No critical non-EU dependencies

Why important?

Important for crisis scenarios / geopolitical risks.

How measured?

• 0 = Critical non-EU dependencies (DNS/PKI/identity/control plane etc.)
• 1 = Several critical dependencies, only partially mitigated
• 2 = Single critical dependencies or scope heavily constrained
• 3 = Mostly EU-based, but individual critical dependencies/uncertainties
• 4 = Only few non-critical non-EU dependencies + clear mitigations
• 5 = No critical non-EU dependencies (trust anchors/control plane) demonstrable
• N/A = no reliable evidence

Sources / Evidence

• https://aws.eu/de/
• https://www.aboutamazon.eu/news/aws/built-operated-controlled-and-secured-in-europe-aws-unveils-new-sovereign-controls-and-governance-structure-for-the-aws-european-sovereign-cloud
• https://aws.amazon.com/blogs/aws/opening-the-aws-european-sovereign-cloud/
• https://www.open-telekom-cloud.com/en/benefits/sovereignty
• https://www.oracle.com/europe/cloud/eu-sovereign-cloud/faq/
• https://aws.eu/de/esca/
• https://www.deloscloud.de/about-us/news.html
• https://news.microsoft.com/de-de/erste-souveraene-cloud-plattform-fuer-die-deutsche-verwaltung-auf-der-zielgeraden/

Validation questions (RFP)

• Which critical control-plane services depend on non-EU infrastructure (DNS, PKI, updates, identity, monitoring)?

Scores comparison