Digital sovereignty: Why we need CSF and our own matrix
- Klaus Becker
- 14 hours ago
- 2 min read
"Digital sovereignty" is everywhere right now. What I often find lacking is:
What should I use which tool for, and what shouldn't I use?
Two things that should be kept separate:
1. EU Cloud Sovereignty Framework (CSF, Version 1.2.x - Oct 2025) The CSF is a measurement and evaluation tool. It answers the question:
How sovereign is a specific cloud service according to clearly defined criteria?
With its eight dimensions (legal, data, operations, supply chain, etc.) and measurable maturity levels, the CSF is ideal for procurement, tenders, and due diligence. However, it provides profiles, not target visions.
2. Our OAKAI Sovereignty Working Matrix. The matrix is not a replacement for the CSF, but a translation aid. It answers a different question:
What kind of digital sovereignty do we need for which workload?
Instead of 8 parallel axes, it deliberately works with fewer maturity levels :
Compliance
control
Technological independence
Jurisdictional sovereignty
Strategic / geopolitical autonomy
The OAKAI work matrix is not an official framework, but a working and decision-making logic derived from CSF, BSI C5 and practical CIO experience.
dimension | Level 1 Compliance | Level 2 control | Level 3 Technology | Level 4 jurisdiction | Level 5 Strategically |
Data | GDPR, EU region | BYOK/HYOK, deletion concepts | Portable, open formats | No extraterritorial access rights | EU data spaces |
Operation | Certified (ISO, C5) | Exit-capable | Interchangeable components | Operation without third countries | Fully EU-operated |
technology | Proprietary allowed | API access | Open Source / Open Standards | Forkable without legal risks | EU-IP / EU Roadmap |
Law & Jurisdiction | EU law applicable | Transparent Legal Requests | Contract mechanisms | No CLOUD Act exposure | Exclusively EU law |
Supply chain | transparency | Dual Sourcing | Interchangeable suppliers | No critical non-EU single point | EU value creation |
Governance | Provider governance | Customer checks | Technical feasibility | Regardless of foreign law | Strategic autonomy |
This is not a certification model, but a decision-making model for architecture, roadmaps, and board discussions.
For example, an HR system needs a different level of sovereignty than collaboration or marketing websites.
Why both?
The CSF measures.
The OAKAI work matrix prioritizes.
Or to put it another way:
The CSF tells you how sovereign something is. The Matrix tells you how sovereign it must be.
Only together does "digital sovereignty" become something operational and not just a buzzword.
In your next architecture or board meeting, ask yourself just one question:
Where do we need maximum sovereignty and where do we not?
Without this answer, the basis for a decision is missing.
Sources: - CSF: https://commission.europa.eu/document/download/09579818-64a6-4dd5-9577-446ab6219113_en?filename=Cloud-Sovereignty-Framework.pdf BSI - C5: https://www.bsi.bund.de/dok/7685384
Comments