Cloud Sovereignty Index

Methodology

Instrument v1.0

1. Overview

The Cloud Sovereignty Index (CSI) is a structured self-assessment instrument for evaluating the sovereignty posture of cloud services. It is based on the EU Cloud Sovereignty Framework (EU-CSF) v1.2.1 and BSI Criteria Enabling Cloud Computing Autonomy (C3A) v1.0.

2. Objectives & Weights

SOV-1
Strategic Sovereignty
15%
SOV-2
Legal & Jurisdictional Sovereignty
10%
SOV-3
Data Sovereignty
10%
SOV-4
Operational Sovereignty
15%
SOV-5
Supply Chain Sovereignty
20%
SOV-6
Technology Sovereignty
15%
SOV-7
Security & Compliance
10%
SOV-8
Environmental Sustainability
5%

3. SEAL Levels

0
No Sovereignty
Service, technology or operations under exclusive control of non-EU third parties, governed entirely in non-EU jurisdictions.
1
Jurisdictional Sovereignty
EU law formally applies with limited practical enforceability; service, technology or operations under exclusive control of non-EU third parties.
2
Data Sovereignty
EU law applicable and enforceable, with material non-EU dependencies remaining; service, technology or operations under indirect control of non-EU third parties.
3
Digital Resilience
EU law applicable and enforceable, EU actors exercising meaningful but not full influence; service, technology or operations under marginal control of non-EU third parties.
4
Full Digital Sovereignty
Technology and operations under complete EU control, subject only to EU law, with no critical non-EU dependencies.

4. Scoring

Each question carries a point value and a SEAL contribution level (1–4).

  • Yes: full points awarded, counts toward SEAL
  • Partial: half points, does not count toward SEAL
  • No: 0 points, does not count toward SEAL
  • N/A: excluded from numerator and denominator

The weighted score formula is: Score = Σ (Score(SOVₙ) / MaxScore(SOVₙ)) × Weight(SOVₙ) × 100

SEAL per objective: the highest level L such that ALL criteria with seal_contribution ≤ L are answered Yes (weakest-link rule, per EU CSF §4).

5. Tiered Criteria & Country Adaptation

BSI C3A defines criteria at two levels: bloc-level (EU) and national-level (Germany in the source document). The national tier is a strictly higher bar than the bloc tier — it applies to a specific member state rather than the EU as a whole.

Nesting rule: National tier ⊆ Bloc tier. A cloud provider that satisfies the national-level requirement (e.g., "data stored in France") automatically satisfies the bloc-level requirement ("data stored in the EU"). The reverse is not true.

Questionnaire flow for EU/EEA assessments with a country selected:

  1. The national tier question is shown first (e.g., "…stored in France").
  2. If the answer is Yes → the EU-level requirement is auto-satisfied. Only the national tier is scored; no further question is shown for that criterion.
  3. If the answer is No, Partial, or N/A → the EU-level (bloc) fallback question is shown immediately below. The respondent can still satisfy the EU-level requirement independently. Both tiers are scored at their respective levels.

Scoring of tiered criteria:

  • National = Yes → national tier points and SEAL contribution counted; bloc tier auto-credited for SEAL at the lower contribution level (no double-counting of points).
  • National = No/Partial, Bloc = Yes → bloc tier points and SEAL contribution counted at the bloc level. National tier scored as answered (0 or half points).
  • Both = No → 0 points for both tiers.

Text substitution: Geographic placeholders are resolved at render time. {{COUNTRY}} → selected member state name (e.g., "France"). {{BLOC}} → "EU" (EU-CSF variant) or the country name (Generalized variant). {{NATIONAL_ADMIN}} and {{EMERGENCY_REGIME}} → country-specific values from the methodology dataset.

All adaptations and substitutions are documented in the Decisions Register.

6. Sources

Cloud Sovereignty Framework
European Commission, DG Digital Services · v1.2.1 · 2025-10
Criteria enabling Cloud Computing Autonomy
BSI · v1.0 · 2026-04-27

7. Limitations

This is a self-assessment instrument, not a certification. Per C3A §1.1: "The C3A Framework is not binding in itself." The score is an indicative measure. Results depend on the accuracy and honesty of responses. No liability is accepted for decisions made based on assessment results.