How Europe’s Digital Sovereignty Frameworks Are Converging


This five-part series from SUSE’s Sovereign Solutions Team, published ahead of the upcoming EU Tech Sovereignty Package, equips IT leaders, procurement professionals, and policymakers with the practical blueprints and frameworks needed to turn digital sovereignty into actionable, long-term resilience. Stay tuned this week to read the entire series!

  • Post 2: How Europe’s Digital Sovereignty Frameworks Are Converging

 

The convergence of digital sovereignty frameworks

There is a line that circulates reliably at digital sovereignty conferences: that there are as many definitions of sovereignty as there are people attempting to define it. The observation was accurate for a time. It is becoming less so.

Over the past year, a meaningful convergence has been taking place across the principal European frameworks for assessing digital sovereignty. While these tools originate from different institutions and serve distinct purposes, they now reflect a consistent architecture of concerns.

Key frameworks driving this convergence include:

Understanding this convergence matters for anyone engaged in shaping or responding to the Cloud and AI Development Act. CAIDA does not need to construct a sovereignty standard from nothing. 

The foundational analytical work has largely been done. The legislative task is to codify what the frameworks are already converging on.

 

Two kinds of criteria

Before examining where the convergence lies, it is worth naming a structural distinction that runs through all of these frameworks, sometimes explicitly and sometimes not.

Organisational criteria in digital sovereignty frameworks

The first kind of criterion is organisational. These ask how sovereign the organisation using the technology is. Does it have visibility into its dependencies? Does it retain genuine decision-making authority over its own infrastructure? Does it have a realistic exit strategy if a provider relationship breaks down? 

The ZenDiS Sovereignty Check is a useful example: as a government entity that itself delivers IT solutions, ZenDiS is asking how organisations like it should assess and demonstrate their own posture, not simply which products to procure. Enterprises should find a practical guide to navigating these organisational assessments to ensure they aren’t just checking boxes, but building real autonomy.

Product and service criteria in digital sovereignty frameworks

The second kind is product and service criteria. These ask whether a given product or service increases or decreases an organisation’s sovereignty. The CISPE framework certifies individual cloud services against a defined set of controls. Notably, it assesses services rather than vendors: a provider can offer both sovereign and non-sovereign services, and even services that are open source but not sovereign; only the individual service receives certification.

The Commission’s Cloud Sovereignty Framework takes a similarly granular approach, defining eight Sovereignty Objectives and five Sovereignty Effectiveness Assurance Levels against which cloud services can be assessed in procurement contexts.

Why we need both

Both kinds of criteria are necessary to move forward on sovereignty. Both buyers’ postures and vendors’ services should be evaluated in order to make more informed buying decisions going forward. And both sides should be held accountable when it comes to sovereignty claims. 

An organisation can score well on its own sovereignty assessment and still systematically undermine that position by procuring products that create dependencies it cannot audit or exit. Conversely, a market full of well-certified sovereign products is of limited value to organisations with no coherent strategies for using them. Genuine digital sovereignty requires both lenses applied together.

 

Where the frameworks agree

Across both types of framework, a consistent cluster of concerns recurs: data residency and legal jurisdiction, portability and the practical ability to exit, transparency over supply chains and dependencies, and resilience against extraterritorial legal overreach.

Running through all of them, as a structural prerequisite rather than an optional feature, is the question of open standards and open source software. In the ZenDiS criteria and the BSI’s C3A framework, open source appears not as a desirable characteristic but as a foundational condition, because proprietary systems, even when operated on European soil, introduce a dependency layer that the operator cannot audit, fork or replace without vendor cooperation. SUSE’s own research finds that 94% of IT leaders regard open source as very or extremely important to resilience. That figure is consistent with the logic these frameworks are independently encoding.

The Commission has indicated that it is finalising an updated version of its Cloud Sovereignty Framework to include specific criteria for performing sovereignty assessments more broadly, intended to support other entities wishing to reuse the approach. That positions the Commission’s framework as a reusable public good rather than simply an internal procurement tool, and it points toward the right direction of travel.

 

What remains contested

One area where genuine divergence persists is the origin question: to what extent does the location of a provider determine sovereignty outcomes? Legal exposure is real. If a provider is subject to laws that require it to hand over data or system access on demand, that risk is meaningful regardless of where its servers are physically located. If that’s not the case, then the adoption of open source and forward-looking architectural choices can substantially offset jurisdictional risks.

Building a future-proof digital sovereignty strategy requires acknowledging these risks while focusing on the technical ability to break free from influences that could compromise data integrity. The emerging European consensus treats origin as a meaningful input to a sovereignty assessment rather than a substitute for one, and that framing is correct.

 

What this means for the EU Tech Sovereignty Package

The convergence across these frameworks represents a significant opportunity. Rather than relitigating the definition of sovereignty in legislative negotiations, the EU Cloud and AI Development Act and the EU Open Source Strategy can build on an analytical foundation that Europe’s policy and standards community has already substantially constructed. 

The frameworks agree on what sovereign architecture requires. The question is whether the legislation will make those requirements the legal standard, or leave them as reference material that procurement decisions can quietly set aside.

 

From regulation to reality

Understanding the legal frameworks is essential, but compliance is impossible without the right technical foundation. In the next post, we look at why the strongest hand in Europe’s deck isn’t a new law; it’s the technology we already own.

Andreas Prins SUSE
Andreas Prins leads the global initiative on digital sovereignty at SUSE, helping organizations make conscious decisions about where their data lives and who controls it. He works with IT executives across Europe, the US, the Middle East, and Africa to navigate the practical challenges of resilience, autonomy, and vendor dependencies. Before joining SUSE, Andreas spent over two decades building and leading technology teams, reinventing his career roughly every seven years because he's drawn to creation more than maintenance. He's worked across financial services, telecommunications, and enterprise software, always in roles that let him master something new, then teach it to others.