Cloud Sovereignty Index / Methodology / Decisions Register

Decisions Register

Every deviation from the source frameworks is documented here. 94 entries.

DR-S01 substitution pending-external-review

C3A's national tier is structurally generic; only the country name is Germany-specific in these criteria. The semantic content (jurisdiction, residence, control, residency, SOC location, capacity management) applies identically to any EU member state. Substitution preserves the criterion's intent without modification.

Authority: Editorial. Supported by C3A §1.2's framing of the catalogue as adopting EU CSF structure across member states.

DR-S02 substitution pending-external-review

EU CSF and C3A both anchor on EU as the trusted bloc. For non-EU users this anchor is not meaningful. The Generalized variant lets users define their own trusted bloc to preserve the framework's structure while being honest that the reference point has changed.

Authority: Editorial. The EU CSF does not contemplate non-EU users; this is an extension governed by DR-E01.

DR-A01 adaptation pending-external-review

C3A's German tier names the German federal administration as the auditing authority. Other EU member states have analogous national-level administrations but with different names and constitutional structures (federal vs unitary, central vs decentralised). The criterion's intent — that a national-level public administration can audit the provider — is universal; the institutional label varies. Where a country has multiple potential auditing bodies, the most common 'central administration' framing is used.

Authority: Editorial. Each country's specific administration name should ideally be reviewed by a national legal expert before locking the language.

DR-A02 adaptation pending-external-review

C3A encodes a Germany-specific constitutional concept (Verteidigungsfall). The criterion's intent — enabling national takeover of cloud operations during a national emergency — is universal across EU member states, but the legal trigger varies substantially. Some countries have multi-tier regimes (Spain, Poland), some have unitary regimes (France's état d'urgence), and some lack a directly equivalent concept. We preserve the intent and substitute each country's analogous regime, listing the closest constitutional anchor.

Authority: Editorial. The mapping of national emergency regimes is based on publicly available constitutional law summaries and should be reviewed by national legal experts before being locked. Countries marked '_default_for_others' need bespoke review.

DR-A03 adaptation pending-external-review

C3A's national tier raises the residency requirement (Germany) but keeps the citizenship requirement at EU level. This is a deliberate design choice in C3A: personnel sovereignty is a two-axis concept (citizenship + residency), and the national tier escalates only one axis. We preserve this structure rather than tightening citizenship to the chosen country, because that would be a stricter requirement than C3A's German tier itself imposes.

Authority: Editorial. This is a faithful reading of C3A §2.4.1; we make it explicit because users may otherwise expect both axes to escalate.

DR-A04 adaptation pending-external-review

C3A's informative references to BSI publications make sense for German users but are unhelpful for users in other countries who have their own national security frameworks. We retain the BSI references for honesty about the source, and add country-specific equivalents to be useful. This is informative only — does not affect scoring.

Authority: Editorial. The list of national equivalents should be expanded as users from additional countries provide feedback.

DR-D01 derivation pending-external-review

Neither source assigns SEAL levels to specific criteria. To compute SEAL per objective, we must derive a mapping. The mapping is anchored in CSF §3's definitions: SEAL-1 = formal jurisdictional sovereignty, SEAL-2 = data sovereignty with material non-EU dependencies, SEAL-3 = digital resilience with marginal non-EU control, SEAL-4 = full sovereignty with no critical non-EU dependencies. Each C3A criterion is mapped to the SEAL level that, if that criterion fails, the objective cannot reasonably be claimed to have reached.

Authority: Editorial. This is the single largest derivation in the instrument and the most important one to subject to external review.

DR-D02 derivation pending-external-review

CSF §5 references 'points allocated to the question proposed in the tender' but does not specify them — this is left to each tender. Since this instrument is not a specific tender, we assign default point values that produce reasonable intra-objective weighting. Because the CSF formula divides by Max.Score, the absolute point values cancel out at the objective level; only relative differences between questions within the same objective affect the score.

Authority: Editorial. Low-impact derivation due to the normalization in CSF §5's formula.

DR-D03 derivation pending-external-review

CSF §4 mandates that weaknesses lower the assurance level but doesn't specify the exact aggregation rule. The strictest interpretation — weakest-link — best matches the framing of SEAL as a 'minimum assurance level' (CSF §1: 'tenders that do not offer the required minimum levels of assurance consistently across all objectives will be rejected'). A claim of 'SEAL-3' must mean every requirement up to and including level 3 is satisfied; otherwise the claim is false.

Authority: Editorial, but tightly constrained by CSF §4 and §1's 'minimum assurance' framing.

DR-D04 derivation pending-external-review

Pure UX choice. Unbanded percentages are hard to interpret at a glance. The thresholds are calibrated so most realistic providers fall into Moderate or Strong, with Limited reserved for providers with multiple structural sovereignty deficits and Full reserved for providers achieving near-complete sovereignty.

Authority: Editorial. UX-only.

DR-D05 derivation pending-external-review

Real cloud services often partially meet a criterion (e.g., key management is offered for IaaS but not SaaS). A binary yes/no forces users to answer 'no' for partial cases, understating actual sovereignty. The score handles this gracefully via half-points; SEAL cannot, because SEAL is by design a binary gate (you either meet a level or you don't). This split treatment preserves both: granular scoring AND strict gating.

Authority: Editorial. Design choice for self-assessment honesty.

DR-X01 exclusion endorsed-by-source

C3A itself anchors these two criteria at EU level only, with no German national tier. The Disconnect criterion is about cutting non-EU connections (which is meaningful at bloc level but not national level — disconnecting from other EU countries makes no sense). The Source Code Availability criterion requires backup in the EU (which is meaningful at bloc level for resilience). We preserve C3A's design rather than inventing a national tier where the source doesn't have one.

Authority: Faithful to C3A.

DR-X02 exclusion pending-external-review

C3A explicitly excludes SOV-7. CSF includes it. To produce a complete 8-objective assessment matching CSF's structure, we need SOV-7 questions; we derive them from CSF's contributing factors directly.

Authority: Faithful to both sources.

DR-X03 exclusion pending-external-review

Same logic as DR-X02: C3A explicitly excludes the objective; CSF includes it; we use CSF directly.

Authority: Faithful to both sources.

DR-E01 extension pending-external-review

Non-EU companies running the unmodified EU CSF assessment would mechanically score near zero on jurisdiction, control, and personnel criteria, even with excellent national sovereignty. This is unhelpful and dishonest. The Generalized variant preserves the methodology while being explicit that the reference frame is the user's jurisdiction. It is presented as a *derived* framework, not as the EU CSF itself.

Authority: Editorial. Not endorsed by either source. Documented as a derived framework in the user-facing methodology.

DR-E02 extension pending-external-review

Disconnect-style criteria require a definition of 'inside vs outside' the trusted zone. EU users have this defined automatically (the EU). Non-EU users must define it explicitly, since 'their bloc' might be national, regional (EFTA, CPTPP), or alliance-based (Five Eyes). Forcing them to use EU as the bloc would be incoherent.

Authority: Editorial. Required by DR-E01.

DR-E03 extension pending-external-review

Self-assessment without evidence handling is too easy to game. Adding optional evidence and explicit unsupported-claim flags lets the user be honest about what's substantiated. A buyer reviewing the report can prioritize verifying unsupported claims.

Authority: Editorial. Not in source but consistent with both sources' emphasis on 'verifiable criteria' (C3A §1.1) and 'supporting evidence' (CSF §1).

DR-D06 derivation pending-external-review

A persistence layer creates two obligations: bound storage growth and bound residual privacy risk from data hoarding. 12 months balances institutional procurement cycles (some procurement processes run 6+ months end-to-end, so a TTL shorter than that would frustrate legitimate users) against not retaining assessment data indefinitely. The TTL refreshes on every write, so an actively-used assessment is never deleted out from under a user.

Authority: Editorial. Operational policy choice.

DR-E05 extension pending-external-review

Pattern A (browser-only state) was the v1 default but had two serious limitations: no multi-device resume without download/upload friction, and no shareable result links. For an instrument intended to be cited and shared in institutional contexts (procurement teams, multilateral banks), these were real costs. Pattern B trades architectural privacy (no data on a server) for policy-enforced privacy (data on a server, but with no identifying information attached and a published code path that anyone can audit). The trade-off is acknowledged on the privacy page.

