strict EU criterion does not collapse the score. Fallback questions provide alternative routes to partial credit for CSI Composite Generalized assessments. They are CSI Composite-only and appear in the questionnaire only when the parent criterion is answered No — hidden otherwise. Active fallbacks: SOV-4-01-FB (personnel residency), SOV-4-03-FB (multi-homed BGP connectivity), SOV-4-09-FB (disconnect tabletop exercise), SOV-6-01-FB1 (local build capability), SOV-6-01-FB2 (documented exit and tested data export).
3.4 Framework Faithfulness & Criterion Attribution
The CSI question catalog is fully transparent about the relationship between each criterion and its source framework. EU-CSF v1.2.1 (§4) defines contributing factors — high-level principles per sovereignty objective — but does not specify assessment questions. Any tool based on EU-CSF must operationalize those factors into testable criteria; CSI documents every such design choice. BSI C3A v1.0, by contrast, defines explicit MUST/SHOULD requirements that are used verbatim or minimally paraphrased.
Every criterion carries one of three fidelity labels, visible as a coloured chip in the questionnaire interface below each question:
- Direct The question text is verbatim or minimally paraphrased from a named criterion or contributing factor in the source document. No substantive editorial judgment was required.
- Inferred The question operationalizes the intent of a source contributing factor, but the source document does not specify a testable criterion at this level of detail. CSI had to make a design choice to bridge the gap between a principle and a measurable control. The specific contributing factor and the reason for the derivation are documented inline in the questionnaire (tap the amber ▾ badge on any Inferred question to expand the rationale) and in the Decisions Register.
- CSI An editorial addition not present in either source framework. Used for LMIC fallback questions, AI-sovereignty criteria, and Generalized-variant adaptations where neither EU-CSF nor C3A provides a control but the underlying sovereignty objective still applies.
Why Inferred criteria are necessary
The 15 Inferred criteria in the EU-CSF questionnaire are not gaps in the framework — they are the unavoidable consequence of EU-CSF's design. EU-CSF §4 lists principles such as "Ensuring that bodies having decisive authority over your services are located within EU jurisdiction" or "Ease of migrating workloads or integrating with alternative EU-controlled solutions without vendor lock-in." These are principles, not questions. To build an assessment questionnaire consistent with EU-CSF, CSI must translate each principle into a specific, answerable criterion. Every such translation is documented so that assessors can judge whether they agree with the operationalization. If a contracting authority interprets a contributing factor differently, the fidelity rationale provides the reference point for comparison.
Attribution breakdown — instrument v2.2
| Framework questionnaire | Total criteria | Direct | Inferred | CSI addition |
|---|---|---|---|---|
| EU-CSF v1.2.1 | 55 | 37 (67%) | 17 (31%) | 1 (2%) |
| C3A v1.0 | 49 | 49 (100%) | 0 | 0 |
Full list of 15 Inferred EU-CSF criteria with derivation rationale
| Criterion | Title | Derived from EU-CSF contributing factor |
|---|---|---|
| SOV-1-02 | Registered Office | SOV-1: "bodies having decisive authority within EU jurisdiction" — registered office is the standard legal proxy for jurisdictional anchoring |
| SOV-2-02 | Audit Rights | SOV-2: "legal/contractual channels through which authorities could compel access" — audit rights are the customer-side enforcement mechanism; closest named CF is in SOV-7 |
| SOV-2-03 | State of Defense Takeover | SOV-2: "applicability of international regimes that may restrict usage" + SOV-1: "ability to sustain operations against suspension requests" — C3A defines the specific constitutional trigger |
| SOV-3-01-C1 | Data Residence — Transparency | SOV-3: "strict confinement to EU jurisdictions" — location transparency is the prerequisite for verifying confinement; not named separately in the CF |
| SOV-3-01-C5 | Data Residence — Provider Data | SOV-3: "strict confinement to EU jurisdictions" — provider operational data is not named explicitly but is subject to the same confinement principle |
