Framework

Control Matrix

Twelve sovereignty dimensions, five maturity levels. Every cell opens into criteria, evidence, and regulatory mappings.

Dimensions Maturity Identity Keys Residency Processing Legal Audit Network Compute draft Supply Chain draft Exit draft Incidents draft Governance draft
L0 Unaware IAM-L0 No formal identity management; shared credentials and absent access controls expose the organisation to unquantified risk KEYS-L0 No encryption policy exists. Default provider-managed encryption may be active but is neither understood nor governed. Key custody, rotation, and lifecycle management are entirely unconsidered. RES-L0 No awareness of where data is physically stored, processed, or replicated. The organisation has no data residency policy and data may reside in any region at the provider's discretion. PROC-L0 No awareness of where or how data is processed; the provider operates without restrictions on processing location, method, or access LEGAL-L0 No legal review of cloud service agreements. Click-through Terms of Service accepted without scrutiny. No Data Processing Agreements in place. The organisation has no visibility into its contractual exposure. AUDIT-L0 No logging strategy exists. Default provider logs may be active but are neither reviewed nor governed. There is no retention policy, no audit trail, and no forensic capability. NET-L0 No awareness of network infrastructure dependencies; DNS, CDN, and connectivity are unmanaged or entirely delegated without oversight COMP-L0 No awareness of where or how compute workloads execute; runtime environments are unmanaged and undocumented SUPPLY-L0 No visibility into software dependencies or third-party components; no SBOM exists and supply chain risks are unquantified EXIT-L0 No exit plan exists; the organisation has not considered the possibility of migrating away from current providers IR-L0 No incident response plan exists; security incidents are discovered accidentally and handled ad-hoc with no defined process GOV-L0 No governance framework exists for digital sovereignty; compliance is reactive and ad-hoc with no organisational accountability
L1 Dependent IAM-L1 Identity is managed through a cloud provider's native IAM service with limited organisational control over the identity lifecycle and data residency KEYS-L1 Provider-managed encryption is acknowledged and documented. The organisation relies entirely on the cloud provider for key generation, storage, and rotation. Key material remains under provider custody with no customer-controlled options exercised. RES-L1 Data resides in provider-default regions with no residency guarantees. The organisation is aware that data location matters but relies entirely on the provider's infrastructure decisions, which typically favour US or multi-region deployments. PROC-L1 Provider controls the processing pipeline on shared multi-tenant infrastructure; the organisation has basic awareness but no technical isolation or enforceable processing constraints LEGAL-L1 Standard provider contracts accepted as-is. Basic DPAs signed using provider templates. No negotiation leverage exercised. US or foreign jurisdiction clauses accepted without challenge. AUDIT-L1 Logging is active through provider-managed services (CloudWatch, Azure Monitor, GCP Cloud Logging). The provider controls log format, storage location, retention defaults, and access mechanisms. Export options are limited or unused. NET-L1 Network infrastructure is fully managed by a single cloud or ISP provider with no organisational control over routing, DNS, or CDN configuration COMP-L1 All compute workloads run on a single SaaS or PaaS provider with no portability or fallback capability SUPPLY-L1 Basic dependency tracking exists but relies entirely on provider-managed tools with no independent verification or policy enforcement EXIT-L1 Basic data export capability exists but no structured exit plan; migration would require significant effort and extended downtime IR-L1 Incident response depends entirely on external providers; the organisation relies on its cloud or managed service provider to detect and respond to security events GOV-L1 Compliance is managed through provider-supplied certifications and attestations with no independent organisational governance of sovereignty
L2 Contractual IAM-L2 Identity management is backed by formal contractual obligations including DPAs, data-residency clauses, and federation standards, but the provider still controls the identity store KEYS-L2 BYOK options are contractually available and the DPA addresses key handling obligations. However, the provider retains technical access to key material through platform architecture. Contractual controls exist but technical sovereignty over keys is not yet achieved. RES-L2 Data residency is governed by contractual agreements. DPAs specify EU/EEA or Swiss storage, and SCCs with supplementary measures are in place. However, enforcement is contract-based rather than technically verified, and providers may process metadata or support data outside agreed regions. PROC-L2 Data processing agreements define scope, purpose limitation, and sub-processor governance, but technical processing controls remain with the provider LEGAL-L2 Negotiated DPAs and Standard Contractual Clauses in place. Legal review of sub-processors conducted. However, providers retain the right to unilateral ToS changes and liability caps remain limited. AUDIT-L2 Log retention and export requirements are formalised in DPAs and service contracts. Automated log export to organisation-controlled storage is operational. However, the provider still generates and initially processes all log data, retaining access to logs and metadata. NET-L2 Network infrastructure controls are defined through contracts and SLAs with providers, including DNS management rights, CDN configuration authority, and data-residency commitments for network metadata COMP-L2 Compute environments are governed by contracts specifying region selection, resource guarantees, and processing constraints SUPPLY-L2 Supply chain requirements are formalised through contracts with vendors and internal policies for dependency management EXIT-L2 Contracts include portability clauses, data export in open formats, and defined transition assistance from providers IR-L2 Incident response SLAs are contractually defined with providers, and the organisation has basic internal playbooks and notification procedures GOV-L2 A formal compliance programme exists with documented policies, regular assessments, and contractual compliance requirements for providers