Authority: Editorial. Operational and UX choice. Audited via published Worker source code.

DR-E06 extension pending-external-review

A research tool gains citation strength from a usage corpus over time. Pattern A made this impossible; Pattern B makes it trivial. An opt-in approach with full disclosure preserves user privacy while building a public dataset that itself becomes a research artifact ('Cloud Sovereignty Index Public Corpus, vintage 2026-Q4'). Default-off and full-disclosure are non-negotiable: users must affirmatively choose to contribute, and must know exactly what's contributed.

Authority: Editorial. Audited via published Worker source code (the anonymization is enforced by the public_corpus VIEW in D1, which strips company_name, answers, evidence, and timestamp precision).

DR-A05 adaptation pending-external-review

The original phrasing 'non-[BLOC] law' is too broad and becomes meaningless for non-EU countries (e.g., 'non-Laos law'). The criterion's intent is to identify laws from a third jurisdiction — neither the provider's nor the customer's — that could compel adverse action. Examples: US CLOUD Act applying to US-headquartered providers serving non-US customers; export control laws restricting hardware supply. The rewrite makes this intent explicit without changing the scoring weight or SEAL contribution.

Authority: Editorial. Scope: global. No change to scoring weight or SEAL level.

DR-A06 adaptation pending-external-review

The C3A source references 'German federal administration' as the auditing authority. DR-A01 already generalised this for EU countries via national_admin_label. The same fix applies globally: non-EU countries also have a national_admin_label in countries.json (e.g. Laos → 'Lao PDR Government'). Using {{NATIONAL_ADMIN}} unifies the treatment and avoids the incorrect 'federal administration' label for unitary states (e.g. Laos, France, Japan). Fallback for countries without a defined label: 'the competent national authority'.

Authority: Editorial. Scope: global. No change to scoring weight or SEAL level.

DR-A07 adaptation pending-external-review

The EU-CSF two-tier model (national → bloc fallback) reflects EU two-level governance: satisfying a national law (Germany) implies compliance with the supranational law (EU). Outside the EU, there is no supranational bloc. For Generalized variant, {{BLOC}} resolves to the country name, making national and bloc tiers identical questions about the same jurisdiction. The fix is to suppress the bloc cascade for Generalized variant when a country is selected. This also prevents duplicate entries in the priority improvements gap report.

Authority: Editorial. Scope: Generalized variant only. EU-CSF tier cascade is unchanged.

DR-A08 adaptation pending-external-review

ENISA-recognised schemes apply only within the EU. ISO 27001 is globally applicable; outside the EU, equivalent recognised certifications include SOC 2 Type II, ISO 27017, or nationally recognised schemes. The rewrite preserves the criterion's intent (documented security controls under a recognised framework) while removing an EU-specific authority reference.

Authority: Editorial. Scope: global. No change to scoring weight or SEAL level.

DR-A09 adaptation pending-external-review

GDPR applies only to EU/EEA data subjects. For Generalized variant, the equivalent is the applicable national data protection law (e.g. PDPA in Thailand, PIPL in China, PDPB in India). The rewrite acknowledges GDPR for EU context while generalising to any national equivalent, keeping the criterion meaningful for all jurisdictions.

Authority: Editorial. Scope: global. No change to scoring weight or SEAL level.

DR-A10 adaptation pending-external-review

NIS2 is EU-specific legislation. The criterion's intent is compliance with whichever mandatory cybersecurity and incident reporting regime applies in the customer's jurisdiction. The rewrite names NIS2 as the EU example while opening the criterion to equivalent national frameworks (e.g. Cyber Security Act in Singapore, CIRCIA in the US), avoiding a forced N/A for all non-EU customers.

Authority: Editorial. Scope: global. No change to scoring weight or SEAL level.

DR-A11 adaptation pending-external-review

DORA is EU-specific legislation for financial entities. The underlying intent is compliance with whichever ICT third-party risk management regime applies in the relevant financial sector jurisdiction. The rewrite names DORA as the EU example while generalising to equivalent national frameworks (e.g. MAS TRM Guidelines in Singapore, SR 13-19 in the US), consistent with the approach taken for NIS2 in DR-A10.

Authority: Editorial. Scope: global. No change to scoring weight or SEAL level.

DR-A12 adaptation pending-external-review

Same rationale as DR-A06: the C3A source uses 'German federal administration' because Germany is a federal state. This is incorrect for unitary states (e.g. Algeria, France, Laos). Using {{NATIONAL_ADMIN}} resolves to the correct national authority label per country. The supplementary_info was also updated to remove the word 'federal' for the same reason.

Authority: Editorial. Scope: global. No change to scoring weight or SEAL level.

DR-E07 evidence pending-external-review

A Yes answer with no supporting evidence reference has limited value in a customer–provider dialogue. The evidence columns operationalise C3A §1.1's 'verifiable criteria' framing and EU-CSF §1's 'supporting evidence' framing. The evidence_type dropdown enables downstream analysis of evidence quality distribution across providers without requiring scoring engine changes.

Authority: Editorial. Scope: XLS export and future report display only. No change to scoring engine, weights, methodology, or data schema in the stored assessment.

DR-E11 extension endorsed-by-source

Without an explicit scope statement, users may expect the tool to assess security controls broadly. The scope note prevents misinterpretation and clarifies why C5 controls are absent from the questionnaire.

Authority: Faithful operationalization of C3A §1.2 presupposition. Supersedes DR-E04.

DR-E12 extension pending-external-review

A CSP may need to demonstrate compliance against multiple frameworks simultaneously. Combining results would mislead; independent outputs per mode are the honest design. A user wanting only EU-CSF SEAL should not see CSI Composite results conflated with it.

Authority: Editorial. Both EU-CSF and C3A are source-faithful when run independently.

DR-E13 extension endorsed-by-source

C3A §1.3 explicitly requires pass/fail evaluation. Offering partial credit would deviate from the source standard and produce results incompatible with a real C3A audit.

Authority: Source-faithful. C3A §1.3.

DR-E14 derivation pending-external-review

C3A does not define a numeric aggregation method, but 'pass/fail per criterion' implies a percentage of criteria met as the natural summary statistic. This is the simplest faithful aggregation.

Authority: Derivation from C3A §1.3–1.4. Disclosed as editorial derivation.

DR-E15 extension pending-external-review

C3A §1.4 requires the customer to select which ACs apply before the assessment. The AC catalog is verbatim from C3A §2.x. Without cataloging ACs, the C3A mode would be incomplete.

Authority: Source-faithful extraction from C3A §2.1–§2.6. Text is verbatim or close paraphrase from C3A source.

DR-X04 exclusion endorsed-by-source

C5:2026 has 168 controls. Selecting 5 created a misleading framing. Per the v2.0 design: 'C5 is presupposed, not a CSI source.' The scope statement (DR-E11) replaces the Track B panel. All 5 removed questions were CSI editorial, not sourced verbatim from EU-CSF or C3A.

Authority: Editorial removal. Consistent with the scholar-faithful design principle of v2.0.

DR-E16 extension stable

The SEAL weakest-link gate is calibrated for EU procurement compliance. For global organisations it creates a cliff effect — a single 'no' on an EU-specific criterion collapses the whole score, obscuring genuine progress. The maturity model reflects incremental sovereignty improvements while preserving the strict EU-CSF and C3A frameworks unchanged. Developed markets (e.g. Japan, South Korea) with mature controls will naturally score Advanced or Pioneering without any special-casing.

Authority: CSI Editorial Board

DR-E17 extension stable

Showing fallback questions unconditionally adds noise for providers that meet the primary criterion. Conditional display reflects their intent: they are alternatives of last resort. text_generalized avoids surfacing German-standard references (C5:2026) to non-EU users for whom the standard is irrelevant, while keeping source fidelity for EU/EEA assessments.

Authority: CSI Editorial Board

DR-E18 exclusion stable

Including a question referencing 'standalone European organisation' in a non-EU CSI Composite assessment would confuse and mislead non-EU clients. The question provides no scoring signal for a CSP headquartered outside Europe. C3A is the appropriate scope for this criterion.

