WAF++

Scope

Goal

This pillar defines requirements and controls to implement cloud sovereignty demonstrably, enforce it technically, and evidence it in audits.

In Scope

Workloads & Infrastructure

  • Workloads (applications, platform services) in public, private and hybrid cloud

  • Infrastructure-as-Code (Terraform, Pulumi, CloudFormation, Bicep)

  • Container platforms (EKS, AKS, GKE, self-managed)

  • Serverless workloads (Lambda, Azure Functions, Cloud Run)

  • Managed database services (RDS, Aurora, Azure SQL, Cloud SQL)

Data

  • Primary data (production databases, object storage, file systems)

  • Replication and disaster recovery copies

  • Backups and snapshots

  • Logs, traces and metrics (observability data)

  • Metadata (resource tags, API access logic, configuration data)

Identity & Access

  • Administrative access (cloud console, CLI, APIs)

  • Break-glass / emergency access

  • Privileged Access Management (PAM)

  • Service accounts and CI/CD identities

Cryptography

  • Encryption keys (KMS, HSM, Key Vault)

  • Key ownership, key rotation, key deletion

  • Certificates (PKI, TLS)

Dependencies & Subprocessors

  • Managed cloud services (databases, queues, object storage)

  • Third-party providers (monitoring SaaS, SIEM, ticketing, CI/CD platforms)

  • Subprocessors within the meaning of GDPR Art. 28

  • Terraform providers, modules and their origin

Operations & Exit

  • Incident response (in the context of jurisdiction)

  • Monitoring and forensics within sovereignty boundaries

  • Data migration and exit capability

  • Portability of data and IaC

Out of Scope (at the current stage)

| Topic | Reason |
|---|---|
| Complete legal country assessment | Legal advice on jurisdiction is provider- and case-specific. WAF++ provides the technical framework; legal details require specialized attorneys. |
| Product-specific provider optimizations | Deep provider-specific implementation details belong in separate patterns/runbooks. |
| Complete ISO/NIST/EUCS mapping catalogs | Regulatory mappings are included as references in the YAML controls; complete compliance programs exceed the scope of a WAF. |
| Physical infrastructure security | Falls on the cloud provider's side of the shared responsibility model. |
| Network security (general) | Fundamental network security (firewall, IDS/IPS) is covered in the Security pillar. Sovereign focuses on egress control as a data residency topic. |
| Multi-cloud redundancy | The Reliability pillar covers redundancy. Sovereign focuses on control and exit capability, not active multi-provider operations. |

Application Context

The Sovereign pillar is particularly relevant for:

| Sector | Primary Requirements |
|---|---|
| Public Administration | GDPR, BSI C5, national data protection laws, confidentiality obligations |
| Healthcare | Patient data protection (SGB X, eHealth), GDPR Art. 9 (special data categories) |
| Financial Sector | DORA, EBA guidelines, BaFin requirements, outsourcing reporting obligations |
| Critical Infrastructure (KRITIS) | BSIG §8a, NIS2 directive, IT-Grundschutz |
| Companies with US connections | Cloud Act risks, Schrems II, standard contractual clauses |
| Any company with EU customer data | GDPR Art. 44–46 (third-country transfers), EUCS certification |