| SOV-3-02-AC | External Key Management — SaaS | SOV-3: "only customer has effective cryptographic control" — extends the key-management principle to SaaS delivery, which EU-CSF does not distinguish by service type |
| SOV-3-03-C | External Identity Provider CSI | CSI editorial addition following C3A §2.3.3. EU-CSF does not name IdP integration as a contributing factor. The CSP can bypass the IdP at the infrastructure layer regardless of configuration; IdP provides identity portability and lock-in avoidance, which is an EU-CSF SOV-4 (portability/migration) concern, not a SOV-3 cryptographic-access concern. Included as a complementary sovereignty control. |
| SOV-3-03-AC1/2/3 | IdP — Open Standards / Stateless / Dynamic Claims | SOV-3: customer-controlled access — C3A-specific technical implementations; EU-CSF states the principle without specifying authentication architecture |
| SOV-3-04-AC1 | Logging — Real-Time Open API | SOV-3: "visibility into when, where, by whom data is accessed" — real-time API access is the technical implementation of that visibility |
| SOV-3-04-AC2 | Logging — Granular Filtering | SOV-3: "visibility into when, where, by whom data is accessed" — granularity is the operational prerequisite for meaningful auditability at scale |
| SOV-3-AI-01-AC | AI — Training Data Jurisdiction | SOV-3: "AI models developed, trained, hosted, governed under EU control" — training data jurisdiction is the prerequisite for verifying EU-controlled training; EU-CSF names the objective, this question operationalizes the disclosure needed to verify it |
| SOV-3-AI-02-AC | AI — Inference Location | SOV-3: "AI models hosted under EU control" — inference is the moment customer data is actively processed through the model; EU-CSF names the hosting/processing principle, this question requires contractual enforcement of in-EU inference |
| SOV-3-AI-03-AC | AI — Right to Opt Out of Training | SOV-3: "AI models governed under EU control, minimizing dependency on non-EU stacks" — customer opt-out ensures sovereignty over how data shapes model behaviour; the CF implies governance control but does not specify this mechanism |
| SOV-3-AI-04-AC | AI — Model Provider Control Chain | SOV-3: "minimizing dependency on non-EU technology stacks" — knowing the model provider's jurisdiction and ownership is the prerequisite for assessing whether the dependency constitutes a non-EU stack risk; EU-CSF names the risk, this question operationalizes the supply-chain disclosure |
| SOV-3-06 | Verifiable Data Erasure | SOV-3: "mechanisms guaranteeing irreversible removal of data, with verifiable evidence" — EU-CSF names this explicitly in the CF; this question operationalizes it as a specific evidence requirement (cryptographic proof, audited logs, or third-party attestation) |
| SOV-4-03 | Redundant Connectivity | SOV-4: "EU operators manage without non-EU vendor involvement" — connectivity is the network infrastructure prerequisite; not named as a CF |
| SOV-4-03-AC | Connectivity Independent of CSP Structure | SOV-4: operational independence — independence from the CSP's corporate structure reduces single-event concentration risk |
| SOV-4-04 | Security Operations Centre | EU-CSF places SOC under SOV-7 CF: "SOCs operating under EU jurisdiction" — placed under SOV-4 following C3A §2.4.4; see DR-E28 |
| SOV-4-05 | Ingress Data Control | SOV-4: "EU operators manage without non-EU involvement" — ingress gateways are the network-layer enforcement mechanism; not named in EU-CSF CFs |
| SOV-4-05-AC1/2 | Ingress — Physical Devices / Documentation | SOV-4: operational independence — C3A-specific implementation and disclosure requirements not present in EU-CSF |
| SOV-4-06 | Update Threat Analysis | SOV-4: "full technical documentation enabling long-term autonomy" — threat-aware update analysis is how autonomy is maintained against supply-chain attacks |
| SOV-4-07 | Data Exchange Monitoring | SOV-4: "operational support from within EU" — monitoring provides runtime verification that EU-bounded operations remain bounded |
| SOV-4-08 | Data Exchange Gateways | SOV-4: "EU operators manage without non-EU involvement" — gateways are the physical control points for cross-boundary data flows |
| SOV-4-08-AC | Gateways — DFD to Authority | SOV-4: "subject exclusively to EU legal frameworks" — regulatory disclosure to cybersecurity authorities is implied; not named in EU-CSF |