Authority: CSI Editorial Board

DR-E19 extension stable

Enables direct cross-reference between XLSX rows and source framework criterion IDs without manual lookup. Supports external audit and procurement workflows.

Authority: CSI Editorial Board

DR-E20 exclusion stable

C3A fidelity requirement. v2.0 IDs were sequential CSI editorial IDs that diverged from C3A source numbering, preventing direct auditor cross-reference to the BSI document.

Authority: CSI Editorial Board

DR-E21 extension stable

C3A §2.3.1 defines five criteria (C1-C5). Inclusion of all five criteria is required for complete coverage of the C3A §2.3.1 provider data residence requirement.

Authority: CSI Editorial Board

DR-E22 extension pending-external-review

EU CSF v1.2.1 SOV-3 is titled "Data & AI Sovereignty" and lists AI pipeline governance as a contributing factor. C3A predates the EU AI regulatory landscape. CSI Composite v2.1 adds these as ACs so EU/EEA and LMIC clients can voluntarily assess AI sovereignty posture.

Authority: CSI Editorial Board

DR-E23 extension pending-external-review

"State of defense" is a German constitutional concept (GG Art. 115a) inapplicable in most LMIC legal frameworks. Non-EU organisations need an equivalent sovereignty test for emergency-powers takeover readiness.

Authority: CSI Editorial Board

DR-E24 extension pending-external-review

C3A SOV-4-03 and SOV-6-01 assume market conditions (multiple independent ISPs; source code held locally) that do not obtain in many LMIC markets, particularly for resold hyperscaler services.

Authority: CSI Editorial Board

DR-E25 derivation stable

C3A Additional Criteria (c3a_tier='additional') rows carry applies_to_eu_csf=false because they are C3A-specific extensions with no equivalent EU-CSF contributing factor. Consequently seal_contribution_eu_csf is absent for these rows. The absence is intentional, not an omission: these criteria do not participate in the EU-CSF SEAL weakest-link gate. They do participate in the CSI Composite SEAL gate (seal_contribution_csi is populated) when selected as part of a C3A or CSI Composite assessment. AI Additional Criteria (SOV-3-AI-xx-AC) are the counter-example: they apply_to_eu_csf=true and therefore carry both seal_contribution_eu_csf and seal_contribution_csi.

Authority: CSI methodology

DR-E26 derivation stable

Sovereignty authorities evaluate binary operational viability, not continuous improvement scores. A provider with excellent supply-chain controls but no legal insulation from foreign law, no data jurisdiction guarantee, or no tested disconnect capability cannot meaningfully claim sovereignty — regardless of overall criterion count. The six Layer A criteria (SOV-2-01 extraterritorial legal exposure, SOV-2-02 audit rights, SOV-2-03 state-of-defense takeover, SOV-3-01 customer data jurisdiction, SOV-4-09 disconnect capability, SOV-4-10 reconnect capability) represent the minimum structural set for that claim. Failure in any answered (non-n/a) Layer A criterion overrides the global attainment band to Not Attained.

Authority: CSI methodology

DR-E27 derivation stable

For LMIC and non-EU contexts, the sovereignty progression is most usefully described as an operational trajectory: many organisations can realistically achieve strategic operational autonomy before full technological sovereignty. The four tiers — Dependent, Managed Dependency, Strategic Autonomy, Sovereign — communicate what each level means for operational sovereignty rather than using generic maturity language. Thresholds: 0–40% / 41–70% / 71–90% / 91–100%.

Authority: CSI methodology

DR-E28 adaptation pending-external-review

SOV-4-04 (Security Operations Centre) follows C3A §2.4.4 in classifying SOC operations as an Operational Sovereignty (SOV-4) criterion. EU-CSF v1.2.1 §4 places the equivalent contributing factor under SOV-7 (Security & Compliance). CSI retains C3A's placement because: (1) SOC as an operational continuity control is structurally coherent under SOV-4; (2) dual-categorisation would inflate SOV-7 scores for assessors using C3A or CSI Composite modes; (3) the EU-CSF fidelity label on SOV-4-04 is 'inferred' with a rationale directing readers to the SOV-7 CF origin. Assessors running pure EU-CSF mode should note that SOV-4-04 contributes to SOV-4 scoring, not SOV-7.

Authority: Editorial

DR-E29 extension pending-external-review

Five new questions added to close EU-CSF v1.2.1 §4 contributing-factor gaps identified by source comparison: SOV-1-05 (EU financing and investment anchoring), SOV-1-06 (EU strategic initiative alignment), SOV-1-07 (operational resilience against coercion), SOV-2-04 (IP jurisdiction), SOV-6-04 (EU HPC independence). These contributing factors were explicitly named in EU-CSF §4 but had no corresponding testable criterion in the v2.0/v2.1 catalog. All five carry eu_csf_fidelity=direct and applies_to_c3a=false, as C3A v1.0 §2 does not address these areas.

Authority: Source-faithful

DR-L1 adaptation stable

LMIC mode introduces two orthogonal scoring axes (autonomy and assurance) instead of a single score. Axis-assignment table: autonomy axis = questions tagged lmic_axis autonomy or both (P1 ownership, P2 jurisdiction, P5 stack substitutability, P6 reversibility); assurance axis = questions tagged lmic_axis assurance or both (P7 payment/continuity, P4 resilience, P8 security, P1 staff capability). SOV-5-08-LMIC and SOV-9-01 tagged both. SOV-8 sustainability set and disclosure-only items tagged none. Full axis assignment of ~34 existing recycled questions awaits csi-lmic-sourcing-map.md.

Authority: Plan v3 locked design decision 2

DR-L2 evidence stable

Tier B of the SOV-5-08-LMIC support substitutability ladder requires a control-plane rebuild runbook that has been exercised (evidence_status: demonstrated on SOV-5-08-EV3). An unexercised runbook is paper reversibility. This gate mirrors the tested-exit standard that EBA/GL/2019/02 §15 and DORA Art. 28(8) expect for critical outsourcing exits. Vendor claims explicitly excluded per locked design decision 4.

Authority: Plan v3 locked design decision 1; maintainer decision 2026-06-11

DR-L3 adaptation stable

Upper stack-autonomy rungs (SOV-6-03, SOV-6-01, SOV-5-07-CADA) contribute points to the autonomy axis ONLY when autonomyRungsUnlocked() returns true. Predicate requires: (1) tested exit plan (SOV-6-12-LMIC), (2) viable provider (SOV-9-05-LMIC), (3) at least one support path (SOV-5-08-EV1 or SOV-5-08-EV3), and (4) local staff ratio >= LOCAL_STAFF_FLOOR_PCT (30%). When locked, rung questions are excluded from both numerator and denominator — not penalized twice.

Authority: Plan v3 locked design decision 3

DR-L4 adaptation stable

A SOV-5-08-LMIC resolved Tier C forces the exit time band to at minimum medium (4-10 months) regardless of other inputs. Tier C means re-platforming is required or no documented rebuild path exists — this is the technically-unfeasible exit scenario covered by Data Act Art. 25(4). See data/exit-bands.json and DR-L10 for band derivation.

Authority: Plan v3 Phase 4.2; DR-L10

DR-L5 adaptation stable

If SOV-5-09-LMIC is answered no (customization drift breaks API conformance or OSS currency not maintained), the SOV-5-08-LMIC ladder tier is capped at C regardless of other gates. The Tier B premise is that workloads port via standards-based APIs; if the operators customizations break that conformance, the portability promise is void. This cap is applied post-resolveLadderTier in scoreLmic() with a report annotation. Implementation note: the tier cap triggers on SOV-5-09-LMIC answered no as a whole; clause (c) (API-conformance breakage) is not separately answerable in the current single-question form. Revisit if SOV-5-09 is ever split.

Authority: Plan v3 §3.1 additional rule; maintainer decision 2026-06-11

DR-L6 adaptation stable

World Bank Procurement Regulations 7th ed. §5.54 formally governs works contracts under international competitive procurement. It is cited by analogy for cloud operations staffing in SOV-1-11-LMIC and SOV-1-12-LMIC, with EU-CSF §4 SOV-4 contributing factor 3 as the primary criterion source. The analogy is stated in the question rationale and UI disclosure. The Banks own regulations (7th ed.) impose a local-labor minimum and contemplate Rated Criteria for skills development in works procurement; the same Bank-endorsed mechanism is applied here to cloud services.

