Decisions Register
Every deviation from the source frameworks is documented here. 21 entries.
C3A's national tier is structurally generic; only the country name is Germany-specific in these criteria. The semantic content (jurisdiction, residence, control, residency, SOC location, capacity management) applies identically to any EU member state. Substitution preserves the criterion's intent without modification.
Authority: Editorial. Supported by C3A §1.2's framing of the catalogue as adopting EU CSF structure across member states.
EU CSF and C3A both anchor on EU as the trusted bloc. For non-EU users this anchor is not meaningful. The Generalized variant lets users define their own trusted bloc to preserve the framework's structure while being honest that the reference point has changed.
Authority: Editorial. The EU CSF does not contemplate non-EU users; this is an extension governed by DR-E01.
C3A's German tier names the German federal administration as the auditing authority. Other EU member states have analogous national-level administrations but with different names and constitutional structures (federal vs unitary, central vs decentralised). The criterion's intent — that a national-level public administration can audit the provider — is universal; the institutional label varies. Where a country has multiple potential auditing bodies, the most common 'central administration' framing is used.
Authority: Editorial. Each country's specific administration name should ideally be reviewed by a national legal expert before locking the language.
C3A encodes a Germany-specific constitutional concept (Verteidigungsfall). The criterion's intent — enabling national takeover of cloud operations during a national emergency — is universal across EU member states, but the legal trigger varies substantially. Some countries have multi-tier regimes (Spain, Poland), some have unitary regimes (France's état d'urgence), and some lack a directly equivalent concept. We preserve the intent and substitute each country's analogous regime, listing the closest constitutional anchor.
Authority: Editorial. The mapping of national emergency regimes is based on publicly available constitutional law summaries and should be reviewed by national legal experts before being locked. Countries marked '_default_for_others' need bespoke review.
C3A's national tier raises the residency requirement (Germany) but keeps the citizenship requirement at EU level. This is a deliberate design choice in C3A: personnel sovereignty is a two-axis concept (citizenship + residency), and the national tier escalates only one axis. We preserve this structure rather than tightening citizenship to the chosen country, because that would be a stricter requirement than C3A's German tier itself imposes.
Authority: Editorial. This is a faithful reading of C3A §2.4.1; we make it explicit because users may otherwise expect both axes to escalate.
C3A's informative references to BSI publications make sense for German users but are unhelpful for users in other countries who have their own national security frameworks. We retain the BSI references for honesty about the source, and add country-specific equivalents to be useful. This is informative only and does not affect scoring.
Authority: Editorial. The list of national equivalents should be expanded as users from additional countries provide feedback.
Neither source assigns SEAL levels to specific criteria. To compute SEAL per objective, we must derive a mapping. The mapping is anchored in CSF §3's definitions: SEAL-1 = formal jurisdictional sovereignty, SEAL-2 = data sovereignty with material non-EU dependencies, SEAL-3 = digital resilience with marginal non-EU control, SEAL-4 = full sovereignty with no critical non-EU dependencies. Each C3A criterion is mapped to the SEAL level that the objective cannot reasonably be claimed to have reached if that criterion fails.
Authority: Editorial. This is the single largest derivation in the instrument and the most important one to subject to external review.
CSF §5 references 'points allocated to the question proposed in the tender' but does not specify them — this is left to each tender. Since this instrument is not a specific tender, we assign default point values that produce reasonable intra-objective weighting. Because the CSF formula divides by Max.Score, the absolute point values cancel out at the objective level; only relative differences between questions within the same objective affect the score.
Authority: Editorial. Low-impact derivation due to the normalization in CSF §5's formula.
CSF §4 mandates that weaknesses lower the assurance level but doesn't specify the exact aggregation rule. The strictest interpretation — weakest-link — best matches the framing of SEAL as a 'minimum assurance level' (CSF §1: 'tenders that do not offer the required minimum levels of assurance consistently across all objectives will be rejected'). A claim of 'SEAL-3' must mean every requirement up to and including level 3 is satisfied; otherwise the claim is false.
Authority: Editorial, but tightly constrained by CSF §4 and §1's 'minimum assurance' framing.
Pure UX choice. Unbanded percentages are hard to interpret at a glance. The thresholds are calibrated so most realistic providers fall into Moderate or Strong, with Limited reserved for providers with multiple structural sovereignty deficits and Full reserved for providers achieving near-complete sovereignty.
Authority: Editorial. UX-only.
Real cloud services often partially meet a criterion (e.g., key management is offered for IaaS but not SaaS). A binary yes/no forces users to answer 'no' for partial cases, understating actual sovereignty. The score handles this gracefully via half-points; SEAL cannot, because SEAL is by design a binary gate (you either meet a level or you don't). This split treatment preserves both: granular scoring AND strict gating.
Authority: Editorial. Design choice for self-assessment honesty.
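The three scoring decisions above (normalization by Max.Score, weakest-link SEAL, and half-points that count toward the score but not the SEAL gate) are shown together in this added example. It is not the instrument's own code: the function names, field names, point values and SEAL mappings are constructed for illustration, and a result of 0 is used here to mean that SEAL-1 is not reached.

```javascript
// Illustrative sketch only; not taken from the instrument's source code.
// Answer values: a partial answer earns half the question's points.
const ANSWER_VALUE = { yes: 1, partial: 0.5, no: 0 };

function checkAnswer(q) {
  if (!(q.answer in ANSWER_VALUE)) {
    throw new Error(`unknown answer "${q.answer}" for ${q.id}`);
  }
}

// Objective score = earned points / maximum points (the Max.Score division).
// Because of the division, only relative point values inside one objective matter.
function objectiveScore(questions) {
  let earned = 0;
  let max = 0;
  for (const q of questions) {
    checkAnswer(q);
    earned += q.points * ANSWER_VALUE[q.answer];
    max += q.points;
  }
  return max === 0 ? 0 : earned / max;
}

// Weakest-link SEAL: a criterion mapped to level L that is not fully met
// caps the objective at L - 1. "partial" does not pass the gate.
function objectiveSeal(questions, topLevel = 4) {
  let seal = topLevel;
  for (const q of questions) {
    checkAnswer(q);
    if (q.answer !== 'yes') seal = Math.min(seal, q.sealLevel - 1);
  }
  return seal;
}

// Constructed sample objective (hypothetical ids, points and SEAL mapping).
const sampleObjective = [
  { id: 'Q1', points: 2, sealLevel: 1, answer: 'yes' },
  { id: 'Q2', points: 2, sealLevel: 2, answer: 'yes' },
  { id: 'Q3', points: 4, sealLevel: 3, answer: 'partial' },
  { id: 'Q4', points: 2, sealLevel: 4, answer: 'yes' },
];

// Same objective with every point value multiplied by 10.
const scaledObjective = sampleObjective.map(q => ({ ...q, points: q.points * 10 }));

console.log(objectiveScore(sampleObjective), objectiveSeal(sampleObjective));
console.log(objectiveScore(scaledObjective), objectiveSeal(scaledObjective));
```

The partial answer on Q3 still contributes to the percentage, but it holds the objective below SEAL-3 even though the SEAL-4 criterion is met.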
C3A itself anchors these two criteria at EU level only, with no German national tier. The Disconnect criterion is about cutting non-EU connections (which is meaningful at bloc level but not national level — disconnecting from other EU countries makes no sense). The Source Code Availability criterion requires backup in the EU (which is meaningful at bloc level for resilience). We preserve C3A's design rather than inventing a national tier where the source doesn't have one.
Authority: Faithful to C3A.
C3A explicitly excludes SOV-7. CSF includes it. To produce a complete 8-objective assessment matching CSF's structure, we need SOV-7 questions; we derive them from CSF's contributing factors directly.
Authority: Faithful to both sources.
Same logic as DR-X02: C3A explicitly excludes the objective; CSF includes it; we use CSF directly.
Authority: Faithful to both sources.
Non-EU companies running the unmodified EU CSF assessment would mechanically score near zero on jurisdiction, control, and personnel criteria, even with excellent national sovereignty. This is unhelpful and dishonest. The Generalized variant preserves the methodology while being explicit that the reference frame is the user's jurisdiction. It is presented as a *derived* framework, not as the EU CSF itself.
Authority: Editorial. Not endorsed by either source. Documented as a derived framework in the user-facing methodology.
Disconnect-style criteria require a definition of 'inside vs outside' the trusted zone. EU users have this defined automatically (the EU). Non-EU users must define it explicitly, since 'their bloc' might be national, regional (EFTA, CPTPP), or alliance-based (Five Eyes). Forcing them to use EU as the bloc would be incoherent.
Authority: Editorial. Required by DR-E01.
Self-assessment without evidence handling is too easy to game. Adding optional evidence and explicit unsupported-claim flags lets the user be honest about what's substantiated. A buyer reviewing the report can prioritize verifying unsupported claims.
Authority: Editorial. Not in source but consistent with both sources' emphasis on 'verifiable criteria' (C3A §1.1) and 'supporting evidence' (CSF §1).
C3A §1.2 explicitly presupposes C5 compliance but doesn't operationalize this — a provider could complete a C3A audit without ever confirming C5. This instrument operationalizes the precondition as a Step 0 question with a transparency flag on the result, rather than leaving it as an unstated assumption.
Authority: Faithful operationalization of C3A §1.2.
A persistence layer creates two obligations: bound storage growth and bound residual privacy risk from data hoarding. 12 months balances institutional procurement cycles (some procurement processes run 6+ months end-to-end, so a TTL shorter than that would frustrate legitimate users) against not retaining assessment data indefinitely. The TTL refreshes on every write, so an actively used assessment is never deleted out from under a user.
Authority: Editorial. Operational policy choice.
Pattern A (browser-only state) was the v1 default but had two serious limitations: no multi-device resume without download/upload friction, and no shareable result links. For an instrument intended to be cited and shared in institutional contexts (procurement teams, multilateral banks), these were real costs. Pattern B trades architectural privacy (no data on a server) for policy-enforced privacy (data on a server, but with no identifying information attached and a published code path that anyone can audit). The trade-off is acknowledged on the privacy page.
Authority: Editorial. Operational and UX choice. Audited via published Worker source code.
A research tool gains citation strength from a usage corpus over time. Pattern A made this impossible; Pattern B makes it trivial. An opt-in approach with full disclosure preserves user privacy while building a public dataset that itself becomes a research artifact ('Cloud Sovereignty Index Public Corpus, vintage 2026-Q4'). Default-off and full-disclosure are non-negotiable: users must affirmatively choose to contribute, and must know exactly what's contributed.
Authority: Editorial. Audited via published Worker source code (the anonymization is enforced by the public_corpus VIEW in D1, which strips company_name, answers, evidence, and timestamp precision).