| SOV-4-09-AC | Disconnect — Documentation to Authority | SOV-4: "ease of migration" — documentation obligation implied by EU oversight but not named in EU-CSF contributing factors |
| SOV-5-01-AC | Software Dependencies — Risk-Based Process | SOV-5: "software origin and supply chain visibility" — risk process operationalizes the visibility principle as organisational governance |
| SOV-5-02-AC | Hardware Dependencies — Risk-Based Process | SOV-5: "hardware geographic source and dependency" — same rationale as SOV-5-01-AC; C3A specifies the process that EU-CSF implies |
| SOV-5-03-AC | External Service Dependencies — Documented Process | SOV-5: "visibility into supplier chain, audit rights" — documented management process operationalizes EU-CSF visibility principle |
| SOV-5-04 | Export Restriction | EU-CSF places export restrictions under SOV-2 CF: "international regimes restricting usage" — placed under SOV-5 following C3A §2.5.4 supply-chain classification |
| SOV-5-05 | Capacity Management | EU-CSF SOV-4 CF: "EU operators manage without non-EU involvement" — placed under SOV-5 following C3A §2.5.5; capacity decisions are a supply-chain capacity control |
| SOV-6-02-AC | Continuous Service Delivery — Engineering Capability | SOV-6: "transparency and adaptability" + SOV-4: "operational know-how enabling long-term autonomy" — post-disruption engineering capability extends source code sovereignty |
No Inferred criterion changes the scoring formula of its source framework. Inference applies only to the question design — the SEAL gate logic, the weights, and the pass/fail rules are all faithful to source. All derivation decisions are recorded in the Decisions Register (DR-E25 through DR-E29).
4. Scoring
4.1 EU-CSF Scoring
- Yes: full points, counts toward SEAL gate
- Partial: half points, does not satisfy the gate (EU-CSF §4)
- No: 0 points, does not satisfy the gate
- N/A: excluded from numerator and denominator
Weighted score: Score = Σ (Score(SOVₙ) / MaxScore(SOVₙ)) × Weight(SOVₙ) × 100
SEAL level per objective: highest level L such that ALL criteria with seal_contribution ≤ L are answered Yes. Overall SEAL = minimum across all objectives (weakest-link rule, EU-CSF §4).
Weights (from XLSX calculator): SOV-1 20%, SOV-2 10%, SOV-3 10%, SOV-4 15%, SOV-5 10%, SOV-6 15%, SOV-7 15%, SOV-8 5%.
4.2 C3A Scoring
- Yes: criterion met
- No / Partial: criterion not-met (partial counts as not-met — C3A is binary)
- N/A: excluded from applicable count
Output per objective: N criteria met out of M applicable → attainment band (see §3.2). No percentage is computed or shown.
AC criteria: only customer-selected ACs enter the applicable count. An assessment with no ACs selected reports no AC result.
Scope: SOV-1 through SOV-6 (SOV-7 and SOV-8 have no C3A questions).
4.3 CSI Composite Scoring
EU/EEA: Identical to EU-CSF (weakest-link gate, same weights, partial = half points, planned = 0 points).
Non-EU (Generalized) — Sovereignty Ladder
- Yes: full points
- Partial: 50% of question points
- Planned: 25% of question points — roadmap commitment with a documented timeline
- No: 0 points
- N/A: excluded from denominator
No weakest-link gate. Global tier derived from weighted percentage:
Score% = Σ (raw/max × weight) / Σ weight × 100
Tier = Dependent if <41%, Managed Dependency if 41–70%, Strategic Autonomy if 71–90%, Sovereign if ≥91%.
CSI Composite is an editorial framework. Its results do not constitute EU-CSF or C3A certification.
Evidence requirement for "Planned" answers: A "Planned" answer earns 25% of question points only when backed by a verifiable artefact — a board-approved roadmap document with a named milestone and target date, a signed project plan, an approved budget line, or a vendor contract with delivery date. "Planned" without a traceable artefact should be treated as "No" in any external review.
5. Tiered Criteria & Country Adaptation
BSI C3A defines criteria at two levels: bloc-level (EU) and national-level (Germany in the source document). The national tier is a strictly higher bar than the bloc tier — it applies to a specific member state rather than the EU as a whole.
Nesting rule: National tier ⊆ Bloc tier. A cloud provider that satisfies the national-level requirement automatically satisfies the bloc-level requirement. The reverse is not true.
Questionnaire flow for EU/EEA assessments with a country selected (EU-CSF and CSI Composite):
- The national tier question is shown first.
- If the answer is Yes → the EU-level requirement is auto-satisfied.
