A structured, vendor-neutral scoring methodology for CEO and CTO-level executives evaluating sovereignty risk across their infrastructure, data, and AI stack. 9 categories. 60+ controls. Objective weighted scoring.
Sovereign: "having the highest power or being completely independent." Applied to cloud infrastructure, it means one thing — you are the ultimate decision-maker at every layer.
The most dangerous misconception in the market today is that "having a server in your region" equals sovereignty. It does not. Data residency addresses one slice of one dimension. Genuine sovereignty means you are the decision-maker across all seven control dimensions.
For each dimension, ask: who is the ultimate decision-maker — you, or someone else?
| Control Dimension | What you must control | Hyperscaler "Sovereign Cloud" | True Sovereign Infrastructure |
|---|---|---|---|
| Data Centre Physical control |
Physical access, security policy, who enters, on-site audit rights | Vendor's facility. You have never seen it. You decide nothing about who enters. | Your facility or directly contracted co-lo. You set access policy. You hold audit rights. |
| Network Traffic control |
Switches, routers, BGP peering, firewall rules, VPN topology | Vendor's SDN. You configure settings in their console; the underlying network is theirs. | Your switches, your BGP peers, your ISP contracts. Every routing decision is yours. |
| Hardware Physical asset control |
Servers, CPUs, GPUs, firmware baselines, supply chain provenance | Vendor's servers — unknown provenance, unverifiable firmware, shared tenants. | Your hardware. Verified supply chain. Locked firmware baselines. |
| Setup Configuration control |
Architecture design, software stack, configuration decisions | You configure settings inside the vendor's console. Architecture is their template. | You designed it. Every choice declared as code you own and version-control. |
| Operation Access & people control |
Who has access, under what conditions, with what logging | Vendor staff operate your infrastructure. They access it without prior notification. | Your operations team. Every session is cryptographically logged. You authorise it. |
| Roadmap Feature & software control |
Software versions, updates, features, deprecation schedule | Features appear and disappear based on vendor's commercial priorities. | Open-source stack. You control the version, update schedule, and feature set. |
| Vendors Supply chain control |
Right to change any supplier without losing access to your systems | One vendor. Switching costs are prohibitive by design. You are captured. | Open standards throughout. You can replace any component. |
A hyperscaler "sovereign cloud" region addresses one narrow slice — where data is stored. The other six dimensions remain 100% under vendor control. That is not sovereignty. That is a preference setting with a national flag on it.
Every hyperscaler and commercial vendor now claims to offer "sovereign cloud." It has become a marketing label — used by the very organisations whose business model depends on you remaining dependent on them.
A truly sovereign infrastructure posture cannot be self-certified by a vendor who profits from your dependency. It requires an independent, structured assessment against clear, auditable controls.
This framework was developed from over a decade of deploying private infrastructure for governments and regulated enterprise. Use it as a self-assessment, a vendor evaluation tool, or the basis for a formal infrastructure audit.
Each control is scored Yes (1.0), Partial (0.5), or No (0). Category scores are multiplied by the category weight. Final score is a percentage from 0 to 100.
Fully implemented and independently verifiable. No vendor dependency.
Partially met — reliant on vendor SLA assurances, contractual clauses, or third-party tooling.
Not met. A third party holds control, jurisdiction, or capability that you do not.
| Score Range | Rating | Interpretation |
|---|---|---|
| 85 - 100 | Sovereign | Robust sovereign posture. Infrastructure under genuine organisational control across all key categories. |
| 65 - 84 | Partial Control | Material sovereign gaps exist. CLOUD Act exposure, data residency, and operational dependency need remediation. |
| 40 - 64 | At Risk | Significant sovereign exposure. High dependency on third parties for core infrastructure. |
| Below 40 | Critical Risk | Critical sovereign risk. The organisation does not meaningfully control its own infrastructure. Immediate strategic review required. |
Every category comes with its full weighting, key controls, and the risk exposure if the category is failed.
A vendor can unilaterally suspend your infrastructure. In a sanctions event, your infrastructure disappears overnight with no recourse.
Public Cloud Score: 0/20 — Vendor controls the control plane by design.
GDPR violations, CLOUD Act exposure, and sector-specific compliance breaches. Your regulated data may be accessible to foreign intelligence agencies under domestic US law.
Public Cloud Score: 0-5/20 — CLOUD Act applies regardless of region.
Vendor-held encryption keys create a fundamental key escrow risk. Cloud HSM "customer-managed" keys are still on vendor hardware. A supply-chain compromise of the vendor's KMS could expose all encrypted data.
A vendor EOL, sanctions event, or financial collapse leaves your critical services unrecoverable. Cloud egress costs and proprietary API lock-in deliberately make migration prohibitively expensive — by design.
Every prompt sent to a commercial AI API is potentially logged, retained, and used for model training. Classified data processed through API-based AI represents a severe information sovereignty breach.
Proprietary forks can restrict source access at any time (as Red Hat did in 2023). Vendor-controlled roadmaps can deprecate features you depend on. Without open-source freedom, you are renting software — not owning infrastructure.
A vendor's commercial priorities dictate your infrastructure evolution. Features appear and disappear based on their quarterly targets. Forced upgrades break your workflows on their schedule, not yours.
The US CLOUD Act compels US-headquartered companies to disclose data regardless of where it is stored — including EU data centres. A "sovereign region" on AWS or Azure does not change the parent company's legal obligations under US law.
If costs triple overnight — as VMware customers experienced after the Broadcom acquisition — you have no recourse. Egress fees make migration financially prohibitive by design. Open-source infrastructure carries no per-instance fees and can be replicated freely.
Indicative scores based on a typical deployment scenario.
| Control Category | Private Infrastructure | Public Cloud | Hybrid Cloud |
|---|---|---|---|
| Operational Control 20% | 20/20 — Full admin control | 0/20 — Vendor controls control plane | 10/20 — Mixed |
| Data Sovereignty 20% | 20/20 — Known location, no CLOUD Act | 2/20 — CLOUD Act applies | 12/20 — On-prem portion sovereign |
| Security Sovereignty 15% | 14/15 — Own KMS, PKI, firewall | 5/15 — Vendor-managed HSM | 9/15 — Varies by placement |
| Survivability 15% | 14/15 — Fully operable independently | 3/15 — Proprietary lock-in | 9/15 — Private portion survivable |
| AI & Model Sovereignty 10% | 10/10 — On-prem GPU, open models | 2/10 — API logs, data transmitted | 6/10 — Depends on AI placement |
| Open Source Freedom 5% | 5/5 | 2/5 | 3/5 |
| Feature & Roadmap 5% | 5/5 | 1/5 | 3/5 |
| Legal & Compliance 5% | 5/5 | 1/5 | 3/5 |
| Replication & Cost 5% | 5/5 | 2/5 | 3/5 |
Indicative scores based on typical configuration. Actual scores depend on your specific contracts, architecture, and jurisdiction.
Our engineers can conduct a full sovereignty assessment against the 60-control framework — tailored to your specific infrastructure, regulatory context, and risk profile.