EDSO · European standard · certification across six assessment domains and four maturity levels

Prove digital sovereignty. Auditable. European.

EDSO is the European standard for digital sovereignty — with auditable certification across six assessment domains (D1–D6) and four maturity levels (L1–L4). The six domains form a provider's sovereignty profile. The four levels define the depth of the assessment and the strength of the evidence required.

European Digital Sovereignty Standard · Standard development and conformity assessment structurally separated

Why EDSO works in procurement, audits and supervisory contexts

NIS2 · DORA · EUCS · AI Act
Regulatorily aligned

Domains and evidence are mapped to the central EU frameworks.

Auditable, not declarative
Audit by independent conformity assessment bodies

Standard development and conformity assessment are structurally separated. No self-labelling.

Public register
Verifiable for buyers

Certificates are machine-readable and can be verified via public key.

Procurement-ready
Usable as MEAT award criterion

Usable as an objective award criterion in European public procurement.

Three paths

What is your role?

EDSO addresses three groups with different entry paths. Select your role for the relevant next steps.

Providers

Cloud, SaaS and platform providers seeking to demonstrate digital sovereignty to buyers and supervisory authorities in an auditable way.

Certification for providers

Buyers

Public sector and regulated industries using EDSO as a reference framework in tenders and supplier assessments.

Use EDSO in procurement

Conformity assessment bodies

Auditors and advisory firms wishing to perform EDSO audits as a recognised conformity assessment body.

Assessor programme

Why now

Three forces are converging.

Regulation
NIS2, DORA and the EU AI Act require robust evidence across the IT supply chain.
Geopolitics
The US CLOUD Act and comparable regimes turn third-country dependencies into corporate risk.
Market
Buyers demand demonstrable European sovereignty — a unified standard has been missing.

Consequence: providers without auditable evidence are increasingly excluded from tenders — broad sovereignty claims no longer satisfy new regulatory and buyer-side requirements.

What EDSO actually assesses

Six assessment domains. Four certification tiers.

The assessment domains define what is assessed — together they form the sovereignty profile of a provider. The maturity levels define how deep and how binding the assessment is, and thus the strength of the resulting evidence.

Six assessment domains (D1–D6)

Four maturity levels (L1–L4)

L1

EU-aligned

Structured self-assessment. EU legal seat, minimum transparency, disclosure of material sub-processors. Use: sensitive standard projects.

L2

EU-sovereign

External baseline audit by an accredited assessment body. EU governance, contractually guaranteed EU data residency, full dependency matrix. Use: regulated buyers.

L3

Critical Sovereignty

In-depth external audit. Key authority, demonstrable exit strategy, audited supply chain. Use: critical infrastructure, NIS2/DORA-regulated functions.

L4

Strategic Sovereignty

Full certification. Board-level risk management, tested exit scenarios, EU-resilient supply chain. Use: highest protection objectives, critical infrastructure control, security-related administration.

The certification path

Four steps. Clearly defined effort.

  1. Step 01

    Self-assessment

    Structured online questionnaire as the audit mode of certification level L1 (EU-aligned).

    Duration
    approx. 20 min.
    Cost
    EUR 500/month
  2. Step 02

    Application & scoping

    Definition of the audit scope together with an accredited conformity assessment body. Binding quotation.

    Duration
    1–2 weeks
    Cost
    based on effort
  3. Step 03

    Audit & assessment

    Domain audit against the EDSO reference framework. Review of evidence, architecture and contracts.

    Duration
    8–16 weeks
    Cost
    based on effort
  4. Step 04

    Certificate & listing

    Issuance of the machine-readable certificate for the achieved maturity level (L1–L4) and entry of the certified service in the public EDSO register.

    Duration
    ≤ 2 weeks
    Cost
    based on effort

What clients gain

Concrete value — precise, auditable, usable.

  • Auditable evidence in EU procurement (MEAT-capable award criterion).
  • Reduction of regulatory audit burden through a recognised reference framework.
  • Listing in the public EDSO register — visibility for buyers.
  • Machine-readable certificate, cryptographically verifiable.
  • SBOM, HYOK and exit guidance as immediate by-products.
  • Clear development path from L1 to L4 — stages instead of blanket verdicts.

