Schwarz Digits’ New Sovereign Stack Standard ES³ Builds on the EU’s Cloud Sovereignty Framework – both Align with EuroStack Principles
Hannover, 21 April 2026
Hannover Messe, the largest industrial manufacturing trade show in Europe, is the shop window for European productivity. The word “sovereignty” was everywhere on the first day, and for a reason: there can be no industrial/economic value added in Europe’s future without sovereign handling of data and applications integrated into production processes. Simple as that.
Yet what “sovereignty” means in the context of e.g. European cloud computing had not been really defined nor measured. Cloud computing powers nearly everything today. And as more and more cloud services vendors, including non-European hyperscalers, rush to market with their version of a “sovereign” offerings, the question for decision-makers across industry and the public sector has become acute: how does one actually measure sovereignty in a service like cloud?
There are two frameworks that now provide the most concrete answers to that question. The first is the Cloud Sovereignty Framework (CSF), published by the European Commission in October 2025. The second, unveiled at the Hannover Messe on the first day (20 April 2026), a derivate of the CSF, is the European Sovereign Stack Standard (ES³) from Schwarz Digits, the digital arm of Germany’s Schwarz Group (the parent of Lidl and Kaufland retail shop chains). Both pursue a shared objective – making digital sovereignty measurable, transparent, and actionable – but they differ meaningfully in scope, methodology, and target audience. And both, it turns out, are closely aligned with the vision articulated last September by the EuroStack initiative (here), our pan-European vision that calls for building a comprehensive, competitive European digital infrastructure founded on private investment that does not rely on public sector subsidies and government regulation.
This post unpacks what each framework does, where they converge, where they diverge, and why their combined momentum is a powerful signal for European technological self-determination.
The EU Cloud Sovereignty Framework: Setting the Baseline
The CSF (Version 1.2.1 – still due to be finalised and amended) was born out of a practical need: the European Commission required an objective way to evaluate cloud providers bidding for an initial €180 million-worth of sovereign cloud procurement contracts spanning a period of six years
– the largest of its kind in EU history, yet only the first step in what will inevitably be a larger procurement effort on Europe’s behalf. Drawing on Gaia-X, CIGREF’s Trusted Cloud Referential, and existing EU legislation such as NIS2 and DORA, the CSF establishes a comprehensive vocabulary and measurement system for cloud sovereignty.
At its core, the framework is built around eight Sovereignty Objectives (SOV-1 to SOV-8): strategic sovereignty, legal and jurisdictional sovereignty, data and AI sovereignty, operational sovereignty, supply chain sovereignty, technology sovereignty, security and compliance, and ecological sustainability. Each objective is weighted to reflect the Commission’s strategic priorities – supply chain sovereignty carries the highest weight at 20%, followed by strategic, operational, and technology sovereignty at 15% each, whilst legal, data and AI, and security dimensions each account for 10%, and environmental sustainability 5%.
The assessment system operates on two complementary axes. The Sovereignty Effectiveness Assurance Levels (SEAL) provide a five-tier scale from SEAL-0 (no sovereignty whatsoever, with services under exclusive non-EU control) to SEAL-4 (full digital sovereignty, requiring a complete EU supply chain from chips to software). These SEAL levels function as minimum thresholds: a provider that fails to reach the required SEAL level for a given objective is ineligible, full stop. On top of this, a weighted Sovereignty Score provides a quantitative ranking tool, allowing for nuanced comparison between providers that clear the minimum bar.
In the Commission’s recent procurement round, most awarded providers – including STACKIT (Schwarz Digits’ own cloud platform), Clever Cloud, OVHcloud, and Scaleway – reached SEAL-3 (Digital Resilience), meaning their services are broadly immune from non-EU supply chain disruption. The minimum eligibility bar was set at SEAL-2 (Data Sovereignty). Typically, European Cloud Services vendors with a legal registered office and data centres in EU Europe are set to earn SEAL-3 classification; and next to OVH, Stackit, Scaleway, Clevercloud, there are Outscale, Exoscale, IONOS, Upscale, Elastix, evroc, Aruba, even Swiss Infomaniak. Europe is full of proper SEALs.
The CSF’s primary arena is public procurement. It was designed for use in tender specifications, where sovereignty criteria sit alongside traditional quality and price metrics. Its strength lies in its political legitimacy, its clear definitions, and its role as a potential blueprint for future EU legislation.