Authority: Anchor verification addendum; maintainer decision 2026-06-11

DR-L7 adaptation under-review

The OpenStack Powered guideline vintage used as the Tier B portability anchor is 2020.11 — the latest board-approved version as of June 2026. The guideline cadence has slowed; this vintage is acceptable because the must-pass API capabilities it defines are exactly the portability surface Tier B relies on. This DR records the vintage explicitly so nobody accuses the tool of citing a stale program unknowingly. When a newer board-approved guideline is published, update SOV-5-08-EV2, SOV-5-08-LMIC lmic_anchors, and this DR entry.

Authority: Anchor verification addendum; maintainer decision 2026-06-11

DR-L8 evidence pending-external-review

SWIPO Code of Conduct requirement IDs (DP01, DP06, DP08, FR1, PLR01, PLR05, TR03(f), TR05) were verified against the Code structure as reproduced in published CSP transparency statements (Google Cloud transparency statement). The artifact is a provider self-declaration, not the Code itself. Citable material is the requirement-ID column which reproduces the Codes own numbering and text. The Code PDF should be vendored into docs/sources/ and all SWIPO cites re-pointed at it. Never cite a vendor response column as the standard.

Authority: Anchor verification addendum; maintainer decision 2026-06-11

DR-L9 adaptation stable

LOCAL_STAFF_FLOOR_PCT = 30. The 30% threshold is adopted from the World Bank local labor participation floor for internationally procured works contracts (Procurement Regulations 7th ed. §5.54, effective 1 Sep 2025). It is the Banks own number. Intellectual-honesty note: the Center for Global Development and others have argued the 30% rule has limited effectiveness as an economic-development instrument. The tool adopts the number for its institutional provenance and configurability — it is a Bank-endorsed floor, not an empirical optimum. The tool mimics §5.54s override mechanism: where a project SPD/PPSD establishes a different percentage, that figure governs. §5.54 formally applies to works contracts; this question uses the same mechanism by analogy for cloud operations staffing (see DR-L6). ADOPTED-FROM: World Bank PR 2025-07-18 + Procurement Regulations 7th ed. §5.54. SOV-1-12-LMIC point spread: lt30=0, b30_50=5, b50_75=7, gt75=10. Progression above the floor is a CSI editorial choice tracking the marginal sovereignty gain from deeper localisation; the 30% floor behavior of autonomyRungsUnlocked is unchanged (band b30_50 maps to staffPct=30 and satisfies the floor).

Authority: Threshold adoption addendum; World Bank PR 2025-07-18; Procurement Regulations 7th ed. §5.54; maintainer decision 2026-06-11

DR-L10 adaptation stable

data/exit-bands.json band boundaries are statutory envelopes from Regulation (EU) 2023/2854 Arts. 25/29, used as planning heuristics — not measured migration durations. Time-band boundaries (4 months / 10 months) are the statutory maximum durations for standard and technically-unfeasible switching. Real exits can be faster. Cost-band boundaries follow the three Art. 29 charge regimes (zero / cost-capped / uncapped). The CMA cloud market investigation (Appendix N, egress-fee evidence) is cited as empirical context on the methodology page but no CMA number is used as a threshold. ADOPTED-FROM: Regulation (EU) 2023/2854 Arts. 25(2)(a),(d),(g), 25(4), 29(1)-(4), 2(36).

Authority: Threshold adoption addendum; Regulation (EU) 2023/2854; maintainer decision 2026-06-11

DR-L11 adaptation stable

Absent evidence_status on a gate-feeding answer ranks as 'unverified' by design. A bare yes answer (evidence_status field omitted) cannot satisfy any gate. This enforces locked decision 4 (gates never pass on unestablished evidence) at the data layer: the omission of evidence_status is treated as the weakest possible evidence rank, not as a documented default. The UI must require the evidence selector for gate-feeding questions with helper text 'select how this is evidenced — unverified answers cannot satisfy gates.'

Authority: Punch-list item 3; maintainer decision 2026-06-12

DR-P0 adaptation stable

SEAL levels 1–4 are relabeled as 'Jurisdictional / Managed / Resilient / Autonomous' in CSI/LMIC display mode. The numeric mapping is 1:1; only the label changes. The EU term 'SEAL' is preserved in provenance links (the collapsible 'where this comes from' reference) so the mapping remains transparent and auditors can trace back to the EU-CSF source without seeing the EU term in the buyer-facing headline. For LMIC mode specifically, the Autonomy/Assurance axes are the primary output; the posture ladder is secondary and a single blended SEAL-like number is never surfaced (no-blend rule, DR-L2).

Authority: csi-presentation-layer-spec.md §4; maintainer decision 2026-06-12

DR-P1 exclusion stable

SOV-1-05 (EU Financing & Investment Anchoring) excluded from non-EU CSI/LMIC mode. EU-sourced financing is an EU-industrial-policy criterion — local financing of a CSP does not by itself increase a non-EU buyer's sovereignty. No meaningful non-EU analog exists. treatment: exclude_non_eu.

Authority: csi-presentation-layer-spec.md §2; maintainer decision 2026-06-12

DR-P2 exclusion stable

SOV-1-06 (EU Strategic Initiative Alignment) excluded from non-EU CSI/LMIC mode. Gaia-X and IPCEI-CIS are EU-specific industrial programmes with no non-EU equivalent. Participation signals alignment with EU sovereignty objectives, not sovereignty for a non-EU buyer. treatment: exclude_non_eu.

Authority: csi-presentation-layer-spec.md §2; maintainer decision 2026-06-12

DR-P3 adaptation stable

SOV-1-08 (Roadmap Influence — EU Stakeholder Governance) re-aimed for non-EU mode. The original asks whether EU stakeholders exercise determinative influence over the provider roadmap — meaningless for a non-EU buyer. Re-aimed to contractual or governance-body influence by the customer country's government or public-sector customers. Same sovereignty concern (external control over roadmap), different anchor. Both the question text AND the card title are re-aimed: non-EU mode renders csi_presentation.title ('Customer Influence Over Provider Roadmap') instead of the EU-anchored heading, so the title no longer reads 'EU Stakeholder Governance' for non-EU countries. treatment: re_aim.

Authority: csi-presentation-layer-spec.md §2; maintainer decision 2026-06-12

DR-P4 adaptation stable

SOV-1-09-CADA (Third-Country Subsidiary Legal Separation) adapted for non-EU mode: 'EU operations/data' → '{country} operations/data'; 'third-country' → 'foreign'. Control objective (legal separation from foreign affiliates) is jurisdiction-neutral. treatment: clean_adapt.

Authority: csi-presentation-layer-spec.md §2; maintainer decision 2026-06-12

DR-P5 adaptation stable

SOV-2-04 (IP Jurisdiction) re-aimed for non-EU mode. 'IP created/registered in EU' has no non-EU analog that means sovereignty. Re-aimed to: IP not subject to a foreign jurisdiction that could restrict the country's use through licensing terms, export controls, or government orders on the IP holder. treatment: re_aim.

Authority: csi-presentation-layer-spec.md §2; maintainer decision 2026-06-12

DR-P6 adaptation stable

SOV-2-05 (Data Access — Non-EU Authority Compelled Access) adapted: 'non-EU authorities' → 'authorities outside {country}'s jurisdiction'. Control objective (protection from extraterritorial compelled access) is jurisdiction-neutral. treatment: clean_adapt.

Authority: csi-presentation-layer-spec.md §2; maintainer decision 2026-06-12

DR-P7 adaptation stable

SOV-2-05-CADA (Third-Country Vulnerability Disclosure Prohibition) adapted: 'third country' → 'any foreign jurisdiction'. Control objective is jurisdiction-neutral. treatment: clean_adapt.

