Application Trust Hierarchy: A Practical Guide to Applying Sovereignty Where It Matters Most


Takeaways: applying digital sovereignty

  • Sovereignty is a board-level concern, shifting IT strategy toward economic security and independence.
  • The European Commission Cloud Sovereignty Framework defines levels of assurance, creating an Application Trust Hierarchy for your portfolio.
  • Digital independence requires classifying systems from Crown Jewels (full sovereignty) down to Regular Applications (jurisdictional compliance).
  • Open source enables sovereignty, but operational control and support must also reside within the European jurisdiction.

 

The shift in European IT decision-making

Europe is taking the lead in defining what digital sovereignty truly means. The recently released Cloud Sovereignty Framework marks a turning point; it doesn’t just describe principles but provides a structured way to measure and assure sovereignty across eight clear objectives. This new clarity is reshaping how enterprises plan and execute modernization. The focus is no longer purely on efficiency but on building a balanced understanding of how far sovereignty should extend across different types of applications.

At SUSE, we’ve witnessed this change firsthand. Over recent months, questions once left to IT departments have reached the boardroom. IT modernization has become a strategic topic, where sovereignty is one of the key filters for decision-making. Boards now ask who operates the infrastructure, where the data resides, and under which laws the company’s digital assets fall. 

Sovereignty has become a defining feature of how European enterprises shape their technology future.

 

The before and after pattern in enterprise buying behavior

For years, technology decisions in large enterprises were driven by individual business units. Small, specialized teams had autonomy to choose vendors and platforms that best served their immediate needs. Economic efficiency, speed, flexibility and cost optimization ruled the agenda.

That model no longer fits the new reality. Today, CIOs, CISOs and CTOs set centralized rules that guide the entire organization. Technology choices are now beginning to be assessed against sovereignty and security criteria. The conversation has moved from project-level convenience to portfolio-level strategy.

The driver behind this shift is not just technical but political and economic. Europe’s growing ambition for digital autonomy has made company leaders rethink dependency and control. Economic efficiency as the only driver is being joined by economic security as a key consideration. The guiding question is no longer “How do we optimize IT?” but “How do we protect our independence?”

Modernization patterns reflect this change. Instead of gradual adoption and incremental updates, organizations are engaging in large portfolio realignments, consolidating vendors, and influencing ecosystems with sovereignty as the guiding principle. The goal is to re-articulate company and national risk, ensuring that strategic systems are under European control and compliant with the region’s sovereignty standards.

If sovereignty is now a board-level concern, how can organizations decide the required level of sovereignty for any given application?

 

Introducing the Application Trust Hierarchy

Every enterprise depends on a diverse range of applications, but not all of them carry the same weight when it comes to sovereignty. Understanding these differences is key to making informed and balanced decisions. The EU Commission’s framework defines five “Sovereignty Effectiveness Assurance Levels” (SEAL) that capture this gradient:

 

1. The Crown Jewels

At the top are the Crown Jewels – the national or corporate core assets that are fundamental for an economy to function or a company to operate. These include public identity systems, defense infrastructures, or central financial and industrial control systems. Any disruption here would have national or systemic consequences. These applications often require Full Digital Sovereignty (SEAL-4, the highest level), where both operations and control are fully within European hands. See the framework for a detailed understanding.

Here, Strategic Sovereignty (SOV-1) and Legal & Jurisdictional Sovereignty (SOV-2) are non-negotiable, ensuring that ownership, governance and legal enforcement remain fully under EU control. Operational Sovereignty (SOV-4) and Supply Chain Sovereignty (SOV-5) also play a major role, guaranteeing that neither technical operations nor dependencies can be disrupted by external influence. 

For example, a national payment platform or an electricity grid management system must achieve SEAL-4, meaning complete operational and legal control within the EU to avoid systemic risk.

 

2. Mission Critical Applications

The next tier is Mission-Critical Systems – such as those running banking, logistics, healthcare or energy operations. These are the digital arteries of modern life. When they are down, entire sectors and sometimes economies feel the impact within hours. For these systems, Digital Resilience (SEAL-3) is the goal, ensuring European control over continuity and operational integrity, even if some components originate elsewhere.

These workloads rely heavily on Data & AI Sovereignty (SOV-3) to ensure that information remains verifiably within European jurisdiction, and on Operational Sovereignty (SOV-4) to secure service continuity in times of disruption. Security & Compliance Sovereignty (SOV-7) ensures these platforms meet EU frameworks like NIS2 and DORA.

For instance, a European bank processing real-time transactions or a national healthcare database managing patient records must operate at least at SEAL-3, providing digital resilience and auditable control even if some infrastructure components are global.

 

3. Business-Critical Applications

A level below are Business-Critical Applications – essential for the stability and competitiveness of a single company. Think of ERP systems, customer data platforms or supply-chain software. The data is crucial to the internal and compliance needs of the organization, and obligations need to be legally and contractually enforceable. Here, Data Sovereignty (SEAL-2) provides an effective balance between autonomy and efficiency.