- If the answer is No, Partial, or N/A → the EU-level (bloc) fallback question is shown.
In C3A mode, each tier is an independent criterion — national and bloc tiers are scored separately with no auto-satisfaction. This is faithful to the C3A source (which lists national and EU variants as distinct requirements).
Text substitution: Geographic placeholders are resolved at render time.
{{COUNTRY}} → selected member state name.
{{BLOC}} → "EU" (EU-CSF) or country name (Generalized).
{{NATIONAL_ADMIN}} and
{{EMERGENCY_REGIME}} → country-specific values.
For a non-EU (Generalized) assessment these adaptations are applied identically in the questionnaire and in the result/report: a question carrying a Generalized variant is shown — and scored — with its adapted, jurisdiction-neutral wording in both places, and a criterion that is EU-industrial-policy-only is excluded from both. The on-screen report, the PDF, and the exported risk register never fall back to the EU-native phrasing for a non-EU country.
All adaptations are documented in the Decisions Register.
Variant Assignment — Known Boundary Cases
UK (post-Brexit): The United Kingdom is not an EU member state and is placed in the non-EU group, receiving the Generalized variant (maturity tiers) rather than the EU-CSF SEAL gate. UK-GDPR and NCSC frameworks are substantively equivalent to their EU counterparts, but UK law is not EU law. If a UK cloud provider is targeting EU procurement, they should run the EU-CSF framework explicitly — the tool supports framework selection independently of country.
Non-EU clients running C3A: BSI C3A (v1.0) is a German/EU standard designed for EU cloud procurement. Non-EU organisations may use it as an aspirational benchmark, but the output (binary pass/fail, no maturity tier) should be interpreted as "compliance with EU cloud autonomy requirements" — not a local certification. C3A covers only SOV-1 through SOV-6.
Score interpretation for non-EU assessments: CSI Composite scoring weights and questions were designed with EU cloud sovereignty regulations as the reference point. A non-EU provider's score measures alignment with EU sovereignty expectations — not their compliance with their own national framework. A Managed Dependency tier score does not imply insecurity; it means certain controls required by EU regulators have not yet been implemented.
Reversibility and Exit Readiness
Cloud sovereignty is closely linked to reversibility — the degree to which a customer can exit a provider without being technically or operationally stranded. The framework addresses this across two distinct dimensions.
Dimension 1 — Provider-side operational independence (well-covered by SOV-4 and SOV-6)
Can the provider keep operating if external connections or vendors are severed? These criteria verify there are no hidden dependencies that would force discontinuation:
| SOV-4-09 / SOV-4-10 | Can sever all non-EU network connections without service impairment; process documented and tested annually (contribution 3) |
| SOV-6-01 | Source code + build toolchain held locally (max 24 h old); can operate without any external dependency (contribution 4 — highest) |
| SOV-6-02 / AC | Documented contingency strategies if a third-party software vendor is lost; internal engineering capability to patch independently (contribution 3–4) |
| SOV-6-03 | Internal tooling and talent to maintain and update the platform without vendor dependency (contribution 3) |
Dimension 2 — Customer-side exit & portability (covered by SOV-3, SOV-5 and SOV-6)
Can the customer take their data and identities elsewhere, with contractual terms that make exit real? These criteria ensure the customer retains the technical and contractual means to leave with data intact:
| SOV-3-02-C | Customer holds encryption keys outside the provider — can exit with all keys intact (contribution 3) |
| SOV-3-05-C | Client-side encryption: only the customer can decrypt; maximum data independence (contribution 4) |
| SOV-3-03-C + AC1/2/3 | Identity lives outside the provider via open standards; stateless auth prevents account lock-in (contribution 2–3) |
| SOV-6 exit/portability | Tested data export in open, documented formats; standards-based API/data-plane portability conformance (e.g. OpenStack Powered / RefStack) (contribution 3–4) |
| CADA Art. 25 / erasure | Switching, notice, transitional and data-retrieval periods, plus verifiable erasure after exit (contribution 3–4) |
| SOV-5-01/02/03-AC | Documented architectural flexibility to substitute software, hardware, and services (contribution 3 — Additional Criteria) |
Who must act — supplier, internal, or inherent
Every finding in the report is tagged by who must act: Provider / contract (require it from the provider or negotiate a clause), Internal (a control your own organisation must build and operate), or Residual / inherent. This is derived, not hand-set — from the control archetype and the resolved operator of each layer — so the same reversibility gap is an internal engineering action on a self-run open-source stack but a supplier contract ask against a hyperscaler. The result page leads with a "What to do next" summary split into those tracks, surfacing model procurement-clause templates for the supplier track.
