Sovereign Cloud (Pillar: Sovereign)
The Sovereign Cloud pillar of WAF++ defines requirements, principles and measurable controls to demonstrably implement sovereignty over data, keys, dependencies and operations.
Sovereignty is not a product feature. It is an architectural state that must be achieved and continuously demonstrated.
What does Sovereign Cloud mean?
Sovereign Cloud means that an organization has demonstrable control over the following dimensions:
| Dimension | What is controlled? | WAF-SOV Control |
|---|---|---|
| Jurisdiction & Data Residency | Where are data, backups, logs and metadata stored? | WAF-SOV-010, WAF-SOV-020 |
| Region Pinning | Can deployments only occur in permitted regions? | WAF-SOV-020 |
| Backup & Recovery | Do backups remain within sovereignty boundaries? | WAF-SOV-030 |
| Logging & Telemetry | Are logs/traces/metrics stored sovereignly? | WAF-SOV-040 |
| Key Ownership | Does the organization control its encryption keys? | WAF-SOV-050 |
| Privileged Access | Are admin accesses minimal, time-bound and auditable? | WAF-SOV-060 |
| Break-Glass | Is emergency access controlled, logged and reviewed? | WAF-SOV-070 |
| Dependencies | Are all subprocessors and third-party providers inventoried? | WAF-SOV-080 |
| Egress Control | Is it ensured that data cannot leave the sovereignty boundary unnoticed? | WAF-SOV-090 |
| Exit Capability | Can the organization exit its provider in a controlled manner? | WAF-SOV-100 |
Why is Sovereign Cloud its own pillar?
Sovereignty is cross-cutting: it touches Security, Reliability, Governance and Operations. Nevertheless it is a standalone discipline, because:
- It has its own regulatory requirements (GDPR, BSI C5, EUCS, GAIA-X)
- It requires specific technical controls that no other pillar fully covers
- It must be measurable and auditable – not just documented
- It represents a fundamental negotiating position vis-à-vis cloud providers

> Sovereignty without technical enforceability is a claim, not a control.
Distinction from other pillars
- Security addresses: attack protection, vulnerability management, incident detection.
- Governance addresses: policies, decision processes, compliance framework.
- Sovereign addresses: jurisdiction control, data sovereignty, exit capability, key ownership.
Sovereign Cloud assumes that security foundations are in place and augments them with jurisdictional and regulatory requirements specific to European and public sector contexts.
Regulatory Frameworks
The WAF++ Sovereign pillar aligns with multiple regulatory frameworks:
| Framework | WAF++ Coverage |
|---|---|
| BSI C3A:2026 (Cloud Computing Autonomy) | All 10 controls mapped; covers 7 dimensions: Strategic, Legal, State of Defense, Data, Operational, Supply Chain, Technology |
| BSI C5:2020 (Cloud Computing Security Baseline) | All 10 controls mapped; foundational security requirements |
| GDPR (General Data Protection Regulation) | All 10 controls mapped; Art. 32, 44-46, 28, 17, 20, 30, 32 |
| EUCS (EU Cybersecurity Scheme for Cloud Services) | All 10 controls mapped; ENISA standards |
| ISO 27001:2022 | All 10 controls mapped; A.5.x, A.8.x family |
| GAIA-X | All 10 controls mapped; Sovereign Cloud principles |
| ANSSI SecNumCloud | All 10 controls mapped; French cloud security requirements |
Quick Start
New to the Sovereign pillar? Recommended reading order:
1. Definition – What exactly is Sovereign Cloud?
2. Scope – What is in scope, what is not?
3. Sovereign Principles – 7 core principles
4. Controls – The 10 measurable controls
5. Maturity Model – Where does my organization stand?
6. Best Practices – How to implement it?