Authority: csi-presentation-layer-spec.md §2; maintainer decision 2026-06-12

DR-P8 adaptation stable

SOV-3-01-C2 (Data Residence — Derived & Account Data in EU) adapted: '{{BLOC}}' → jurisdiction ladder ({country} → {trusted_jurisdiction}). The jurisdiction ladder is the appropriate substitute — in-country preferred, regional/treaty trusted jurisdiction as fallback. treatment: clean_adapt. This is the template-defining worked example for the presentation layer.

Authority: csi-presentation-layer-spec.md §3; maintainer decision 2026-06-12

DR-P9 adaptation stable

SOV-4-01-C3 (Operating Personnel — Standalone European Organisation) adapted: 'standalone European organisation' → 'standalone organisation established in {country} or {trusted_jurisdiction}'. Same operational-independence control, jurisdiction substituted. treatment: clean_adapt.

Authority: csi-presentation-layer-spec.md §2; maintainer decision 2026-06-12

DR-P10 adaptation stable

SOV-4-13-CADA (Infrastructure & Assets Located in EU) adapted: 'Union' → '{country} or {trusted_jurisdiction}'; 'non-EU infrastructure' → 'outside agreed jurisdictions'. Control objective (physical asset location) is jurisdiction-neutral. treatment: clean_adapt.

Authority: csi-presentation-layer-spec.md §2; maintainer decision 2026-06-12

DR-P11 adaptation stable

SOV-4-15-CADA (Migration Plan — Vendor Failure/Third-Country) adapted: 'third-country' → 'foreign jurisdiction'; 'EU customers' → '{country} customers'. Control objective (contingency planning for provider failure or foreign takeover) is jurisdiction-neutral. treatment: clean_adapt.

Authority: csi-presentation-layer-spec.md §2; maintainer decision 2026-06-12

DR-P12 adaptation stable

SOV-5-06-CADA (Subcontractor Transparency & Due Diligence) adapted: EU phrasing dropped from title/description; control is jurisdiction-neutral (sovereignty due diligence on subcontractors covers jurisdiction, beneficial ownership, and foreign-law exposure in any context). treatment: clean_adapt.

Authority: csi-presentation-layer-spec.md §2; maintainer decision 2026-06-12

DR-P13 adaptation stable

SOV-5-08-LMIC (Support Substitutability Ladder) adapted: 'third-country' references in ladder text replaced with 'foreign-jurisdiction'. Question is already LMIC-native; presentation block added for consistency and to surface the provenance link. treatment: clean_adapt.

Authority: csi-presentation-layer-spec.md §2; maintainer decision 2026-06-12

DR-P14 adaptation stable

SOV-6-04 (EU HPC Independence) re-aimed for non-EU mode. 'EU HPC independence' is an EU-industrial-policy framing. Re-aimed to independence from any single foreign HPC supply chain — the underlying sovereignty concern (concentrated foreign dependency that can be unilaterally restricted) is valid in any jurisdiction. treatment: re_aim.

Authority: csi-presentation-layer-spec.md §2; maintainer decision 2026-06-12

DR-P15 adaptation stable

SOV-7-07 (Independent EU Audit Capacity) adapted: '{{BLOC}}-based auditor' → 'auditor acceptable to the contracting authority, independent of the provider's foreign affiliates'. The control objective (independent audit access) is jurisdiction-neutral; what matters is independence from the provider's foreign affiliates, not the auditor's domicile. treatment: clean_adapt.

Authority: csi-presentation-layer-spec.md §2; maintainer decision 2026-06-12

DR-P16 adaptation stable

SOV-7-08 (Incident Disclosure & CSIRT Cooperation) adapted: 'GDPR/NIS2' → defined timelines; 'CSIRT' → '{national_csirt}' (resolved from country profile). Control objective (incident disclosure and national authority cooperation) is jurisdiction-neutral. treatment: clean_adapt.

Authority: csi-presentation-layer-spec.md §2; maintainer decision 2026-06-12

DR-P17 adaptation stable

Re-aimed question titles (csi_presentation.title) now surface on every non-EU (Generalized) display surface, not just the questionnaire card: the result-page objective accordion, the gap/'top improvement' callout, and the CSV export. A shared helper displayTitle(q, variant) in shared/src/tier-resolution.ts is the single source of truth (precedence: csi_presentation.title → title_generalized → title for Generalized; canonical EU title for EU-CSF). The CSV export also gained a 'source' column (doc + clause) so the cited source travels with the offline workbook. Prevents a non-EU user seeing an EU-anchored heading (e.g. 'EU HPC Independence') in one place and the re-aimed one ('Independence from Foreign HPC Supply Chain') in another.

Authority: maintainer decision 2026-06-14

DR-R1 derivation stable

Relevance is now archetype-driven (RELEVANCE_ENGINE_COOKBOOK.md). A question is anchored to a FACET of a LAYER via relevance.archetypes tags, not to a scenario; show_when is GENERATED from the tags by scripts/gen-relevance.ts (shared/src/archetypes.ts is the 7-archetype catalog). The decisive rule: ownership/operation/location triggers are ruled out when the client controls that facet, but REVERSIBILITY/SUPPORT_CONTINUITY (the `dependency` facet) are NOT — you can own and operate a platform and still be unable to self-patch licensed software (the VMware case). Facility derivation fixed so a third-party L1 is a commercial_lessor (landlord), not a provider, so colocation's provider-residency questions vanish (client owns the data layers) while physical-custody/jurisdiction questions remain. Coverage is measured by scripts/coverage.ts against the derived profiles; CI fails on broken_wiring or unjustified missing cells.

Authority: RELEVANCE_ENGINE_COOKBOOK.md; maintainer decision 2026-06-15

DR-R2 adaptation stable

CSI mode reframes the C3A-verbatim subject 'the cloud service provider' to the actor actually responsible at the question's concern layer (relevance.layer), via deriveOperatorLabel/operatorForLayer in shared/src/tier-resolution.ts — the 'frame on the fine value' half of the relevance model. Facility/hardware layers (L1/L2) resolve to 'the data center provider' when a third party owns the building (so SOV-8 sustainability addresses the colocation landlord) or 'your organisation' when client-owned; cloud layers (L3-L5) resolve to 'the cloud service provider' / 'your cloud operator' / 'your organisation' by the operation facet. C3A and EU-CSF stay source-faithful (never reframed). Relatedly, the self-managed-OSS skills risk (RISK-L3-SKILLS-01, fires when L3 is self_supported_oss + client_staff) had a procurement clause beginning 'The Provider shall…' — nonsensical when there is no vendor; reworded as an internal control (cross-training, run-books, annual recover exercise, pre-qualified fallback support) with a new realism_tag 'internal_control', and the report section retitled 'Procurement bridges & controls'. Extended 2026-06-19: reframeOperator originally only rewrote the canonical phrase 'the cloud service provider', leaving the looser 'the provider' phrasing as a phantom subject (~10-13 shown questions per self-operated scenario read 'Does the provider…' when there is no provider). Bare 'the provider' is now also re-aimed, but only for layer-anchored questions (relevance.layer set) where the concern-layer operator is unambiguously the question's subject — OFF for unanchored questions, whose 'the provider' usually names an external contractual party. Five strategic provider-relationship questions that re-aim cleanly (SOV-1-07, SOV-4-09-FB, SOV-6-04, SOV-7-02, SOV-7-08) were given an always-ask concern-layer anchor via a new gen-relevance spec `{ agnostic: layer }` (no show_when, never hides; layer chosen on the service operator L3/L5 so provider scenarios still resolve to 'the provider' with no reframe). A separate group of provider-relationship questions that are moot for a fully self-operated posture (SOV-1-04, SOV-1-08, SOV-1-09-CADA, SOV-5-06-CADA, SOV-7-07) was reviewed and deliberately left unchanged pending a relevance/fidelity decision (3 are CADA-sourced).