ES³: From Policy Blueprint to Industry Standard
This is where Schwarz Digits’ European Sovereign Stack Standard enters the picture. ES³ explicitly builds on the CSF – it adopts its structure, values, and principles – but translates them into what Schwarz Digits describes as a more granular, practice-oriented maturity model aimed squarely at industrial companies, SMEs, and regulated sectors, not just public buyers.
The differences begin with dimensionality. Where the CSF defines eight sovereignty objectives, ES³ adds a ninth dimension: Artificial Intelligence. Given the speed at which AI is reshaping enterprise IT – and the sovereignty questions it raises around training data, model provenance, and inferencing infrastructure – this addition feels very timely.
ES³ also introduces a finer assessment grain. Each of its nine dimensions is evaluated across three distinct levels: the regulatory level (covering contracts and service-level agreements), the organisational level (addressing processes and governance), and the technological level (examining concrete implementation). This three-layered approach means that a provider cannot simply paper over technological weaknesses with strong contractual language – each layer must stand on its own merits.
The maturity model itself defines four cumulative stages. At the Basic stage, there is heavy dependence on external providers, processes are reactive, and the organisation has no standardised understanding of sovereignty. At the Initial stage, digital dependencies are documented and initial contingency plans exist. At the Advanced stage, sovereignty is anchored as a strategic goal within the organisation, with tested alternatives for critical services. At the Future-Proof stage – the highest level – the organisation achieves near-complete digital autonomy and unimpaired operational freedom.
A crucial design principle underpins the model: the minimum principle. The overall ES³ rating always corresponds to the lowest achieved level across all nine dimensions. This “weakest link” approach prevents organisations from compensating for glaring gaps in one area with high scores in another – a design philosophy that aligns with the CSF’s own SEAL minimum thresholds but applies it even more stringently.
Independent verification is supposedly built in from the outset. The auditing firm BDO has verified the maturity model (presumably as an external contractor), ensuring that assessments are neutral, traceable, and objective. Schwarz Digits also offers a presales tool called ES³ Lens, which analyses an organisation’s current sovereignty maturity and recommends appropriate solutions from STACKIT’s portfolio. Partner services available through the STACKIT cloud receive sovereignty badges based on their verified ES³ rating – a kind of digital Nutri-Score for cloud sovereignty. Underpinning the entire catalogue are more than 100 individual assessment criteria.
Where ES³ and the CSF Converge
The common ground between the two frameworks is substantial and intentional. Both share the same foundational eight sovereignty objectives, covering the full spectrum from strategic autonomy to ecological responsibility. Both employ a tiered assessment model that distinguishes clearly between varying degrees of sovereignty. Both insist on minimum thresholds – neither framework allows a provider to claim sovereignty simply by excelling in one area whilst being wholly dependent in another. And both aim to bring clarity and objectivity to a market where the term “sovereign cloud” has been applied to offerings of wildly varying credibility.
The philosophical alignment runs deeper still. The CSF was designed to move sovereignty from abstract political rhetoric to concrete, measurable procurement criteria. ES³ pursues exactly the same ambition, but for the private sector. Together, they form something close to a complete assessment ecosystem: the CSF for public buyers, ES³ for industry and the Mittelstand. Some may argue ES³ resembles a fork from CSF, introduced by a single services vendor, while the European Commission is by definition more neutral – but, as mentioned, they are close in spirit and substance, both pay in on a more substantial, fact-based discussion about digital sovereignty
Where They Differ
The most significant differences lie in scope, granularity, and application.
Target audience. The CSF is a procurement instrument, designed for use in EU public tenders where sovereignty criteria feed directly into bid evaluation. ES³ targets industrial enterprises and SMEs navigating their own digital sovereignty journeys – organisations that may not participate in public procurement at all but face equivalent strategic dependencies.
Number of dimensions. The CSF evaluates eight objectives. ES³ adds a dedicated AI sovereignty dimension – a reflection of how rapidly artificial intelligence has moved from the periphery to the centre of enterprise IT strategy.
Assessment depth. The CSF assigns a single SEAL level (0–4) per objective. ES³ evaluates each dimension across three layers – regulatory, organisational, and technological – yielding a considerably more granular picture. This three-layer approach means that an organisation can identify precisely where its sovereignty gaps lie: in its contracts, its processes, or its actual technology stack.
Scoring methodology. The CSF combines SEAL minimum thresholds with a weighted Sovereignty Score that allows for comparative ranking. ES³ uses a four-stage maturity model (Basic, Initial, Advanced, Future-Proof) governed by the minimum principle, where the weakest dimension determines the overall rating.
