Objectives of the initiative
We call on the European Commission to propose or support legislation within the EU cybersecurity certification framework, including Regulation (EU) 2019/881 or any successor act, to create an optional, risk-based and tiered EU sovereign-control certification component for critical digital infrastructure services.
The component should be distinct from, and complementary to, cloud-only cybersecurity certification, entity cyber-posture certification, high-risk supplier restrictions and general supply-chain risk tools. It should provide a voluntary and auditable service-level signal on sovereign-control resilience.
It should assess effective ownership and material control; EU jurisdiction and operational control over critical functions; third-country legal or corporate-control risks; material critical dependencies; safeguards against unlawful third-country access or interference; independent audits, assurance levels and reassessment after material changes.
Certified status should be usable as an objective procurement or transparency criterion where justified by cybersecurity, resilience, data protection, service continuity or users’ lawful choice.
Provisions of the Treaties you consider relevant for the proposed action
Articles 114 and 16 TFEU; where relevant, Articles 53(1), 62 and 173 TFEU, for internal-market harmonisation, data protection, cybersecurity certification, trade in services, resilience and EU industrial competitiveness.
Annex on the subject, objectives and background to the initiative
Subject
This initiative concerns an optional, risk-based and tiered EU sovereign-control certification component for critical digital infrastructure services, within the EU cybersecurity certification framework under Regulation (EU) 2019/881 or any successor act.
It does not ask for a ban on foreign providers, mandatory EU-only use, censorship, Treaty change or digital isolation. It asks for a lawful, voluntary and auditable EU mechanism so that citizens, businesses, public authorities and EU institutions can identify services offering stronger resilience against non-EU control, foreign legal pressure, opaque critical dependencies and unlawful third-country access.
This initiative builds on, but is distinct from, the EUCS cloud-certification debate. EUCS concerns cloud cybersecurity certification. This initiative asks for a broader legislative basis for a service-level sovereign-control profile covering critical digital infrastructure, including cloud, hosting, DNS, CDN, certificate authority, identity and authentication, managed cybersecurity and other critical ICT services.
Need and legal gap
EU law already addresses important parts of the problem. The GDPR protects personal data. NIS2 strengthens cybersecurity duties for essential and important entities. The Data Act addresses unlawful third-country governmental access to non-personal data held in the Union by data processing service providers. The Cybersecurity Act creates an EU framework for cybersecurity certification.
However, existing and proposed tools do not necessarily provide a clear, voluntary, public and service-level EU certification signal for sovereign-control resilience. Technical cybersecurity certification, entity cyber-posture certification, supply-chain risk tools, high-risk supplier restrictions and cloud-only schemes do not by themselves give ordinary users and procurers a comparable way to assess who controls a critical service, which law can reach its critical functions, and which dependencies may affect continuity, confidentiality, integrity or lawful access.
A service may be technically secure and legally compliant while still depending on non-EU control planes, parent-company influence, third-country legal obligations, remote administration, logging, telemetry, DNS, CDN, certificate authority services, identity systems, cloud services, software supply chains or subcontractors that users cannot realistically inspect.
Objectives
The Commission should propose or support legislation to:
1. Create an optional, risk-based and tiered EU sovereign-control certification component for critical digital infrastructure services.
2. Require assessment of effective ownership and material control, including beneficial ownership, parent-company control, voting rights, board influence, contractual control and other material influence over security-relevant decisions or critical operations.
3. Require assessment of EU jurisdiction and operational control over critical functions, including data processing, key management, logging, authentication, incident response, infrastructure administration, update mechanisms and remote administration.
4. Require assessment of third-country legal obligations or corporate-control arrangements capable of compelling access, secrecy, disclosure, operational interference or transfer of control over personal data, metadata, non-personal operational data, security logs, administrative systems or other critical functions.
5. Require disclosure of material critical dependencies, where relevant to the certified service, including hosting, cloud, software, firmware, DNS, CDN, certificate authority, identity, telemetry, subcontractor and remote-administration dependencies that may affect confidentiality, integrity, availability, administrative control, lawful access or continuity.
6. Require technical, organisational and legal safeguards against unlawful third-country access or interference, including documented handling of access requests, legal challenge where possible, privileged-access controls, audit logs, separation of duties, transparency reporting and EU-controlled key management where relevant.
7. Require independent periodic audits, public audit summaries, measurable assurance levels, reassessment after material changes, and protection for trade secrets, sensitive security details and classified information.
8. Allow certified status to be used as an objective procurement and market-transparency criterion where justified by cybersecurity, resilience, data protection, continuity of essential services, public-sector needs or users’ lawful choice.
Relevance and compliance
The initiative is not a blacklist and not a rigid data-localisation rule. It is a transparency and assurance mechanism. It should complement EUCS, NIS2, the Data Act, cybersecurity supply-chain measures and future cloud policy without replacing them.
It supports the internal market, data protection, cybersecurity, resilience and EU technological sovereignty while remaining voluntary, proportionate, risk-based and compatible with open markets. It respects Member State competences, including national security, and the freedom of citizens and entities to maintain digital ties with third countries.
The opinions expressed on the ECI Forum reflect solely the point of view of their authors and can in no way be taken to reflect the position of the European Commission or of the European Union.