Authority: maintainer decision 2026-06-15; extended 2026-06-19

DR-R3 extension stable

No-silent-structural-risk: when a question is hidden by the control profile (relevance.show_when is false), the questionnaire no longer drops it into a silent 'N questions hidden' count if a structural risk it maps to is live. For each fired risk (risk-register.json triggers, evaluated by the new shared firedRisks() in shared/src/report.ts) whose question_ids intersect the questions hidden in an objective, a read-only RiskCard is rendered inline with a 'Structural finding · score locked' badge and its severity_basis — the risk is recorded as an automated finding, not buried. Only genuinely out-of-scope questions (no live risk for that facet, e.g. jurisdiction questions hidden because the layer is in_country) remain in the quiet disclosure. A new invariant test (tests/no-silent-risk.test.ts) asserts that across the four reference deployment scenarios plus the sovereign baseline, every fired risk is bridged to at least one CSI-applicable question, so a structural risk can never become invisible to a CSI user. This surfaced two genuine leaks — RISK-L4-EGRESS-01 and RISK-L4-TERMINATION-01 fired on a provider-owned managed layer (the hyperscaler case) but were bridged only to LMIC-only questions; both were linked to the CSI exit-readiness question SOV-6-01-FB2.

Authority: maintainer decision 2026-06-16

DR-R4 derivation stable

Two posture-report quality fixes from scenario outcome review. (a) control_channel (shared/src/report.ts deriveControlChannel) now reflects WHO OPERATES a layer, not just ownership: a client-owned layer operated by a third party is no longer reported as green 'client'. Mapping: client+client_staff → client; provider-owned → foreign_provider if foreign/foreign_vendor else commercial; any other third-party operation → foreign_vendor if foreign reach (foreign location or foreign_vendor) else commercial (local SI, landlord, in-country provider ops). This fixes the 'sovereign-washing' under-report where a foreign vendor holds privileged access to client-owned kit (e.g. gov DC with foreign L5 support showed L5='client'). (b) Added RISK-L5-OPSDEP-01 (operational substitutability) triggering on L5.operation in {local_si, foreign_vendor, provider}, bridged to SOV-4-18-CSI + SOV-4-01 and clause PC-L5-OPSDEP, anchored to C3A §2.3 (Operational Substitutability) and ISO 22301 cl. 8.4.3. The risk register was jurisdiction-centric, so a fully local-SI-managed deployment surfaced almost no findings despite a real 'the SI holds all the keys' operational dependency; OPSDEP-01 now fires for any externally operated service regardless of jurisdiction. Verified across the four reference scenarios: hyperscaler scores lowest and the weakest-link CSL gate drops it to tier 'strategic_autonomy' while sovereign-leaning deployments reach 'sovereign'.

Authority: maintainer decision 2026-06-19

DR-R5 extension stable

Two result-presentation changes. (a) Structural findings consolidated: the no-silent-risk findings from DR-R3 are no longer rendered inline per-objective in the questionnaire. A risk's question_ids can span objectives (e.g. RISK-L1-ACCESS-01 bridges SOV-3-01 and SOV-2-03), and the per-objective inline rendering matched the risk in every objective whose hidden questions it intersected, so the same finding appeared twice (reported on the SOV-2 and SOV-3 pages of the colocation profile). A new pure helper unaskedFiredRisks(profile, criteria) in shared/src/report.ts returns fired risks that have NO visible CSI bridge question (computed once globally, deduped by construction), surfaced once in a 'Structural findings from your scope' summary on the review page (ScopeFindings.tsx island) — the pre-submit consolidation point, distinct from the per-layer report on the results page. The questionnaire keeps only the quiet hidden-count disclosure. The DR-R3 invariant (every fired risk is CSI-bridged) is unchanged and still tested. (b) Domain maturity radar: result.astro now renders an eight-axis SVG radar (DomainRadar.tsx, dependency-free, matching the hand-rolled ControlMatrixReport SVG) over SOV-1…SOV-8, each axis = that domain's CSL, filling the cross-section gap between the headline % and the per-layer posture. maxCsl is 3 for the Generalized variant (CSI tiers 0-3) and 4 for SEAL. Axes with no answered questions are drawn dashed/grey. CSI_MATURITY_NAMES/COLORS were extracted from ScoreHero.tsx into src/lib/csi-display.ts as the shared source for both. radarPoints geometry is unit-tested; unaskedFiredRisks dedup is regression-tested (colocation → RISK-L1-ACCESS-01 exactly once).

Authority: maintainer decision 2026-06-19

DR-R6 extension stable

Structural auto-answer engine + source-wording transparency, from a four-scenario assessment (regional CSP, mixed/hybrid, foreign SaaS, sovereign proprietary appliance). Some CSI questions ask a pure FACT that the declared control profile already fixes — provider jurisdiction (SOV-1-01/02/03), data residency (SOV-3-01/-C2/-C5), operating-personnel location (SOV-4-01/-C3/-FB), SOC location (SOV-4-04), infrastructure location (SOV-4-13-CADA). Asking them was friction, produced phantom 'the provider' wording in self-operated setups, and — because the show/hide engine dropped them from scoring — inflated the headline (a foreign-PaaS hybrid read 'Sovereign 91.5%'). shared/src/structural-answers.ts now derives these answers from the profile (STRUCTURAL_MAP, yes_when over the operating/data layers L2–L5, not just L1), and the worker merges them UNDER the user's answers before scoring (manual override wins), so they COUNT exactly like a typed answer. The questionnaire drops them from the asked flow; review.astro surfaces them in an editable 'Answers set by your declared infrastructure' panel (AutoAnswers.tsx) with the determining reason and source anchor. This supersedes the CSP-review direction of 'record as locked findings, not scored' (DR-R5 era discussion) — counted auto-answers are what keep the score honest (mixed → 81% CSL2 Strategic Autonomy; foreign SaaS lowest; the appliance's in-country data residency is now CREDITED instead of showing as not-assessed). Only pure facts are auto-answered; provider offerings / processes / commitments (BYOK, client-side encryption, audit cooperation, exit drills) stay asked. Folded in from the same assessment: (P2) JURISDICTION archetype extended to L3/L4 so SOV-2 process questions fire on a foreign operating layer, not only the facility; (P4) SOV-3-02-C/05-C/06 and SOV-6-01(+FB) gain REVERSIBILITY tags so they fire on a proprietary closed platform regardless of ownership; (P3) new RISK-L3-LOCKIN-01 (trigger L3.dependency=='proprietary_inaccessible', owner-independent) closes the 'own it but can't fork it' gap RISK-L3-HYPERSCALER-01 left (it required provider ownership). Separately, each reframed question now reveals a collapsible 'Original source wording' (the verbatim source criterion text, placeholders resolved but un-reframed) under the source anchor, so every CSI amendment is auditable.

Authority: maintainer decision 2026-06-20

DR-R7 derivation stable

CSI Generalized headline gated by weakest link + zero 'SEAL' in CSI. A live assessment read '74% / Strategic Autonomy' while a domain (SOV-6) sat at CSL 0 with a 13-item gap report — because the Generalized headline tier was a lenient coverage average (pctToMaturityLevel) while per-objective CSLs are strict weakest-link gates. scoreCsiComposite now computes weakest_link_csl over sovereignty-relevant objectives (max_score>0, EXCLUDING SOV-8 ESG and SOV-9) and gates the Generalized tier: globalCsl = min(pctToMaturityLevel(pct), min(3, weakest_link_csl)); pct_to_next_tier is null when gated (advancement = closing the blocker, not more %). global now carries weakest_link_csl + gating_objective_ids. The coverage % is retained and presented as 'sovereignty readiness'; ScoreHero shows an explicit 'assurance gate: held at {tier} by {objective}' caveat (and the old pct_to_next===null branch that wrongly printed 'Sovereign tier achieved' is fixed). result.astro's broken bottleneck logic (o.csl===globalCsl, which surfaced the wrong objectives) is replaced by a 'Blocking objectives — these gate your assurance level' callout listing the gating + CSL≤1 domains (excl SOV-8) with their top gap. The domain radar is mounted at maxCsl=4 (per-objective CSL is the 0–4 ladder; the prior maxCsl=3 clamped SOV-2 at CSL 4) and captioned as CSL/assurance. The existing EU-CSI weakest-link min also now excludes SOV-8/9. Separately, per user instruction, CSI must NEVER display 'SEAL' (it speaks in CSL / maturity tiers): removed SEAL from CsiCard, the result-page secondaryScore detail and CSI levelPrefix (EU-CSF/history keep SEAL), the per-objective accordion badge (new levelLabel='CSL' prop on ObjectiveAccordion), and the PDF CSI cover/scorecard/objective/methodology strings; CSI per-objective labels are now 'CSL N' (0–4), removing the 'Tier 4' undefined-label artifact. EU-CSF and C3A retain SEAL where source-correct.

