Digital Sovereignty in Practice: New Benchmarks for Businesses
Update Data Protection No. 246
Ensuring digital sovereignty is becoming increasingly important for companies amid growing digitalization and geopolitical tensions. The use of cloud services, AI applications, and globally distributed IT infrastructures is leading to growing dependencies on individual providers as well as on non-European legal systems. At the same time, the regulatory framework at the European level is becoming more stringent, particularly through requirements regarding IT security, data processing, and resilience. Against this backdrop, the question comes into focus as to what extent companies can actually retain control over their data, systems, and technological dependencies and structure them in a legally compliant manner.
I. Background: Digital Sovereignty from a Corporate Perspective
From a corporate perspective, digital sovereignty describes the ability to operate and control digital infrastructures, data, and applications independently, securely, and in accordance with the applicable legal framework. At its core, the goal is to limit dependencies on individual providers, non-European legal systems, and opaque technology stacks, while maintaining actual control and access sovereignty.
The topic is particularly relevant for companies with extensive cloud usage, international data processing, or AI-supported business models, as well as for operators of critical infrastructure and companies in highly regulated industries (such as the financial sector, healthcare, or energy). Export-oriented companies and corporations with global IT structures are also increasingly confronted with requirements arising from differing legal systems and access regimes, such as the tension between European data protection law and non-European access powers.
The current situation is characterized by increasing regulatory complexity coupled with ongoing legal uncertainties (as we reported in Data Protection Update No. 237). Instruments such as the EU-US Data Privacy Framework, standard contractual clauses, or sector-specific security requirements address individual aspects but do not offer a definitive solution to the question of comprehensive digital sovereignty. Companies therefore face the challenge of translating fragmented requirements into a consistent governance and risk management framework, even though uniform assessment criteria have not yet been established for this purpose.
II. European Standards: Cloud Sovereignty Framework
At the European level, the European Commission has developed the Cloud Sovereignty Framework, a structured reference framework for assessing digital sovereignty in the cloud context. The goal is to supplement existing security requirements with specific sovereignty criteria, thereby providing, for the first time, a systematic assessment model for cloud services. The framework builds on existing initiatives and regulatory regimes such as NIS-2, DORA, and Gaia-X, integrating them into a unified assessment model.
At the core of the approach are eight dimensions of sovereignty that address different levels of corporate control, including, in particular, legal and jurisdictional integration, data and AI sovereignty, operational independence, as well as supply chain and technology sovereignty. As the overview on page 3 of the framework shows, this is based on a comprehensive understanding of sovereignty that goes well beyond classic data protection and security aspects and, in particular, also takes dependencies in the value chain into account.
Methodologically, the framework combines minimum requirements with a differentiated evaluation system: so-called “Sovereignty Effectiveness Assurance Levels” (SEAL) define minimum standards that a cloud provider must meet to be considered at all. In addition, a “Sovereignty Score” is calculated, which enables a comparative ranking of different providers and serves as an award criterion, particularly in procurement processes.
Even though the Cloud Sovereignty Framework does not yet constitute a directly binding legal framework, there are already signs that it will gain significance as a de facto standard for public procurement and, in the future, for regulated industries as well. For companies, this creates a benchmark against which their own cloud and IT strategies must increasingly be measured.
This is also evident in the European Commission’s current procurement practices. As part of a large-scale procurement process (up to 180 million euros over six years), several European providers – including StackIT, Scaleway, OVHcloud consortia, and Proximus with partners – were selected to provide sovereign cloud services. The selection was based on the Cloud Sovereignty Framework and was deliberately aimed at diversification and limiting non-European influence.
III. Additional Assessment Approaches for Digital Sovereignty
In addition to the Cloud Sovereignty Framework, other models are currently emerging that seek to make digital sovereignty measurable and comparable. These approaches share the common goal of translating a concept that has thus far been heavily politicized into concrete, verifiable criteria, but differ in methodology, scope, and level of detail.
1. ES³ Model by Schwarz Digits
In mid-April 2026, Schwarz Digits introduced the “European Sovereign Stack Standard” (ES³), a practice-oriented maturity model for assessing the digital sovereignty of IT services. The starting point is the observation that, to date, there has been a lack of uniform and actionable criteria to reliably assess sovereignty in a corporate context and make providers comparable.
The model is based on a multi-level maturity approach (“Sovereignty Maturity Levels”), which classifies IT services into four levels – ranging from basic requirements (“Basic”) to fully sovereign, future-proof solutions (“Future-Proof”). The assessment is based on a comprehensive catalog of criteria with over 100 individual requirements that reflect various dimensions of digital sovereignty.
In terms of content, the ES³ model is closely aligned with the European Cloud Sovereignty Framework, but expands upon it with additional distinctions and greater operationalization. Of particular note is the independent consideration of artificial intelligence as a separate dimension of sovereignty, whereas in the European model it is classified merely as part of data sovereignty.
The value of the ES³ model lies primarily in its practical applicability: In the future, cloud and IT services – for example, within the StackIT Cloud environment – are to be classified using the model to provide companies with a robust basis for procurement decisions. As a result, the model is evolving into a potential market standard that goes beyond purely regulatory requirements and could gain particular significance for vendor evaluation in the private sector.
Nevertheless, it must be noted that this is a business-driven initiative whose acceptance will depend largely on the extent to which the model establishes itself as a cross-industry reference framework and can be reconciled with existing regulatory requirements.
2. Criteria Catalog of the Center for Digital Sovereignty (ZenDiS)
The Center for Digital Sovereignty in Public Administration (ZenDiS) takes a more organization-focused approach with its set of criteria, which evaluates digital sovereignty not only at the level of individual services but also holistically at the organizational and IT levels. The starting point is strategic goals such as the ability to switch providers, flexibility in design, and influence over providers, which are translated into concrete evaluation criteria and assigned to four categories: organization, applications, data, and operations.
This approach makes it clear that digital sovereignty depends significantly on governance, procurement, and technical flexibility and cannot be reduced to individual technologies. This is supplemented by a risk-based application of the criteria, which is guided by factors such as data criticality and dependencies, thereby enabling a flexible assessment.
IV. Recommendations for Action for Companies
Against this backdrop, companies should not view digital sovereignty merely as an abstract guiding principle, but rather translate it into concrete measures and systematically integrate it into their IT, procurement, and compliance processes. The following starting points are particularly relevant:
- Carefully review cloud and IT contracts for access provisions and jurisdiction: Contracts with cloud and SaaS providers should be systematically reviewed to determine whether non-European access provisions exist (e.g., based on the U.S. CLOUD Act). In particular, it must be clarified where data is processed, who has access, and which technical and contractual safeguards (e.g., encryption, customer-managed keys, audit rights) are actually in place.
- Practically secure exit strategies and provider changes: Companies should not merely rely on “portability” in the abstract, but rather define and test concrete exit scenarios. This includes standardized data formats, documented migration processes, and contractually guaranteed support services from the provider in the event of a switch or a return to in-house operations.
- Make dependencies along the IT and supply chain transparent: It is advisable to conduct a structured analysis of one’s own IT landscape to systematically identify dependencies on individual providers, proprietary technologies, or non-European supply chains. In addition to software, this includes underlying infrastructure, support services, and third-party components in use.
- Integrate sovereignty criteria into procurement and governance processes: When selecting new IT and cloud solutions, criteria such as data location, provider structure, openness of interfaces, or exit capability should be mandatorily integrated into tenders and decision-making processes. In addition, it is recommended to embed corresponding requirements in internal guidelines and to assign clear responsibilities within the IT and compliance departments.
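As an added illustration of how the four recommendations above can be turned into a repeatable, inventory-driven check, the following Python script runs a minimum-requirement gate, a weighted score, and a provider-concentration check over a constructed service inventory. It is not part of this article or of any of the frameworks it cites; the two-stage structure (a gate that disqualifies a service, then a score that ranks the remaining ones) mirrors the SEAL plus Sovereignty Score approach described in Section II, while the specific checks, weights, threshold, the EU/EEA country list and the inventory entries are assumptions made for this example only.

```python
"""Sovereignty dependency review over a constructed service inventory.

Added example, not the article's or any framework's code. Criteria names follow
the article (data location, jurisdiction, customer-managed keys, audit rights,
documented exit, open interfaces); weights, gate rules and the inventory are
assumptions for illustration.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass

# Assumption: EU/EEA member states count as in-scope jurisdictions. A real review
# would take this list from the organisation's own legal assessment.
EU_EEA = {
    "AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR", "HU",
    "IE", "IT", "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK", "SI", "ES",
    "SE", "IS", "LI", "NO",
}


@dataclass(frozen=True)
class Service:
    name: str
    provider: str
    provider_jurisdiction: str   # ISO code of the entity that can be compelled to grant access
    data_location: str           # ISO code of the country where data is processed
    encryption_at_rest: bool
    customer_managed_keys: bool  # keys held outside the provider's control
    audit_rights: bool           # contractual right to audit the provider
    documented_exit: bool        # tested migration process and standard export format
    open_interfaces: bool        # non-proprietary APIs / data formats
    data_criticality: str        # "low" | "medium" | "high"


def minimum_requirements(s: Service) -> list[str]:
    """Gate step: gaps that disqualify a service before any scoring (assumed rules)."""
    gaps = []
    if not s.encryption_at_rest:
        gaps.append("no encryption at rest")
    if not s.audit_rights:
        gaps.append("no contractual audit rights")
    if s.data_criticality == "high" and not s.customer_managed_keys:
        gaps.append("high-criticality data without customer-managed keys")
    if s.data_criticality == "high" and s.provider_jurisdiction not in EU_EEA:
        gaps.append("high-criticality data under non-EU/EEA access regime")
    return gaps


def sovereignty_score(s: Service) -> int:
    """Ranking step: weighted score out of 12 (weights are assumptions)."""
    return (
        3 * (s.data_location in EU_EEA)
        + 3 * (s.provider_jurisdiction in EU_EEA)
        + 2 * s.customer_managed_keys
        + 2 * s.documented_exit
        + 1 * s.audit_rights
        + 1 * s.open_interfaces
    )


def provider_concentration(services: list[Service], threshold: float) -> list[tuple[str, float]]:
    """Providers whose share of the inventory exceeds the threshold (single-provider dependency)."""
    counts = Counter(s.provider for s in services)
    total = len(services)
    return sorted((p, n / total) for p, n in counts.items() if n / total > threshold)


def review(services: list[Service], concentration_threshold: float = 0.4) -> dict:
    """Full review: blocked services with their gaps, ranking of the rest, concentration findings."""
    blocked = {s.name: g for s in services if (g := minimum_requirements(s))}
    eligible = [s for s in services if s.name not in blocked]
    ranking = [s.name for s in sorted(eligible, key=lambda x: (-sovereignty_score(x), x.name))]
    return {
        "blocked": blocked,
        "ranking": ranking,
        "concentration": provider_concentration(services, concentration_threshold),
    }


# Constructed inventory; providers and attributes are invented for this example.
INVENTORY = [
    Service("crm", "VendorA", "US", "DE", True, False, False, False, True, "high"),
    Service("erp", "VendorA", "US", "US", True, True, True, True, False, "high"),
    Service("hr-payroll", "VendorB", "DE", "DE", True, True, True, True, True, "high"),
    Service("wiki", "VendorC", "FR", "FR", True, False, True, True, True, "low"),
]

if __name__ == "__main__":
    result = review(INVENTORY)
    for name, gaps in result["blocked"].items():
        print(f"BLOCKED {name}: {'; '.join(gaps)}")
    for name in result["ranking"]:
        print(f"RANKED  {name}: score {sovereignty_score(next(s for s in INVENTORY if s.name == name))}/12")
    for provider, share in result["concentration"]:
        print(f"CONCENTRATION {provider}: {share:.0%} of inventory")
```

The gate deliberately runs before the score: a service with high-criticality data and no customer-managed keys is excluded outright rather than being allowed to compensate with a good data location, which is the same logic as a minimum assurance level preceding a comparative ranking. The concentration check is what makes the "make dependencies transparent" recommendation actionable: it surfaces a single provider carrying a large share of the landscape even when each of its services individually looks acceptable.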
V. Outlook and Conclusion
Digital sovereignty is increasingly evolving from a political guiding principle into a concrete benchmark for IT strategies, procurement decisions, and compliance structures. With initiatives at the European and national levels, as well as market-based evaluation models, the first outlines of uniform standards are emerging, even if final harmonization has yet to be achieved. Companies are therefore advised to integrate relevant requirements into their governance and IT structures at an early stage to minimize regulatory risks and secure strategic flexibility.
Against this backdrop, the topic will also be the focus of our event “Digital Sovereignty – How Companies Strategically Use Data, Artificial Intelligence, and the Cloud” in Hamburg on April 21, 2026, where legal, technical, and strategic perspectives will be examined from a practical standpoint.
This article was created in collaboration with our student employee Emily Bernklau.