EDSO is

  • An assessment framework for digital dependencies
  • A transparency instrument for procurement
  • A governance instrument for the C-level

EDSO is not

  • A political signalling instrument
  • An IT security certification (e.g. ISO 27001)
  • A consulting framework

Pioneer Partner programme · limited to 10 companies

Help shape the standard before the market follows.

Pioneer Partners form the EDSO founding council, influence criteria and weightings, and have the L1 review (structured self-assessment) included. Founding conditions are fixed for three years.

Option A

EUR 4,950 net

one-off

Option B

12 × EUR 500 net

monthly

Benefits (identical for both options): L1 certification (EU-aligned) based on the structured self-assessment is included (including the annual fee on a successful result and listing in the public EDSO register), a seat on the founding council, the “Pioneer Partner” title, and co-design of criteria and roadmap.

Frequently asked questions

What decision-makers want to know first.

How does EDSO differ from the European Sovereign Stack Standard (ES³)?
ES³ was issued by Schwarz Digits — a cloud provider that itself operates in the market being assessed. EDSO is designed as an independent organisation with a multi-stakeholder supervisory board from industry, civil society, academia and the public sector. In substance both refer to the EU Cloud Sovereignty Framework and use a four-stage maturity model with a minimum principle; EDSO assesses across six management-grade domains (D1–D6) instead of nine dimensions, publishes the full methodology openly and does not exclude any provider — including hyperscalers — by definition, but rather makes differences visible. ES³ is therefore a possible certification candidate under EDSO, just like SecNumCloud, BSI C5 or DigiD.
How does EDSO differ from ISO 27001, BSI C5 or EUCS?
ISO 27001, C5 and EUCS address IT security. EDSO addresses digital sovereignty — i.e. data authority, supply chain, legal jurisdiction and exit capability. The two are complementary.
How long does a certification take?
Self-assessment in around 20 minutes. From application to issued certificate typically 3–6 months, depending on maturity level and scoping.
Who performs the audit?
Accredited conformity assessment bodies that are structurally independent from the sponsoring organisation. Standard development and assessment are organisationally separated.
What happens if a maturity level is not reached?
You receive a detailed report with gaps and concrete remediation actions. Re-certification is possible without a full repeat of the audit effort.
What does a certification cost?
L1 certification (EU-aligned), based on the structured self-assessment, costs EUR 500 per month and, on a positive result, leads to a listing in the public EDSO register. The higher maturity levels L2 (external baseline audit), L3 (in-depth external audit) and L4 (full certification) are priced based on scope and effort and are carried out exclusively by accredited assessment bodies.
How long is an EDSO certificate valid?
An EDSO certificate is valid for twelve months; after that, a shortened re-certification takes place. Structural changes, such as a change of ownership, relocation of hosting sites or new subcontractors, trigger an immediate notification obligation so that the stated level remains reliable at all times.
Are there knockout criteria that rule out certification?
Yes. In D1 (legal jurisdiction), a missing EU/EEA legal seat, an opaque ownership structure or demonstrable third-country control access leads to rejection. In D5 (resilience and exit capability), a missing or undocumented exit strategy caps the achievable level, regardless of the result in other domains. These criteria cannot be offset by high scores elsewhere.
Which four maturity levels are there, and when is each one relevant?
L1 EU-aligned is the structured self-assessment entry point for sensitive standard projects (indicative self-assessment, no audit). L2 EU-sovereign is the external baseline audit by an accredited assessment body for regulated buyers. L3 Critical Sovereignty is the in-depth external audit for projects close to critical infrastructure (KRITIS). L4 Strategic Sovereignty is the full certification for the highest requirements, in particular in public contracts. Higher maturity levels require all lower ones to be met.
Is EDSO aiming for official standardisation?
Yes. EDSO started as a private-sector standard, with a development path to a DIN SPEC as a precursor to an official standard. The submission process is planned for 2026/2027. Specification and methodology are maintained publicly so that they remain institutionally compatible.