The Residual / inherent track exists because some criteria are a foregone outcome once scoping says the provider operates out-of-country. A provider outside the assessed jurisdiction will not submit to the national authority, be taken over by the state, resist its own home government, or relocate data, inference, source code, administration, or connectivity in-country. Rather than put these as questions you can only answer "no", the tool auto-scores them silently and lists them in the transparency panel — the question is suppressed, never the gap, so the score is unchanged and honest. In the report they appear as residual risk: not a contract clause (telling a hyperscaler to "base a connectivity provider in-country" is not negotiable), but something to close by moving that layer to an in-country/sovereign provider, or to formally accept and document. When the provider is in-country these same criteria are genuinely answerable, so they are asked normally.
What this framework does — and does not — do
The instrument assesses both the technical reversibility above and the contractual controls that make exit enforceable — data-return SLAs and formats, API portability, termination/notice/transitional periods, data-deletion obligations, and licensing-change notice + no-penalty termination rights (SWIPO TR05). Where a control is missing, the report lists the model procurement clause to require or the internal control to build.
What it does not do is audit your signed contract or negotiate on your behalf: it measures whether the provider has built the controls and tells you which clauses to demand, but confirming your executed agreement reflects them — and any exit fees specific to your deal — remains your responsibility. This is consistent with C3A §1.2: structural sovereignty is assessed; the final legal review is yours.
6. Layer Architecture
The control matrix uses a six-layer model (L1–L6) that maps to established cloud architecture frameworks. No other sovereignty framework splits exactly at L3/L4 or elevates Operations to L5 — both are sovereignty-specific distinctions justified by EU law. Do not conflate this with a generic NIST stack.
L1 – Facility · L2 – Hardware · L3 – Virtualization
Canonical infrastructure stack per NIST SP 500-292 (NIST Cloud Computing Reference Architecture) and ITU-T Y.3500 (Cloud computing — Overview and vocabulary). These three layers are common to every major cloud framework and form the IaaS foundation.
L3 / L4 split — IaaS vs Managed / PaaS
The split between L3 (IaaS virtualization fabric) and L4 (managed services / PaaS) is sourced to EU Data Act (Regulation 2023/2854) Art. 23 vs Art. 30: Art. 23 mandates functional equivalence and open-interface obligations for infrastructure services (IaaS — L3); Art. 30 applies weaker open-interface obligations to application services, explicitly recognizing that proprietary managed services (L4) carry a different — and typically heavier — reversibility risk. This is the authoritative EU-law basis for treating L3 and L4 as distinct sovereignty dimensions.
L5 – Operations (NOC/SOC / privileged access)
Operations is elevated to its own layer — rather than embedded in L3/L4 — because EU-CSF v1.2.1 §4 (SOV-4), C3A §2.4, and CADA Annex II L2(h) all treat personnel, privileged-access governance, and NOC/SOC jurisdiction as a distinct control vector. A provider can be EU-resident and hold EU-resident data while routing all privileged operations through a foreign NOC — L5 captures that gap. General security frameworks (ISO 27001, BSI C5) embed operations in access-control domains; sovereignty frameworks separate it because operational control is a distinct governance risk.
L6 – Consumption (workload criticality)
L6 is a scoping dimension, not a traditional infrastructure layer. It captures workload ownership, data classification, and criticality context — information that infrastructure frameworks do not address but that determines which sovereignty controls are actually relevant. A level 0 answer on an L6 question means "this layer applies to the client"; it does not indicate a sovereignty failure at L6 itself.
| Layer | Name | Framework alignment |
|---|---|---|
| L1 | Facility | NIST SP 500-292 · ITU-T Y.3500 |
| L2 | Hardware | NIST SP 500-292 · ITU-T Y.3500 |
| L3 | Virtualization (IaaS) | NIST SP 500-292 · EU Data Act Art. 23 (functional equivalence duty) |
| L4 | Managed / PaaS | EU Data Act Art. 30 (open-interface duty for application services) |
| L5 | Operations | EU-CSF v1.2.1 §4 SOV-4 · C3A §2.4 · CADA Annex II L2(h) |
| L6 | Consumption | Scoping dimension — workload criticality and data ownership context |
CSI presupposes that the security baseline (BSI C5:2026 or equivalent) is met. The control matrix does not re-assess security controls; it assesses sovereignty governance on top of a security foundation. The layered model is used in the scoping flow (scenario picker → refine → readback) to derive a control profile — who owns, operates, and supports each layer — which determines which risk predicates and procurement bridges are relevant for the assessment.