Verification. The CSF is operationalised through the Commission’s own procurement processes. ES³ is independently verified by the auditing firm BDO and includes a presales assessment tool and a badge system for partner solutions – mechanisms designed for the rhythms of commercial decision-making rather than public tendering.
Scoring scale. The CSF uses five SEAL levels (0–4), whilst ES³ uses four maturity stages. The CSF’s SEAL-0 (no sovereignty) has no direct equivalent in ES³, which begins its scale at Basic – implicitly assuming that any organisation engaging with the standard has at least some awareness of the sovereignty question.
The EuroStack Connection: A Shared Horizon
Both frameworks gain additional significance when viewed through the lens of the EuroStack initiative. Representing a coalition of European digital industry players, supported by some policymakers – and originally made visible by a cross-party group in the European Parliament – EuroStack calls for building European capabilities and assets across the full digital infrastructure supply chain spanning semiconductors, cloud, software, connectivity, AI, quantum computing, and data governance, relying on European capacity and competitive edge, with public sector demand contributing as anchor customer.
EuroStack’s objectives overlap meaningfully with the sovereignty dimensions measured by both the CSF and ES³. Our insistence on several criteria for European neutral jurisdiction over a truly competitive market, and security-by-design maps directly onto the legal and security sovereignty objectives. Our call for primarily open-source, federated technology stacks aligns with the supply chain and technology sovereignty dimensions. Our emphasis on energy efficiency and economic sustainability mirrors the need for economic welfare and prospering businesses. And its focus on data as a shared, yet lucrative, resource resonates with the data and AI sovereignty dimensions – the very area where ES³ has expanded beyond the CSF’s baseline.
Crucially, EuroStack is not merely a policy proposal; it is also an industrial strategy that calls for European public sector as well as corporations to strive for “buy European” when credible sovereign alternatives exist. The CSF and ES³ provide the measurement tools that make the procurement decision actionable – through objective, verifiable sovereignty assessments.
There is a further alignment worth noting. EuroStack explicitly aims to lower adoption barriers for SMEs – counteracting the risk that sovereignty compliance becomes a game only the largest players can win. ES³’s design for the ‘Mittelstand’ and its presales assessment tooling serve precisely this purpose. Meanwhile, the CSF’s tiered SEAL system allows providers of different sizes and capabilities to participate at appropriate levels, rather than facing an all-or-nothing bar that only mature hyperscalers could clear.
What This Means for European Sovereignty
The emergence of ES³ alongside the CSF marks a point of further maturity for the European digital sovereignty movement. Sovereignty has been much debated in political terms – a matter of aspiration, geopolitics, and occasionally anxiety. What we now have are two complementary, rigorously designed measurement frameworks that translate principle into practice.
For public institutions, the CSF provides the procurement language and legal architecture to demand verified sovereignty from cloud providers. For private enterprises, ES³ offers a practical model that can guide their decisions towards greater digital independence — including independent auditing, granular diagnostics, and a clear progression path. And for the broader European ecosystem, these tools feed directly into the EuroStack vision of a continent that builds, controls, and governs its own digital infrastructure rather than renting it from abroad. Of course, it is of primary importance that digital governance and sovereignty should be handled agnostically, not manipulated by a market vendor motivated by individual private interests. We think this is well handled here.
The timing is not coincidental. In a geopolitical environment where data flows, technology access, and digital supply chains are increasingly subject to extraterritorial pressures, the ability to measure and verify sovereignty is a strategic imperative. The CSF and ES³, each in its own domain, provide Europe with useful tools to move from talking about digital sovereignty in cloud to actually pursuing it. That ES³ was launched at Hannover Messe’ is significant, given the emphasis on sovereignty for the industrial AI which is expected to propel Europe forward.
The challenge now is adoption. Standards only matter if they are used. The EU Commission has demonstrated leadership by embedding the CSF into its own procurement. Schwarz Digits has staked its commercial reputation on ES³’s rigour and independence. The question for European industry, regulators, and policymakers is whether they will seize this moment to make measured sovereignty the norm – not the exception – across the continent’s digital economy.
The European Sovereign Stack Standard (ES³) was presented at Hannover Messe 2026 (20–24 April). The EU Cloud Sovereignty Framework (Version 1.2.1) was published by the European Commission in October 2025. The EuroStack initiative was launched in September 2024 and published its investment blueprint in February 2025.