The relevant sovereignty objectives are Supply Chain Sovereignty (SOV-5), ensuring visibility into where software is built and maintained, and Technology Sovereignty (SOV-6), promoting open standards and interoperability to prevent vendor lock-in. Environmental Sustainability (SOV-8) is also relevant here, as enterprises increasingly include sustainability in their procurement policies. 

For a manufacturer running production scheduling software, SEAL-2 offers the right balance, providing data sovereignty and supply chain transparency while maintaining flexibility and cost efficiency.

 

4. Regular Applications

Finally, there are Regular Applications – common SaaS tools or internal utilities that support day-to-day productivity. These systems hold limited or no sensitive data and can tolerate temporary outages without major disruption. For these, Jurisdictional Sovereignty (SEAL-1) usually suffices, as compliance and general governance outweigh the need for full operational control.

The tier of “No Sovereignty” (SEAL-0), while technically part of the framework, must be considered a red flag for any business application or service, even for development and experimentation: such workloads pose considerable compliance and operational risks.

 

Applying the hierarchy

This hierarchy helps organizations map their entire IT landscape against the EU Commission’s framework. Rather than forcing black-and-white choices, the model enables organizations to build a nuanced strategy: deciding which applications deserve higher assurance and which can rely on global services. It turns sovereignty from an abstract concept into a structured, evidence-based design principle that companies can apply in practice.

As enterprises start defining which systems must remain under European control, one question naturally follows: what kind of technology foundation can make this sovereignty real in practice?

 

Open source and the path to European technological sovereignty

Open source plays a central role in Europe’s journey toward digital sovereignty. It provides the foundation for transparency, auditability and control, three qualities that no proprietary model can fully guarantee. Open source allows organizations to inspect, adapt and verify the technologies they depend on, ensuring that sovereignty does not remain an aspiration but becomes a practical, verifiable reality.

Yet, while open source software by its nature supports Technology Sovereignty (SOV-6) more than proprietary software does, true independence also relies on where and how that software is supported. Many enterprises assume that by adopting open source, they automatically gain sovereignty. But if their future development, operational support, maintenance or critical updates rely on non-EU entities, the dependency remains. This is where Operational Sovereignty (SOV-4) and Supply Chain Sovereignty (SOV-5) intersect with the open source conversation.

To achieve real sovereignty, companies need to look beyond code ownership to the entire lifecycle of support and operations. A truly sovereign setup means that the people, expertise, and infrastructure delivering support are also within the same geographical and legal jurisdiction. This ensures that security incidents, patching processes, or compliance obligations remain under EU law and oversight.

Organizations across Europe are now reassessing not only which technologies they use, but also how those technologies are maintained. Open source enables sovereignty, but sovereign support delivered by providers and experts within the same jurisdiction makes it sustainable. The combination of open technology and sovereign operations forms the backbone of a resilient, independent digital ecosystem.

In this light, digital sovereignty is not simply about restricting dependencies; it is about strengthening autonomy through open, verifiable and regionally supported solutions. Europe’s success will depend on how well organizations ensure that the freedoms open source provides are matched by the trust and continuity that sovereign suppliers deliver.

Learn more about SUSE’s approach to digital sovereignty and reach out to our team to discuss how we can help with practical applications of sovereignty principles.

 

Frequently asked questions: applying digital sovereignty

What is the EU Cloud Sovereignty Framework?

The EU Cloud Sovereignty Framework is a new mechanism defined by the European Commission that provides a structured, measurable way to assess a cloud service’s level of European control. It helps enterprises and public bodies determine how far a service is exposed to non-EU laws and if its operations and supply chain are truly resilient.

 

What are the four Sovereignty Effectiveness Assurance Levels (SEAL)?

The Sovereignty Effectiveness Assurance Levels (SEALs) are a five-point scale (SEAL-0 to SEAL-4) used to classify the required degree of sovereignty for any given application workload. They align with the Application Trust Hierarchy described in this post:

  • SEAL-1 (Jurisdictional Sovereignty): For regular applications where compliance with EU law is the primary concern.
  • SEAL-2 (Data Sovereignty): For business-critical applications requiring clear control over data location and processing.
  • SEAL-3 (Digital Resilience): For mission-critical systems requiring robust European operational continuity and independence.
  • SEAL-4 (Full Digital Sovereignty): For national or corporate Crown Jewels where both technology and operations must be fully under EU control.

 

How does open source help achieve digital sovereignty?

Open source helps meet Technology Sovereignty (SOV-6) requirements by providing transparency, auditability, and choice. However, true digital independence (like SEAL-4) still requires the operational support, maintenance and expertise surrounding that open source technology to be located within and governed by European jurisdictions.

 

Andreas Prins SUSE