Domain · D1

Legal & organisational transparency

Who controls the provider legally — and which jurisdiction is it subject to?

1. Strategic relevance

Legal and organisational transparency is the first level of assessment because it predetermines all the others. Who controls the provider and which jurisdiction it is subject to determines which operational levers can be controlled by the customer at all — regardless of technical maturity.

Ownership, control relationships and extraterritorial legal reach determine whether a service remains controllable in a crisis. These questions are not primarily technical — they are legal-structural and decide the sustainability of any further security control.

D1 is therefore an indispensable prerequisite for any meaningful assessment of D2 to D4. Without documented ownership and jurisdictional structure, all further statements about data control, switchability or supply chain are speculative.

2. Core criteria

  • Ownership structure and ultimate beneficial owner

    An unbroken chain from the operating provider to the natural person or state owner. Silent participations, trustee constructions and multi-tier holdings must be disclosed.

  • Jurisdiction and extraterritorial obligations

    Legal seat, group affiliation and applicability of foreign laws (including the US CLOUD Act, FISA 702, Chinese cybersecurity law) must be named and their effect set out.

  • Sub-contractor chain

    Full chain of all sub-contractors with role, location and jurisdiction. Silent sub-processing relationships are not permitted.

  • Governance and escalation structure

    Decision paths within the provider including escalation into the parent group. Who decides in a crisis on data disclosure, service shutdown or contract breach?

  • Contractual data-access rules

    Contractually fixed rules on access by the provider, by sub-contractors and by state authorities — including notification duties and judicial contestability.

  • Control relationships within the parent group

    Voting rights, veto rights and group instruction rights, where these can override operational decisions of the provider.

3. Audit questions (excerpt)

  1. Who is the ultimate beneficial owner of the provider and its parent company?
  2. Which jurisdiction is the provider subject to — and which extraterritorial laws apply?
  3. Is a documented data-processing agreement, including location, on file for every sub-contractor?
  4. Which contractual escalation paths exist for authority data requests from third countries?
  5. Is there a written commitment to notify the customer of requests from non-European authorities before answering them?
  6. Which voting, veto or instruction rights does the parent company hold over the operating provider?
  7. Which internal rules exist for conflicts between EU law and third-country law?
  8. Which individuals in which jurisdiction are authorised to shut down or transfer the service?

4. Accepted evidence

  • Certified excerpts from commercial and transparency registers (provider and all relevant group levels)
  • Original contractual data-access and escalation provisions
  • Data-processing agreements with all sub-contractors
  • Written opinions on extraterritorial legal reach (e.g. CLOUD Act assessment)
  • Governance documentation, rules of procedure, group policies on data disclosure

5. Level thresholds in this domain

Level | Minimum requirement in D1
------+------------------------------------------------------------------------------------------------
L0    | Ownership, jurisdiction or sub-contractors are not or only incompletely documented.
L1    | Full documentation of ownership, jurisdiction and sub-contractor structure; independently auditable.
L2    | Full transparency; contractually secured data-access rules under EU law; notification and contestation rights for third-country requests.
L3    | Structural independence from non-European jurisdictions across the entire group and supply chain; no extraterritorial access rights.

6. Relation to existing standards

Standard       | What is covered                                              | Where EDSO goes further
---------------+--------------------------------------------------------------+-------------------------------------------------------
ISO/IEC 27001  | Annex A.5.19 supplier relationships — formally covered       | Ownership and jurisdiction analysis not required
SOC 2 Type II  | No substantive coverage                                      | EDSO complements in full
BSI C5         | Legal aspects rudimentarily addressed                        | Structural control-relationship analysis absent
TISAX          | Ownership in passing, jurisdiction barely                    | EDSO complements structurally

7. Typical audit findings

  • Sub-contractors in third countries without a documented data-processing agreement
  • Parent company with binding instruction rights that effectively override the EU seat of the operating provider
  • Contractual “best effort” clauses instead of a binding notification duty for third-country requests
  • Ownership chain terminating at a holding company without disclosed UBO

8. Cross-references