L3 Controlled IAM-L3 The organisation operates a self-managed identity provider as the authoritative source, federating outward to cloud services while retaining technical control over authentication, directory data, and access policy enforcement KEYS-L3 Customer-managed keys are implemented with HSM-backed storage. Key material resides in EU/Swiss jurisdiction under customer control. The provider cannot access plaintext key material. Key rotation, revocation, and lifecycle management are fully under customer governance. RES-L3 Data residency is technically enforced through geo-fencing, region-locked replication, and active monitoring. The organisation operates within defined data sovereignty zones and conducts regular audits to verify that data does not leave approved jurisdictions. PROC-L3 Confidential computing, jurisdiction-restricted processing, technical isolation, and comprehensive audit logging provide verifiable control over data processing LEGAL-L3 Custom enterprise agreements with EU/Swiss governing law. Bilateral termination rights and data portability clauses enforced. Escrow arrangements protect against provider failure. CLOUD Act risk mitigated through contractual and structural measures. AUDIT-L3 The organisation operates a self-managed SIEM (e.g., Wazuh, ELK/OpenSearch) with logs stored in a sovereign jurisdiction. Tamper-proof log storage, real-time alerting, and provider log forwarding to the organisation's SIEM are operational. Independent forensic capability is established. NET-L3 The organisation self-manages critical network components including DNS, firewalls, and CDN edge nodes, with multi-provider redundancy and infrastructure-as-code governance COMP-L3 The organisation self-manages containerised workloads on Kubernetes or equivalent orchestration, with tested multi-provider deployment capability SUPPLY-L3 Full SBOM generation with automated vulnerability scanning, private package registries, and verified dependency provenance EXIT-L3 Tested migration plans exist for all critical providers with validated runbooks, rehearsed procedures, and confirmed alternative environments IR-L3 Self-managed security operations centre with independent detection, investigation, and containment capabilities across all environments GOV-L3 Integrated sovereignty governance with a cross-functional board, sovereignty-aware procurement, and continuous compliance monitoring across all dimensions
L4 Autonomous IAM-L4 Fully self-hosted identity infrastructure with zero external provider dependency; the organisation holds complete, exclusive control over all authentication, authorisation, and identity lifecycle operations KEYS-L4 Full cryptographic sovereignty is achieved through self-hosted HSM infrastructure and on-premises key management. Zero provider access to key material at any stage. The organisation controls the complete key lifecycle from root key generation through destruction, with no external dependencies. RES-L4 Complete control over data's physical location through self-hosted infrastructure or a sovereign cloud provider with no foreign-jurisdiction parent company. No cross-border transfers occur, and the organisation has full authority over hardware, facilities, and administrative access. PROC-L4 Self-hosted processing infrastructure with full hardware and software stack control, zero provider access during processing, and air-gapped options for the most sensitive workloads LEGAL-L4 Full contractual sovereignty achieved. Infrastructure is self-hosted or operated by sovereign cloud providers under exclusively local jurisdiction. No foreign law exposure. Open-source stacks eliminate vendor lock-in and the need for proprietary licensing agreements. AUDIT-L4 Fully self-hosted logging infrastructure on organisation-owned hardware. Cryptographically signed audit trails with independent timestamping. Air-gapped log archive for critical records. Complete forensic capability with no provider log dependency - all telemetry is generated by organisation-controlled agents. NET-L4 Fully sovereign network infrastructure with own AS number, IP space, BGP peering at European IXPs, self-hosted DNS (authoritative and recursive), and organisation-operated DDoS mitigation with no single external dependency COMP-L4 Fully sovereign compute infrastructure with organisation-owned or co-located hardware, confidential computing capabilities, and complete runtime independence SUPPLY-L4 Fully audited sovereign supply chain with source-level review of critical dependencies, maintained forks of essential components, and end-to-end provenance guarantees EXIT-L4 Fully portable infrastructure with provider-agnostic architecture; switching providers is a routine operational procedure with minimal disruption IR-L4 Fully sovereign incident response with advanced threat hunting, automated orchestration, threat intelligence sharing, and complete forensic independence GOV-L4 Industry-leading sovereignty governance with active contribution to standards bodies, public transparency, and continuous improvement across all dimensions

Scroll horizontally to see all dimensions

DSCM-IAM

Identity & Access
DSCM-KEYS

Cryptographic Keys
DSCM-RES

Data Residency
DSCM-PROC

Data Processing
DSCM-LEGAL

Legal & Contractual
DSCM-AUDIT

Logging & Audit
DSCM-NET

Network Infrastructure
DSCM-COMP draft

Compute & Runtime
DSCM-SUPPLY draft

Supply Chain
DSCM-EXIT draft

Exit Strategy
DSCM-IR draft

Incident Response
DSCM-GOV draft

Governance & Compliance