Standard · Levels
Four levels. A hierarchy of trust.
From the opaque black box to structural sovereignty — a graduated scale with clear minimum requirements per domain.
L0 — Opaque black box§
No verifiable transparency. Structurally unsuitable for sovereignty-critical workloads.
L0 means that none of the assessment domains reaches the transparency required for sovereignty. Ownership, jurisdiction, sub-contractors and technical architecture are neither documented nor independently auditable. Operational levers lie beyond the customer's reach — intervention is not possible in a crisis.
Typical profile: non-certified mass-market services, dark SaaS, shadow IT, tools with unclear provider structure. Certified services can also fall into L0 if they document security but not sovereignty.
Use cases: none. L0 is explicitly a finding, not a recommended level — it signals the presence of a structural sovereignty risk.
| Domain | Minimum requirement |
|---|---|
| D1 | Ownership or jurisdiction undocumented. |
| D2 | Access paths and key roles not transparent. |
| D3 | Closed stack, no documented exit paths. |
| D4 | Supply chain largely unknown. |
L1 — Transparency foundation§
Structurally intelligible, but still without operational levers on the customer side.
L1 marks the foundation of the sovereignty assessment. Ownership, jurisdiction, sub-contractors, architecture and supply chain are fully documented and independently auditable. The customer can understand what is being used — but cannot yet intervene operationally or control core levers themselves.
Typical profile: certified hyperscaler services with high technical maturity but without structural EU control; established SaaS providers with extensive documentation; mature European services in the build-out phase of their sovereignty functions.
Use cases: non-critical workloads, marketing, general office applications, collaboration for non-sensitive content.
| Domain | Minimum requirement |
|---|---|
| D1 | Ownership, jurisdiction, sub-contractors fully documented. |
| D2 | Access paths and key roles fully described, log inspection possible. |
| D3 | APIs and export paths documented, data export in open formats. |
| D4 | Full SBOM and hardware supply chain; choke points identified. |
L2 — Operational control§
The customer controls core operational levers themselves — keys, access, data location, exit.
L2 requires demonstrable operational control. Key sovereignty (e.g. HYOK), customer-side access revocation, enforceable data location and a documented exit path with proven migration capability are the minimum requirements. The customer can act strategically — not merely document.
Typical profile: sovereign EU services with a clear architecture, European providers with an open-source stack, regulated public-cloud offerings with genuine external key management and a documented migration reference.
Use cases: NIS2- and DORA-regulated functions, electronic health records, sector-critical workloads, public-sector standard applications.
| Domain | Minimum requirement |
|---|---|
| D1 | Contractually secured data-access rules under EU law; notification rights. |
| D2 | Key sovereignty (HYOK or equivalent); access revocation and data location enforceable. |
| D3 | Proven exit at acceptable cost and within acceptable timeframes; full SBOM. |
| D4 | Diversified sources for critical components; substitution strategy. |
L3 — Structural sovereignty§
Structural independence from individual providers and non-European jurisdictions.
L3 marks structural sovereignty. The service can be switched without loss of control or continuity; the technical and legal supply chain is diversified and EU-resilient. Sovereignty is no longer a property of the provider alone, but a property of the whole stack and its alternatives.
Typical profile: multi-cloud architectures fully based on open source, specialised KRITIS-grade providers with their own stack, state-backed digital infrastructures with documented diversification.
Use cases: critical infrastructure, security-relevant public administration, defence-adjacent applications, highest sovereignty protection goals.
| Domain | Minimum requirement |
|---|---|
| D1 | No extraterritorial access rights; structural EU independence. |
| D2 | Provider access to content data technically excluded; external notarisation. |
| D3 | Predominantly open source; reproducible migration to at least two competing targets. |
| D4 | Viable EU alternatives for every critical component. |
Which level for which use case?§
The following recommended minimum levels are indicative — the binding determination is made sector-specifically via protection goals and minimum levels per domain (see Aggregation principle).
| Use case | Recommended minimum level |
|---|---|
| Marketing CRM, newsletters, analytics-free external reach | L1 |
| General office and collaboration environments without special-category personal data | L1 |
| HR records, general HR systems | L2 |
| Financial accounting, ERP | L2 |
| NIS2-regulated services (energy, health, transport) | L2 (D2 ≥ L2) |
| DORA-regulated core functions in the financial sector | L2 (D3 ≥ L2) |
| Electronic health records (EHR) and hosting | L2 (D2 ≥ L3) |
| Authorities handling classified material (VS-NfD level) | L3 |
| Critical-infrastructure control systems | L3 |
| Security-relevant administration, defence-adjacent applications | L3 across all domains |