EDSO · European standard · certification across four domains

Prove digital sovereignty. Auditable. European.

EDSO is the European standard for digital sovereignty — with auditable certification across four assessment domains (D1–D4) and four maturity levels (L0–L3). Recognised as a reference framework in European procurement and compliance.

European Digital Sovereignty Standard · Standard development and conformity assessment structurally separated

Why EDSO works in procurement, audits and supervisory contexts

NIS2 · DORA · EUCS · AI Act
Regulatorily aligned

Domains and evidence are mapped to the central EU frameworks.

Auditable, not declarative
Audit by independent conformity assessment bodies

Standard development and conformity assessment are structurally separated. No self-labelling.

Public register
Verifiable for buyers

Certificates are machine-readable and can be verified via public key.

Procurement-ready
Usable as MEAT award criterion

Usable as an objective award criterion in European public procurement.

Three paths

What is your role?

EDSO addresses three groups with different entry paths. Select your role for the relevant next steps.

Providers

Cloud, SaaS and platform providers seeking to demonstrate digital sovereignty to buyers and supervisory authorities in an auditable way.

Certification for providers

Buyers

Public sector and regulated industries using EDSO as a reference framework in tenders and supplier assessments.

Use EDSO in procurement

Conformity assessment bodies

Auditors and advisory firms wishing to perform EDSO audits as a recognised conformity assessment body.

Assessor programme

Why now

Three forces are converging.

Regulation: NIS2, DORA and the EU AI Act require robust evidence across the IT supply chain.
Geopolitics: The US CLOUD Act and comparable regimes turn third-country dependencies into corporate risk.
Market: Buyers demand demonstrable European sovereignty — a unified standard has been missing.

Consequence: providers without auditable evidence are increasingly excluded from tenders — broad sovereignty claims no longer satisfy new regulatory and buyer-side requirements.

What EDSO actually assesses

Four domains. Four levels.

Every organisation receives a precise baseline across four domains and a defined development path across four levels (L0–L3).

Assessment domains

Maturity levels

L0

Opaque black box

No auditable transparency. Structurally unsuitable for sovereignty-critical workloads.

L1

Foundation of transparency

Ownership, architecture and supply chain documented and auditable. Use: non-critical workloads.

L2

Operational control

Key authority, access revocation, data location and exit path demonstrated. Use: NIS2/DORA-regulated functions.

L3

Structural sovereignty

Structural EU independence across the entire stack. Use: critical infrastructure and the highest protection objectives.

The certification path

Four steps. Clearly defined effort.

  1. Step 01

    Self-assessment

    Online questionnaire to establish a baseline. Provides a substantiated indication of the achievable maturity level.

    Duration: approx. 20 min.
    Cost: free of charge
  2. Step 02

    Application & scoping

    Definition of the audit scope together with an accredited conformity assessment body. Binding quotation.

    Duration: 1–2 weeks
    Cost: based on effort
  3. Step 03

    Audit & assessment

    Domain audit against the EDSO reference framework. Review of evidence, architecture and contracts.

    Duration: 8–16 weeks
    Cost: see fee schedule
  4. Step 04

    Certificate & listing

    Issuance of the machine-readable certificate and entry in the public EDSO register.

    Duration: ≤ 2 weeks
    Cost: annual fee

What clients gain

Concrete value — precise, auditable, usable.

  • Auditable evidence in EU procurement (MEAT-capable award criterion).
  • Reduction of regulatory audit burden through a recognised reference framework.
  • Listing in the public EDSO register — visibility for buyers.
  • Machine-readable certificate, cryptographically verifiable.
  • SBOM, HYOK and exit guidance as immediate by-products.
  • Clear development path from L0 to L3 — stages instead of blanket verdicts.

EDSO is

  • An assessment framework for digital dependencies
  • A transparency instrument for procurement
  • A governance instrument for the C-level

EDSO is not

  • A political signalling instrument
  • An IT security certification (e.g. ISO 27001)
  • A consulting framework

Pioneer Partner programme · limited to 10 companies

Help shape the standard before the market follows.

Pioneer Partners form the EDSO founding council, influence criteria and weightings and receive the L1 audit included. Founding conditions are fixed for three years.

Option A

EUR 4,950 net

one-off

Option B

12 × EUR 500 net

monthly

Benefits (identical for both options): L1 audit included (including annual fee on successful certification), seat on the founding council, “Pioneer Partner” title, co-design of criteria and roadmap.

Sponsorship & neutrality

Structurally separated: standard development, assessment, sponsorship.

EDSO is operated as a neutral, independent brand by Mission TOP 5 GmbH (Munich). Standard development (advisory council) and assessment (audits) are strictly separated from sponsorship and commercialisation. Initiators: Dan Bauer and Oliver Lucas.

Supported by: Prof. Dr. C. Stummeyer (THI), H. Heesen, St. Willkommer (tech-division), H. Meischner (FACT-Finder), St. Schultz (PAYBACK), C. Hagemeyer (Scale Commerce), B. Scheffer (Websale), R. Hünermann (Odoscope), U. Neumeier, A. Ertl, T. Endres and many more.

Frequently asked questions

What decision-makers want to know first.

How does EDSO differ from the European Sovereign Stack Standard (ES³)?
ES³ was issued by Schwarz Digits — a cloud provider that itself operates in the market being assessed. EDSO is designed as an independent organisation with a multi-stakeholder supervisory board from industry, civil society, academia and the public sector. In substance both refer to the EU Cloud Sovereignty Framework and use a four-stage maturity model with a minimum principle; EDSO assesses across four management-grade domains (D1–D4) instead of nine dimensions, publishes the full methodology openly and does not exclude any provider — including hyperscalers — by definition, but rather makes differences visible. ES³ is therefore a possible certification candidate under EDSO, just like SecNumCloud, BSI C5 or DigiD.
How does EDSO differ from ISO 27001, BSI C5 or EUCS?
ISO 27001, C5 and EUCS address IT security. EDSO addresses digital sovereignty — i.e. data authority, supply chain, legal jurisdiction and exit capability. The two are complementary.
How long does a certification take?
Self-assessment in around 20 minutes. From application to issued certificate typically 3–6 months, depending on maturity level and scoping.
Who performs the audit?
Accredited conformity assessment bodies that are structurally independent from the sponsoring organisation. Standard development and assessment are organisationally separated.
What happens if a maturity level is not reached?
You receive a detailed report with gaps and concrete remediation actions. Re-certification is possible without a full repeat of the audit effort.
What does a certification cost?
Self-assessment is free of charge. Audit costs depend on maturity level and scope; standardised annual fees are documented in the fee schedule.