Domain · D4
Sustainability & supply-chain resilience
"How robust is the technical and geopolitical supply chain?"
1. Strategic relevance
Sustainability and supply-chain resilience extends the assessment beyond the provider to the entire ecosystem on which the service rests. Even a provider that is itself operated sovereignly is vulnerable if it relies on monopolised semiconductors, on open-source projects carried by individual maintainers, or on geographically concentrated data centres.
This domain addresses geopolitical choke points and silent dependencies — components that remain invisible in normal operation and can bring the service to a halt in a crisis.
D4 is the domain of strategic foresight. It demands robust diversification and realistic recovery assumptions.
2. Core criteria
- Full SBOM of the software in use
Components, versions, maintainers, countries of origin — continuously current.
- Hardware supply chain
Semiconductors, network and storage components with manufacturer, production location and alternative sources.
- Code-base dependencies
Identification of critical dependencies on individual repositories, registries or maintainers.
- Geopolitical choke points
Components with concentrated origin (semiconductor manufacturing, fibre routes, DNS resolvers) and fallback strategies.
- Diversification of critical components
At least two independent sources for every security- or availability-critical component.
- Source-code escrow
Deposit of critical components with a trusted third party for re-commissioning in a failure scenario.
- Availability of European alternatives
Documentation of which components have an EU alternative that is fully available, only partially available, or not available at all.
3. Audit questions (excerpt)
- Which supply-chain components are geographically or legally concentrated?
- Are there at least two independent sources for every critical component?
- Is the SBOM complete, current and machine-readable?
- Which open-source components depend on individual maintainers or a single code forge?
- Is there a documented recovery procedure in case of failure of a geopolitically critical component?
- Is there a source-code escrow agreement for security-critical components?
- Which EU alternatives could realistically substitute each component, and within what time frame?
4. Accepted evidence
- Current SBOM with maintainer and origin information
- Hardware bill of materials with production locations and alternative suppliers
- Risk assessment of geopolitical choke points
- Source-code escrow agreements with the depository
- Substitution plan for critical components
5. Level thresholds in this domain
| Level | Minimum requirement in D4 |
|---|---|
| L0 | Supply chain largely undocumented; no SBOM. |
| L1 | Full SBOM and hardware supply chain documented; choke points identified. |
| L2 | Diversified sources for critical components; documented substitution strategy. |
| L3 | Resilient to geopolitical choke points; viable EU alternatives for every critical component. |
6. Relation to existing standards
| Standard | What is covered | Where EDSO goes further |
|---|---|---|
| NIS2 | Supply-chain security required | Geopolitical concentration risks not systematically audited |
| Cyber Resilience Act (CRA) | Security requirements for components | Sovereignty aspects not addressed |
| Supply-chain due diligence laws | Human-rights and environmental due-diligence duties | Technical-sovereignty aspects of the supply chain not covered |
7. Typical audit findings
- SBOM only for in-house development, not for third-party components
- Dual sourcing for semiconductors, but in fact from the same foundry
- Critical open-source dependency on a single maintainer without a backup maintainer
- Source-code escrow without a documented recovery exercise
- EU alternatives named but functionally not equivalent
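Once the SBOM and the hardware bill of materials are machine-readable (core criteria in section 2), the completeness and diversification checks behind the audit questions and most of the findings listed above can be run mechanically rather than by reading spreadsheets. The checker below is an added example written for this page; it is not EDSO tooling and not code from the page. It assumes a simplified, constructed inventory format loosely modelled on a CycloneDX `components` array; the field names `maintainers`, `origin_country`, `registry`, `critical`, `sources`, `foundry` and `country` are assumptions of this example, not fields of any real SBOM standard. It reports incomplete SBOM entries, critical software carried by a single maintainer, all critical software hosted on one forge, single-sourced critical hardware, and "dual sourcing" that collapses onto one foundry or one country.

```python
"""Mechanical D4 supply-chain checks over a machine-readable inventory.

Added example, not EDSO tooling. The inventory format is constructed for
this example (loosely modelled on a CycloneDX components array); the
field names used below are assumptions, not standard SBOM fields.
"""
import json

# Constructed sample inventory: three software components and three
# hardware components, deliberately seeded with typical D4 findings.
SAMPLE_INVENTORY = json.dumps({
    "components": [
        {"name": "libfoo", "version": "1.4.2", "type": "library",
         "maintainers": ["alice"], "origin_country": "DE",
         "registry": "github.com", "critical": True},
        {"name": "tls-stack", "version": "3.0.1", "type": "library",
         "maintainers": ["bob", "carol"], "origin_country": "",
         "registry": "github.com", "critical": True},
        {"name": "cli-tool", "version": "0.9", "type": "application",
         "maintainers": ["dave"], "origin_country": "FR",
         "registry": "pypi.org", "critical": False},
        {"name": "edge-nic", "type": "hardware", "critical": True,
         "sources": [  # two vendors, but the same fab and country
             {"supplier": "VendorA", "foundry": "FoundryX", "country": "TW"},
             {"supplier": "VendorB", "foundry": "FoundryX", "country": "TW"}]},
        {"name": "nvme-ssd", "type": "hardware", "critical": True,
         "sources": [  # genuinely diversified
             {"supplier": "VendorC", "foundry": "FoundryY", "country": "KR"},
             {"supplier": "VendorD", "foundry": "FoundryZ", "country": "JP"}]},
        {"name": "fpga-accel", "type": "hardware", "critical": True,
         "sources": [
             {"supplier": "VendorE", "foundry": "FoundryX", "country": "TW"}]},
    ]
})

# Fields an SBOM entry must carry for it to count as "complete" under D4.
REQUIRED_SW_FIELDS = ("name", "version", "maintainers", "origin_country")


def _check_software(comp):
    """Findings for one software component (SBOM completeness, maintainers)."""
    out = []
    missing = [f for f in REQUIRED_SW_FIELDS if not comp.get(f)]
    if missing:
        out.append("SBOM incomplete: missing " + ", ".join(missing))
    if comp.get("critical") and len(comp.get("maintainers") or []) < 2:
        out.append("critical dependency on a single maintainer")
    return out


def _check_hardware(comp):
    """Findings for one hardware component (source count, real diversity)."""
    out = []
    sources = comp.get("sources") or []
    if len(sources) < 2:
        if comp.get("critical"):
            out.append("single source for critical hardware")
        return out
    # Two suppliers are only diversification if they do not share the
    # same fab or the same jurisdiction.
    foundries = {s.get("foundry") for s in sources}
    if len(foundries) == 1:
        out.append("dual sourcing collapses onto one foundry: " + next(iter(foundries)))
    countries = {s.get("country") for s in sources}
    if len(countries) == 1:
        out.append("all sources in one country: " + next(iter(countries)))
    return out


def check_inventory(inventory_json):
    """Return a list of (component_name, finding) tuples.

    Cross-component findings use "*" as the component name.
    """
    inv = json.loads(inventory_json)
    findings = []
    critical_forges = []
    for comp in inv.get("components", []):
        name = comp.get("name", "<unnamed>")
        if comp.get("type") == "hardware":
            findings.extend((name, f) for f in _check_hardware(comp))
            continue
        findings.extend((name, f) for f in _check_software(comp))
        if comp.get("critical") and comp.get("registry"):
            critical_forges.append(comp["registry"])
    # Single-forge concentration: every critical package pulled from one place.
    if len(critical_forges) >= 2 and len(set(critical_forges)) == 1:
        findings.append(("*", "all critical software components hosted on a single forge: "
                         + critical_forges[0]))
    return findings


if __name__ == "__main__":
    for component, finding in check_inventory(SAMPLE_INVENTORY):
        print(f"{component:12s} {finding}")
```

The hardware checks compare foundry and country rather than supplier name, which is exactly the distinction behind the "dual sourcing, but the same foundry" finding: a second distributor or board vendor is not a second source if the silicon comes off the same line. A real deployment would map the fields from the SBOM format actually in use and would treat missing origin data as a finding in its own right, as the checker does for `tls-stack` here.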
