Methodology

How we calculate EU First scores and assess digital sovereignty.

Scoring Model

The EU First score is a weighted average of four key dimensions that assess how well a vendor aligns with EU digital sovereignty requirements.

Legal Jurisdiction (40%)

Legal jurisdiction of the primary processing entity. EU/EEA headquarters and legal entities score highest. Non-EU jurisdictions whose laws give authorities access to data held by their companies (e.g., the US CLOUD Act) score lowest.

Infrastructure & Hosting (25%)

Where subprocessors are located and what data they can access. Content-level access from non-EU entities heavily penalizes this score.

Where Data is Stored (20%)

Physical location of data storage and processing. EU-only hosting scores highest. Backups and disaster recovery (DR) sites are also considered.

Who Owns the Company (15%)

Ultimate beneficial ownership and control. EU-owned and controlled entities score highest. Subsidiaries of non-EU parents score lower.

Score Labels

90-100  EU First: Strong EU sovereignty alignment with minimal non-EU dependencies.
75-89   EU First (with notes): Good EU alignment with some dependencies or exposures that warrant attention.
50-74   Mixed: Mixed EU and non-EU dependencies. Suitable for less sensitive use cases.
25-49   High Risk: Significant non-EU dependencies. Review carefully before use where sovereignty matters.
0-24    Non-EU: Primarily non-EU controlled, with substantial sovereignty risks.

Strictness Modes

Practical

Practical assessment for most organizations. Focuses on where data is processed and stored operationally.

  • EU data residency options are valued
  • Legal structures matter but are not disqualifying
  • Suitable for general business use

Strict

Rigorous assessment for high-sensitivity contexts. Any non-EU legal exposure or control is flagged.

  • Non-EU jurisdiction = automatic failure
  • Hyperscaler dependencies flagged
  • For government, defense, critical infrastructure

Data Touch Levels

Subprocessors are categorized by the type of data they can access:

Content Access
Full access to user data content. Most sensitive level. Includes data processors, backup services, and analytics that see raw data.
Sensitive Metadata
Access to metadata that could identify users or reveal patterns. Includes logging services, CDNs that see request headers, and monitoring tools.
Telemetry
Anonymized or aggregated data only. Error tracking, performance metrics, and usage statistics without identifying information.

Red Flags

These conditions trigger red flag warnings regardless of overall score:

  • Non-EU jurisdiction over primary data processor
  • Non-EU subprocessor with content-level data access
  • Support/admin access from non-EU locations without customer-held keys
  • Telemetry exporting identifiers or content to non-EU services
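The sections above (weights, score bands, strictness modes, data touch levels and red flags) describe one evaluation procedure. The following Python is an added example that implements that procedure end to end; it is not code from the EU First project. The 0-100 input scale for each dimension, the interpretation of "automatic failure" as a score of 0, and the two vendor profiles are assumptions made here, and the sample data is constructed.

```python
from dataclasses import dataclass, field

# Dimension weights exactly as stated in the Scoring Model section.
WEIGHTS = {
    "legal_jurisdiction": 0.40,
    "infrastructure_hosting": 0.25,
    "data_storage": 0.20,
    "ownership": 0.15,
}

# Score bands from the Score Labels section (inclusive integer ranges).
LABELS = [
    (90, 100, "EU First"),
    (75, 89, "EU First (with notes)"),
    (50, 74, "Mixed"),
    (25, 49, "High Risk"),
    (0, 24, "Non-EU"),
]

# Data touch levels from the Data Touch Levels section.
TOUCH_LEVELS = ("content", "sensitive_metadata", "telemetry")


@dataclass
class Subprocessor:
    name: str
    eu_jurisdiction: bool
    touch_level: str  # one of TOUCH_LEVELS


@dataclass
class Assessment:
    vendor: str
    dimension_scores: dict          # each dimension rated 0-100 (assumed scale)
    eu_jurisdiction: bool           # primary processing entity under EU/EEA law
    subprocessors: list = field(default_factory=list)
    non_eu_admin_access: bool = False
    customer_held_keys: bool = False
    telemetry_exports_identifiers_non_eu: bool = False
    hyperscaler_dependency: bool = False


def weighted_score(dimension_scores):
    """Weighted average of the four dimensions, rounded to one decimal."""
    missing = set(WEIGHTS) - set(dimension_scores)
    if missing:
        raise ValueError(f"missing dimension scores: {sorted(missing)}")
    for name, value in dimension_scores.items():
        if not 0 <= value <= 100:
            raise ValueError(f"{name} must be in 0-100, got {value}")
    return round(sum(WEIGHTS[k] * dimension_scores[k] for k in WEIGHTS), 1)


def label_for(score):
    """Map a numeric score onto the page's label bands."""
    s = round(score)
    for low, high, name in LABELS:
        if low <= s <= high:
            return name
    raise ValueError(f"score out of range: {score}")


def red_flags(a):
    """Red flags are raised regardless of the overall score."""
    flags = []
    if not a.eu_jurisdiction:
        flags.append("Non-EU jurisdiction over primary data processor")
    for sp in a.subprocessors:
        if sp.touch_level not in TOUCH_LEVELS:
            raise ValueError(f"unknown touch level: {sp.touch_level}")
        if not sp.eu_jurisdiction and sp.touch_level == "content":
            flags.append(f"Non-EU subprocessor with content-level data access: {sp.name}")
    if a.non_eu_admin_access and not a.customer_held_keys:
        flags.append("Support/admin access from non-EU locations without customer-held keys")
    if a.telemetry_exports_identifiers_non_eu:
        flags.append("Telemetry exporting identifiers or content to non-EU services")
    return flags


def evaluate(a, mode="practical"):
    """Full evaluation: score, label, red flags and mode-specific notes."""
    if mode not in ("practical", "strict"):
        raise ValueError(f"unknown strictness mode: {mode}")
    score = weighted_score(a.dimension_scores)
    notes = []
    if mode == "strict":
        if not a.eu_jurisdiction:
            score = 0.0  # "Non-EU jurisdiction = automatic failure" (assumed to mean score 0)
            notes.append("strict: non-EU jurisdiction, automatic failure")
        if a.hyperscaler_dependency:
            notes.append("strict: hyperscaler dependency flagged")
    return {"vendor": a.vendor, "mode": mode, "score": score,
            "label": label_for(score), "red_flags": red_flags(a), "notes": notes}


# Constructed sample profiles (not real vendors).
SAMPLE_EU = Assessment(
    vendor="ExampleEU", eu_jurisdiction=True,
    dimension_scores={"legal_jurisdiction": 95, "infrastructure_hosting": 60,
                      "data_storage": 90, "ownership": 100},
    subprocessors=[Subprocessor("us-backup-svc", False, "content"),
                   Subprocessor("eu-cdn", True, "sensitive_metadata")],
    hyperscaler_dependency=True)

SAMPLE_NON_EU = Assessment(
    vendor="ExampleUS", eu_jurisdiction=False,
    dimension_scores={"legal_jurisdiction": 30, "infrastructure_hosting": 40,
                      "data_storage": 80, "ownership": 20},
    non_eu_admin_access=True, customer_held_keys=False)

if __name__ == "__main__":
    for a in (SAMPLE_EU, SAMPLE_NON_EU):
        for mode in ("practical", "strict"):
            print(evaluate(a, mode))
```

The first profile shows why red flags are reported independently of the score: a vendor can land in the "EU First (with notes)" band on the weighted average while still carrying a non-EU subprocessor with content-level access. The second shows how Strict mode overrides the arithmetic for a non-EU jurisdiction.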

Confidence Levels

Each data point is tagged with its verification level:

Verified
Verified from official documentation, legal filings, or audit reports.
Vendor Claimed
Provided by the vendor through their published materials or direct communication.
Unverified
Submitted by users and pending verification. Lower confidence level.