Archetype-driven relevance
A question is relevant to your assessment based on the facet of a layer it interrogates, never on a scenario label. Each layer has four facets — ownership, operation, dependency, location — with a sovereign baseline (client-owned, client-operated, self-supported open source, in-country). Any deviation is a risk surface, and each question is tagged to one or more archetypes that fire on a specific facet deviation:
| Archetype | Fires on | Asks |
|---|---|---|
| JURISDICTION | location ≠ in-country | foreign-law reach over the asset, staff, or data |
| PHYSICAL_CUSTODY | not client-owned | landlord / hardware-holder physical access |
| DATA_RESIDENCY_SERVICE | provider owns a data layer | provider-offered sovereignty controls (residency, KMS, IdP, logging, erasure) |
| THIRD_PARTY_OPERATION | operated by non-client staff | external operator: personnel jurisdiction, control, disconnect |
| REVERSIBILITY | licensed/proprietary software or provider ownership | can you self-patch a zero-day, fork, and migrate away? |
| SUPPORT_CONTINUITY | external software under licence/support | continuity if the vendor exits or changes licensing |
| SELF_SUFFICIENCY | self-supported OSS, client-operated | prove in-house capability to run, patch, and exit it |
The decisive distinction: ownership, operation, and location questions are ruled out when you control that facet — but reversibility questions are not. You can own and operate a platform and still be unable to patch a zero-day because the software is licensed. So a third-party-owned facility is treated as a physical custodian (landlord), not a cloud provider, and its data-residency / service questions vanish when you own the data layers — while reversibility questions follow the software dependency, independent of who owns the kit.
Hidden questions never hide a risk. When a question vanishes because it is out of scope, the questionnaire checks whether a structural sovereignty risk it maps to is still live for your declared profile. If so, that risk is recorded as a read-only finding with a locked score and its source-anchored rationale — never dropped. These findings are consolidated into a single “Structural findings from your scope” summary on the review page (one entry per risk, even when it spans several objectives), rather than repeated inline page by page. Only questions with no live risk for that facet (for example, jurisdiction questions hidden because the layer is in-country) fall away quietly. An invariant test guarantees that, across the reference deployment scenarios, no fired structural risk can become invisible.
Domain maturity radar. The result page plots an eight-axis radar of per-domain maturity across the SOV-1…SOV-8 objectives, complementing the single headline score and the per-layer control posture. Axes with no answered questions are drawn dashed and are not scored.
Profile-determined questions are answered for you. Some questions ask a fact your declared infrastructure already fixes — whether the provider is under your jurisdiction, whether data is resident in-country, where operating staff sit. Putting these to you is needless friction (and, for a self-operated deployment, would ask about "the provider" when there is none). They are instead derived from your control profile, answered automatically, and listed in full on the review page ("Answers set by your declared infrastructure") with the reason for each and an override control. These derived answers count toward your score exactly like a typed answer — so a foreign provider cannot raise its score simply by not being asked the questions it would fail, and an in-country deployment is credited for the residency it genuinely has. Only pure facts are derived this way; anything that depends on a provider's offering, a process, or a commitment (key management, client-side encryption, audit cooperation, exit drills) is always asked.
Every amendment is auditable. Where this tool re-words a source criterion to fit your context, each question carries a collapsible "Original source wording" revealing the verbatim source sentence beneath its source reference.
