EU root CA / trust services

Why important?

PKI/trust is core for identity, TLS and signatures.

How measured?

• 0 = Trust anchors / root CA non-EU (or unsuitable) without alternatives
• 1 = EU trust only claimed, details unclear
• 2 = EU trust for partial scope (some services), key paths unclear
• 3 = EU root CA/trust services for core scope, but not end-to-end
• 4 = EU trust services broadly documented (root CA, signing, possibly HSM) with few gaps
• 5 = End-to-end EU trust anchors (root CA/signing/key custody) + auditably evidenced
• N/A = no reliable evidence

Sources / Evidence

• https://www.aboutamazon.eu/news/aws/built-operated-controlled-and-secured-in-europe-aws-unveils-new-sovereign-controls-and-governance-structure-for-the-aws-european-sovereign-cloud
• https://www.ovhcloud.com/pl/bare-metal/secnumcloud/
• https://aws.amazon.com/blogs/security/announcing-initial-services-available-in-the-aws-european-sovereign-cloud/
• https://aws.amazon.com/blogs/aws/announcing-aws-kms-external-key-store-xks/
• https://aws.amazon.com/blogs/aws/opening-the-aws-european-sovereign-cloud/
• https://www.deloscloud.de/about-us/news.html

Validation questions (RFP)

• Which KMS/HSM options? Bring-your-own-key? Hold-your-own-key? Key custody & audit?

Scores comparison