What EDSO is.
Definition, scope and position within the European regulatory framework.
1. The operational definition
Digital sovereignty is the ability of a state, an organisation or an actor to dispose of digital assets, processes and infrastructures in such a way that strategic decisions can be taken, changed or reversed at any time, without external interference.
This definition is deliberately operational. It dispenses with ideological terms and names the measurable criterion: controllability over time. From this definition, EDSO derives four independently auditable assessment domains.
2. What EDSO is — what EDSO is not
EDSO is
- A European assessment and certification standard for digital sovereignty
- A governance instrument for procurement, risk management and IT portfolios
- A complementary standard to NIS2, DORA, AI Act, EUCS, BSI C5, ISO 27001
- An independent institution with separate bodies for protection goals and assessment
EDSO is not
- Not a security standard
- Not an origin label
- Not consulting
- Not a protectionist instrument
3. Why origin is not enough
A provider based in the European Union is not automatically sovereign. Sovereignty is a structural property of the entire stack — of the software in use, of key ownership, of the supply chain and of the legal control structure. A European letterhead does not change that.
A provider based in Frankfurt that runs its platform entirely on a proprietary US stack, whose keys are managed by the parent company and whose source code is maintained in a non-European repository, is not a sovereign provider. It is a reseller. Legal, operational and technical levers of control lie outside the provider and outside the EU.
“Made in EU” is an origin label. Sovereignty is a property of controllability. The two notions are not the same. EDSO assesses only the second question.
The operational consequence is clear: a procurement decision based solely on the provider's seat is not sovereignty-tested. It is a decision about origin. EDSO supplies the missing structural assessment.
4. Why sovereignty must be measurable
Procurement. Public contracting authorities and operators of essential services need legally robust award criteria. The notion of the “most economically advantageous tender” (MEAT) allows sovereignty to be anchored as a qualitative award criterion — but only where that criterion is objectively verifiable. EDSO supplies precisely that verifiability.
Risk management. Sovereignty becomes a manageable variable in an IT portfolio only when it is measurable as a KPI. A portfolio with documented domain and overall levels allows comparison, consolidation and targeted re-architecture.
Strategy. Switchability is long-term bargaining power. A provider that cannot be replaced cannot be negotiated with. Sovereignty structurally creates the bargaining position that makes any strategic IT decision sustainable in the first place.
5. Position within the European regulatory framework
Existing European regulation addresses security (NIS2, BSI C5), operational resilience (DORA) and algorithmic risk (AI Act). These frameworks are useful within their sectoral and functional scope — but they do not measure structural controllability. Who retains control over keys, data location or migration paths in a crisis is a question these standards do not answer.
EDSO closes precisely this gap. EDSO does not compete with NIS2, DORA or the AI Act; it supplies the missing sovereignty dimension. Only the combination of security, resilience and sovereignty assessment yields a procurement-robust and regulatory-grade statement about a digital service.