Authority: maintainer decision 2026-06-20

DR-R8 derivation stable

CADA scoring was non-functional: scoreCada counted every UNANSWERED CADA question as a gate failure (!ans || value!=='yes'), but the questionnaire hides ~12 of 29 CADA questions (relevance.show_when, applicability_condition, parent_criterion_id), and 7 CADA questions are tiered yet scoreCada read only the bare id — so tiered answers (incl. SOV-1-02 at Level 1) were invisible and the cumulative gate collapsed to UAL 0 for everyone, including an all-compliant in-country provider. Fix: (1) extracted a single shared isQuestionApplicable(q, profile, answers) in shared/src/relevance.ts (show_when + applicability_condition + parent gating) used by BOTH the questionnaire UI and the scorers, so the gate can never demand a question the UI hid; (2) scoreCada now gates only over APPLICABLE questions and reads tiered answers (national OR bloc OR bare == 'yes' passes); (3) threaded control_profile through scoreAssessment meta into scoreCada (worker passes the stored profile). applicability_condition (depends_on/value/when_unmet:'exclude') was previously dead everywhere — now honored in both UI and scorer. Result: all-visible-yes (in-country) → UAL 4; a foreign hyperscaler still fails honestly because in-country structural facts auto-resolve 'no'.

Authority: maintainer decision 2026-06-21

DR-R9 extension stable

Foreign-hyperscaler realism (Algeria gov on AWS / Laos gov on Azure: foreign provider, no local entity, nothing in-country). Two fixes. (a) Structural auto-answer DROP extended to ALL frameworks (was CSI-only): the worker already MERGES structural located-domestic answers (jurisdiction/residency/operator) for every framework, but the questionnaire only dropped them from the flow in CSI mode, so EU-CSF/C3A/CADA still asked the user in-country facts the profile already fixes ('nonsense in-country questions'). Now any framework drops STRUCTURAL_QUESTION_IDS when a control profile is set; the SOV-4-13-CADA 'agnostic vs structural' contradiction is resolved in effect (it is auto-answered/dropped). NOTE: deliberately did NOT add SOV-2-03/SOV-2-05/SOV-2-07 etc. to STRUCTURAL_MAP — those are genuine provider-OFFERING questions (can the provider resist foreign compelled access, escrow for state takeover, etc.), the crux for a foreign provider, so they stay asked per the module philosophy (pure facts only). (b) L1 facility recommendation framing: RISK-L1-ACCESS-01 bridged PC-L1-ACCESS ('retain physical access to your hardware for removal'), which is colocation-shaped and wrong for a hyperscaler where the customer owns no hardware (facility controls sit between CSP and DC). The dormant clause-level applies_when field is now ENFORCED in buildReport (bridges are profile-filtered, parallel to the applicability_condition activation): PC-L1-ACCESS narrowed to L1.ownership=='commercial_lessor'; new PC-L1-AUDIT (L1.ownership=='provider') grants audit/attestation rights over facility controls + change notice + a cooperative, binding exit/data-export procedure, explicitly NOT physical access. Mirrors the colocation-vs-hyperscaler split already in tier-resolution.ts (cloudIsProvider).

Authority: maintainer decision 2026-06-21

DR-R10 adaptation stable

Report/methodology correctness pass surfaced by the hyperscaler test. (1) Phantom SOV-9: 'Economic & Payment Continuity' is a zero-weight LMIC-only objective (applies_to_csi_composite:false) but the PDF rendered every per_objective entry, so it appeared as a phantom 'CSL 0' weakness ('Economic & Payment Continuity (SOV-9) —'). The PDF now filters objectives to max_score>0 for both CSI and EU-CSF (matches the web report and the weakest-link gate, which already exclude SOV-8/9). (2) Completed the CSI 'zero SEAL' rule on surfaces still leaking it: the framework cards on index.astro / start/[framework].astro / methodology/[framework].astro (CSL not 'SEAL 0–4'), the PDF CSI gap badge (new levelLabel param='CSL') and CSI EU/EEA cover/tier labels (new CSI_CSL_NAMES instead of SEAL_LABELS), and CSI-context prose in faq.astro and methodology.astro. EU-CSF/C3A retain SEAL where source-correct. (3) Corrected stale methodology: the FAQ/methodology 'exit' answer claimed data export SLAs, API portability, termination clauses, deletion obligations and notice periods are 'not assessed' — now false (CADA Art. 25 switching/notice/retrieval, verifiable erasure, OpenStack/RefStack portability conformance, tested data export, SWIPO TR05 licensing-change notice+termination). Rewritten to: technical reversibility AND the contractual controls are assessed and surfaced as Recommended Contract Clauses; what remains the customer's job is auditing the signed contract. (4) Fixed outdated maturity-tier names in faq.astro (Foundational/Developing/Advanced/Pioneering → Dependent/Managed Dependency/Strategic Autonomy/Sovereign, the csi-display canonical set) and noted the headline tier is capped by the weakest domain.

Authority: maintainer decision 2026-06-21

DR-R11 derivation stable

Reports made actionable by an explicit supplier-management vs internal-improvement split. Previously the owner of a finding was clear only via the procurement-clause realism_tag inside the collapsed control matrix; every answer-driven gap/blocker (EU-CSF/CSI/CADA) had no owner attribution, and a weak domain was restated up to 5x. Added shared/src/action-owner.ts: actionOwnerForQuestion(q, profile) → 'internal' if the question carries the SELF_SUFFICIENCY archetype, 'supplier' if any of the other six archetypes, else the resolved operator at relevance.layer via operatorForLayer (self-operated → internal, else supplier; no-profile default supplier). actionOwnerForClause → internal iff realism_tag==='internal_control'. No new data field — mirrors reframeOperator so the badge never contradicts the displayed 'your organisation/the provider' wording, and is profile-dependent by design (a reversibility gap is an internal engineering action on a self-run OSS stack but a supplier contract ask against a hyperscaler). NEW src/components/ActionTracks.tsx renders a 'What to do next' two-track summary (Require from your provider / Build & operate internally) in the CSI section, surfacing the PC-* clause templates (previously buried in the collapsed matrix). Owner pills added to EU-CSF blockers/maturity gaps, CADA priority actions, and ObjectiveAccordion action rows; PDF gap cards, CADA actions, and the per-layer clauses page gained the same owner label (internal_control clauses now render as 'Internal control', the page retitled 'What to Require & Build — by Layer'). De-dup: removed the CSI anti-patterns card and the EU-CSF bottleneck callout (both restated the blockers) and the PDF roadmap's duplicate top-3 gap list; kept radar (overview) + one ranked list + accordions (detail).

Authority: maintainer decision 2026-06-22

DR-R12 extension stable

Action items made fully explorable + exportable as a risk register, and the review page guarded against phantom 're-submit'. (1) ActionTracks items were summary snippets with '…'; each is now an expandable native <details> revealing the FULL clause/question text, source basis, and the concrete action (no hydration needed). (2) New src/components/RiskRegisterExport.tsx downloads a vendor-and-internal risk register: CSV (one sheet) and XLSX (two sheets — 'Provider & contract' = supplier clauses to add / evidence to demand; 'Internal actions' = controls to implement & document), built client-side via a lazy import('exceljs') so the result page stays light. result.astro precomputes a serializable riskRegister (RegisterRow[]): every fired procurement clause (full clause_text + source anchor + add-to-contract action) plus every CSI gap (full question text + supplementary 'expected evidence' + an owner-framed action), each classified supplier/internal via shared/src/action-owner.ts. The on-screen tracks show clauses + blocking-objective gaps (priority); the export carries the complete register. (3) review.astro now redirects an already-submitted assessment to /result instead of rendering a re-submittable page — the actual cause of the reported 'auto-submit' was re-opening /review for a finalized assessment (submit is otherwise strictly button-click; no form, no keyboard handler).