The CSI headline is weakest-link gated. The CSI Composite reports two numbers: a readiness % (weighted coverage of what you've implemented) and a maturity tier (Dependent → Sovereign). The tier is gated by the weakest sovereignty domain: a domain at the lowest assurance level (CSL 0–1) caps the headline, so a high coverage % cannot read "Strategic Autonomy" while a domain is still "Dependent". The result page lists those blocking objectives — raising them is what lifts the gate. SOV-8 (environmental/ESG) is excluded from the gate, as it does not bear on sovereignty attainment. CSI levels are reported as CSL (Cloud Sovereignty Level), never SEAL — SEAL is an EU-CSF concept.
7. Sources
BSI C5:2026 (Cloud Computing Compliance Criteria Catalogue) is a cloud security standard published by the German Federal Office for Information Security (BSI). It is presupposed by this instrument but is not a source for CSI questions or scores. In Generalized (non-EU) assessments, questions that reference C5:2026 controls display simplified plain-language text; the original C5 clause reference is available in the question guidance. These are sovereignty criteria that cite C5 clauses for traceability — they are not security questions imported from C5. C5 is the provenance reference for those clause numbers, not an additional scoring dimension. See: BSI C5 Catalogue.
8. Limitations
This is a self-assessment instrument, not a certification. Per C3A §1.1: "The C3A Framework is not binding in itself." The score is an indicative measure. Results depend on the accuracy and honesty of responses. No liability is accepted for decisions made based on assessment results.
Sovereignty is one axis, assessed assuming a security baseline — read the score that way.
Sovereignty ≠ security. This instrument scores sovereignty (control × jurisdiction per layer) and presupposes a security baseline (BSI C5:2026 or equivalent) that it does not verify. Security and operational maturity are assumed, not assessed. A mature external provider may be materially more secure, available, and resilient than an in-house build, so a low sovereignty score is not a verdict on safety. It must be complemented by a security/risk assessment (ISO 27001, SOC 2, BSI C5), which weighs the same decision on different axes and can point the opposite way — toward the external provider.
In-country / in-house is not automatically sovereign. The model does not reward localisation per se: supply-chain origin (SOV-5, the heaviest objective) and continuity under coercion (SOV-7) gate a self-built solution exactly as hard as a foreign one. A local operator running foreign hardware and non-exitable foreign licences scores low — location is not control.
Sovereignty is a deliberate, outcome-based tradeoff, not a maximisation target. Consistent with the World Bank's outcome-based view (Wong, Ng, Reynolds, Satola & Anthony, Moving toward an outcome-based approach for digital sovereignty, June 2026), blanket data localisation carries real cost (the World Bank cites OECD evidence of 15–55% higher hosting cost, especially for SMEs) and does not by itself create accountability, which also depends on regulatory and enforcement capacity. The instrument therefore treats accept-and-govern as a first-class outcome: a structural (inherent) gap surfaced against a foreign provider is a risk-based choice to make consciously per the workload's sensitivity — not a defect the tool expects every deployment to close.
- Fallback question scoring: Fallback questions (SOV-4-01-FB, SOV-4-09-FB) are hidden in the web questionnaire unless the parent criterion is answered No. If an XLSX import includes answers to fallback questions when the parent is already answered Yes, both are scored — this is intentional (a provider meeting the strict criterion inherently satisfies the fallback) and cannot unfairly inflate scores. Mechanically: unanswered questions are excluded from both numerator and denominator entirely (the scoring engine skips them). When parent=Yes and the FB question also has an answer, both contribute points — but the denominator increases by the same max_score, so the percentage ratio is unchanged. The FB question also carries a lower seal_contribution than its parent, so parent=Yes already satisfies the FB SEAL gate — no gate inflation is possible.
- "Planned" answer: 25% credit is available only in CSI Composite Generalized mode. It must be backed by a documented artefact. In EU-CSF and C3A modes, "Planned" scores as 0. Roadmap commitments do not satisfy compliance certification requirements.
- UK and post-Brexit jurisdictions: UK assessments use the Generalized variant. UK-equivalent standards (UK-GDPR, NCSC) are not automatically mapped to EU-CSF criteria.
- Per-objective progression: The "points to next tier" indicator is global only. Per-objective progression guidance is not yet available.
- Data export and contractual portability: The tool measures whether the technical sovereignty controls enabling exit are in place (encryption key ownership, source code backup, architectural substitutability), but does not assess contractual terms governing data return format, timelines, exit fees, or switching costs. Procurement due diligence should cover both dimensions. See the Reversibility and Exit Readiness callout in §5 for the full mapping.