Authority: maintainer decision 2026-06-25

DR-R13 adaptation stable

Reason from the scenario: if scoping says the provider operates OUT-OF-COUNTRY, it is logically a foregone outcome that it will not submit to local authority, be taken over by the state, resist its own home government (CLOUD Act/FISA/CSL), or relocate data/inference/source/ops in-country. Such criteria are auto-scored 'no' SILENTLY and dropped from the form (extending the DR-R9 structural-answer engine from in-country FACTS to foreign-provider-precluded criteria) — the question is suppressed, never the gap, so the honest score is unchanged. A single data flag Question.foreign_provider_precluded marks the 15 such criteria: location/in-country (SOV-3-AI-02-AC inference, SOV-4-02 admin paths, SOV-4-03 connectivity, SOV-4-09/10 disconnect/reconnect, SOV-5-05 capacity, SOV-6-01/SOV-6-01-FB1 source code, SOV-7-06 patch, SOV-7-07 audit) and jurisdiction-submission (SOV-2-02 national-authority audit, SOV-2-03/SOV-2-03-CSI state takeover, SOV-2-05 foreign compelled access, SOV-2-05-CADA vuln disclosure). structural-answers.ts: providerForeign(p)=any service layer L3–L5 non-domestic; structuralAnswers/structuralDroppedIds emit a 'no' + drop for flagged criteria ONLY when providerForeign AND criteria supplied — an in-country provider is still asked. They surface in the AutoAnswers transparency panel and, in the report, as a third 'inherent' action owner (amber 'Residual / inherent' track + RiskRegisterExport sheet): 'inherent limitation of a global/foreign provider — not contractable; move this layer to an in-country/sovereign provider, or accept & document.' Disclosure/offering/contractual/customer-side criteria (e.g. SOV-2-01, SOV-3-AI-01/03/04, SOV-1-04/07, SOV-7-08) stay ASKED — a foreign provider can choose to satisfy them. Closure test (tests/foreign-provider-precluded.test.ts) asserts every in-country location-mandate criterion is reconciled (structural or flagged) and that flagged ones auto-clear+inherent for foreign / stay asked for in-country. Reasoning hardcoded in repo CLAUDE.md.

Authority: maintainer decision 2026-06-26

DR-R14 adaptation stable

Two parallel paths must agree (CLAUDE.md invariant): whatever the questionnaire decides about a question's TEXT for a profile, the result/report path must decide the same. The questionnaire already renders the csi_presentation.variants.non_eu wording in CSI-only mode for a non-EU country (excluding exclude_non_eu questions), but the result page (result.astro gapDetail), the PDF (report-pdf.tsx getQuestionMeta), and the risk-register export rendered the EU-native q.text via resolvePlaceholders — so a non-EU assessment (e.g. Ecuador) leaked EU wording ('within the EU', 'non-EU', 'member state') for the re_aim/clean_adapt questions (SOV-1-08, SOV-2-04, SOV-2-05, SOV-6-04, etc.). Fix: result.astro and report-pdf.tsx now compute the same presentation gate (CSI-only mode AND non-EU country) and prefer csi_presentation.variants.non_eu.text/title when shown, falling back to native text otherwise — the risk register inherits this via gapDetail. SOV-2-03 (State of Defense Takeover) had no presentation block and bled '{{BLOC}} member state', so a non_eu re_aim variant was added (generic state-of-defense / national-emergency wording with {{COUNTRY}}/{{NATIONAL_ADMIN}}). Scoring, gates, and provenance are unchanged — this is presentation only. New closure test tests/non-eu-presentation.test.ts asserts that for EVERY CSI-applicable question the text a non-EU user sees contains no EU token (EU/EEA/member state/non-EU/European Union), so the next residency/EU-worded criterion added without a non_eu variant fails loudly.

Authority: maintainer decision 2026-06-27

DR-R15 adaptation stable

QA of four extreme scenarios (foreign hyperscaler; sovereign in-house; in-country 'sovereign region' that is foreign-OPERATED; domestic operator on a foreign supply chain) surfaced three defects, now fixed. (1) action-owner: the pure jurisdiction/residency/operations FACTS in STRUCTURAL_MAP (SOV-1-01/02/03, SOV-3-01*, SOV-4-01*, SOV-4-04, SOV-4-13-CADA) were auto-cleared 'no' for a foreign provider but classified action-owner 'supplier', producing the nonsense 'Add to contract: require the provider to be under {country} jurisdiction / open a registered office / run the SOC in {country}'. New structuralNoIds(profile) + a rule-0b in actionOwnerForQuestion classify any structural-'no' fact as 'inherent' — the exact gap class the foreign_provider_precluded work targeted, reached via the un-flagged STRUCTURAL_MAP facts. (2) Residency conflated with jurisdiction: SOV-3-01/C2/C5 (data residence) and SOV-4-13-CADA (infra location) used nonDomestic (location!=in_country OR operation==foreign_vendor), so a foreign-vendor-OPERATED but in-country-LOCATED layer reported 'data not resident' — literally false. A new residentDomestic resolver tests LOCATION ONLY for these placement facts; the foreign-operation exposure is already captured by SOV-1 (control) and SOV-2-05 (compelled access). The 'residency mirage' case now correctly reads residency=yes, sovereignty=no (still gated CSL 0 via SOV-1/2/4/5, no longer via a falsified SOV-3). (3) Title bleed: report-pdf getQuestionMeta rendered raw EU q.title; now uses displayTitle(q,'Generalized') (csi_presentation.title -> title_generalized -> title); tests/non-eu-presentation.test.ts extended to assert titles, not just body, are EU-free. Plus a presentation-only rebalance (no score change) responding to the World Bank's outcome-based view (June 2026): a 'How to read this score' note on the result page + PDF + methodology §8 states sovereignty != security (a security baseline is assumed not verified; complement with ISO 27001/SOC 2/C5, which can favour an external provider), that in-country/in-house is not automatically sovereign (SOV-5/SOV-7 gate it identically — demonstrated by the supply-chain case scoring CSL 0), and that sovereignty is a deliberate outcome-based tradeoff (blanket localisation costs 15-55% for SMEs per OECD; accept-and-govern is a first-class outcome). The 'inherent' track is reframed from 'residual risk' to 'structural — a tradeoff to decide'.

Authority: maintainer decision 2026-06-27

DR-R16 adaptation stable

The blank XLSX template (src/lib/template-xlsx.ts) is the THIRD presentation path and was out of sync with the questionnaire/report after the csi_presentation work: it only emitted a 'generalized' row when the legacy q.text_generalized field was present (5 questions), so the ~12 CSI questions adapted via csi_presentation.variants.non_eu but lacking text_generalized rendered EU-native text/titles to a non-EU filler (7 outright bled 'EU'/'European'/'member state'), and the 2 exclude_non_eu questions still presented an answerable EU row. Fixed with a shared generalizedFor(q) helper (csi_presentation.non_eu.text -> text_generalized -> null; shown:false => excluded) plus displayTitle(q,'Generalized') for titles: single/tiered_ladder questions now emit eu_csf+generalized rows (eu_csf-only when excluded, so a non-EU country greys it out = dropped); the tiered 'national' row (the row a non-EU filler answers, since 'bloc' greys out for non-EU) takes the Generalized title and the re-aimed non_eu text — display-only, so tiered scoring at the national-tier key is unchanged. tests/template-non-eu.test.ts replicates the template's exact non-EU row resolution and asserts EU-free title+text for every CSI question (the closure invariant now covers all three paths). Separately fixed a pre-existing latent crash: addAssessmentSheet assumed q.tiers.bloc in its non-single branch, so the two tiered_ladder LMIC questions (SOV-1-12-LMIC, SOV-5-08-LMIC) threw — meaning the default /assess/template.xlsx (no fw, includes all questions) 500'd; the branch now routes any non-'tiered' question (single + tiered_ladder, both flat-text, both scored under the bare qid) through the single-style emission. Empirically verified by building the real workbook: 152 rows, 0 CSI non-EU-visible bleeders; the only remaining 'EU' mention is SOV-1-10-CADA, a CADA-only question that source-faithfully cites the European Commission's associated-third-countries list (Art. 18) and must not be neutralised.

Authority: maintainer decision 2026-06-27