Maturity Model: Sustainability Maturity

The maturity model of the Sustainability pillar assesses organizational and technical maturity along five levels — from no measurement to active CO₂ reduction on a net-zero path.

The 5 Maturity Levels

Level	Name	Description
1	Blind	IT emissions unknown. No cloud carbon tools activated. No ESG reporting obligation known or addressed. Sustainability is not an architecture topic.
2	Visible	Cloud carbon tools activated. Emissions are occasionally reviewed. No targets, no systematic attribution by workload. No automation.
3	Reported	Structured, monthly emission measurement with workload attribution. Data flows into ESG/CSRD report. Baseline defined. First optimization measures (lifecycle policies, non-prod shutdown).
4	Optimized	Active reduction measures operational: Graviton/ARM majority, idle elimination, storage lifecycle, batch time-shifting. Reduction targets measurably tracked. SCI established as a metric.
5	Carbon-Neutral/Positive	Emission reduction at SBTi 1.5°C target level. Remaining unavoidable emissions neutralized through verified compensation (Gold Standard Carbon Credits). Annual verification.

Level

Name

Description

Blind

IT emissions unknown. No cloud carbon tools activated. No ESG reporting obligation known or addressed. Sustainability is not an architecture topic.

Visible

Cloud carbon tools activated. Emissions are occasionally reviewed. No targets, no systematic attribution by workload. No automation.

Reported

Structured, monthly emission measurement with workload attribution. Data flows into ESG/CSRD report. Baseline defined. First optimization measures (lifecycle policies, non-prod shutdown).

Optimized

Active reduction measures operational: Graviton/ARM majority, idle elimination, storage lifecycle, batch time-shifting. Reduction targets measurably tracked. SCI established as a metric.

Carbon-Neutral/Positive

Emission reduction at SBTi 1.5°C target level. Remaining unavoidable emissions neutralized through verified compensation (Gold Standard Carbon Credits). Annual verification.

Control Maturity Matrix

This matrix shows for each WAF-SUS control the target maturity level per stage:

Control	Level 1	Level 2	Level 3	Level 4	Level 5
WAF-SUS-010 Carbon Measurement	No tool	Tool active, ad-hoc	Monthly, workload attribution	Automated pipeline, ESG-integrated	Real-time dashboard, CSRD feed
WAF-SUS-020 Efficient Compute	No policy	Some ARM/Graviton	Policy + CI gate, >30% ARM	>60% ARM, migration plan active	>85% ARM, only documented exceptions
WAF-SUS-030 Green Regions	No consideration	Informally aware	ADR requirement documented	Batch in green regions	Dynamic carbon routing
WAF-SUS-040 Idle Elimination	No monitoring	Manual reviews	Auto-detection + scheduled shutdown	Spot >50%, scale-to-zero	Zero idle, everything demand-driven
WAF-SUS-050 Storage Lifecycle	No policies	Individual policies	All resources, orphan scan	Data-min policy, tags-driven	Storage emissions in SCI
WAF-SUS-060 Workload Scheduling	Arbitrary times	Some off-peak	All flex jobs on off-peak, documented	Carbon API integration	Temporal + spatial shifting combined
WAF-SUS-070 Software Efficiency	No SCI awareness	Code review mentions efficiency	ADR with SCI, dependency review	SCI as metric, DoD component	SCI OKR, automatic regression alerts
WAF-SUS-080 Network Efficiency	No CDN, no compression	CDN + compression for main app	CDN everywhere, VPC endpoints, monthly review	Transfer budgets per workload	Network emissions in SCI
WAF-SUS-090 ESG Reporting	No reporting obligation known	Manual annual queries	Quarterly export, data in CSRD report	Automated pipeline, assurance-ready	Real-time dashboard, third-party assurance
WAF-SUS-100 Debt Register	No governance	Informal awareness	Formal register, quarterly review	Leadership reporting, carbon savings documented	OKRs, automated health checks, net-zero roadmap

Control

Level 1

Level 2

Level 3

Level 4

Level 5

WAF-SUS-010 Carbon Measurement

No tool

Tool active, ad-hoc

Monthly, workload attribution

Automated pipeline, ESG-integrated

Real-time dashboard, CSRD feed

WAF-SUS-020 Efficient Compute

No policy

Some ARM/Graviton

Policy + CI gate, >30% ARM

>60% ARM, migration plan active

>85% ARM, only documented exceptions

WAF-SUS-030 Green Regions

No consideration

Informally aware

ADR requirement documented

Batch in green regions

Dynamic carbon routing

WAF-SUS-040 Idle Elimination

No monitoring

Manual reviews

Auto-detection + scheduled shutdown

Spot >50%, scale-to-zero

Zero idle, everything demand-driven

WAF-SUS-050 Storage Lifecycle

No policies

Individual policies

All resources, orphan scan

Data-min policy, tags-driven

Storage emissions in SCI

WAF-SUS-060 Workload Scheduling

Arbitrary times

Some off-peak

All flex jobs on off-peak, documented

Carbon API integration

Temporal + spatial shifting combined

WAF-SUS-070 Software Efficiency

No SCI awareness

Code review mentions efficiency

ADR with SCI, dependency review

SCI as metric, DoD component

SCI OKR, automatic regression alerts

WAF-SUS-080 Network Efficiency

No CDN, no compression

CDN + compression for main app

CDN everywhere, VPC endpoints, monthly review

Transfer budgets per workload

Network emissions in SCI

WAF-SUS-090 ESG Reporting

No reporting obligation known

Manual annual queries

Quarterly export, data in CSRD report

Automated pipeline, assurance-ready

Real-time dashboard, third-party assurance

WAF-SUS-100 Debt Register

No governance

Informal awareness

Formal register, quarterly review

Leadership reporting, carbon savings documented

OKRs, automated health checks, net-zero roadmap

Self-Assessment: Level 2 Checklist (Visible)

An organization is at Level 2 when all of the following apply:

AWS Customer Carbon Footprint Tool, Azure Emissions Impact Dashboard or GCP Carbon Footprint is activated
Emissions have been manually exported and reviewed at least once in the past 6 months
The question "How much CO₂ does our cloud operation emit?" is roughly answerable (order of magnitude)
At least one team uses ARM/Graviton instances or Lambda arm64
The organization’s CSRD obligation has been clarified (in scope, out of scope, subsidiary)

Self-Assessment: Level 3 Checklist (Reported)

An organization is at Level 3 when all of the following apply:

Monthly carbon footprint exports from all cloud providers in use have been set up
Workload tagging enables emission attribution at the workload level
Carbon data is part of the official ESG or sustainability report (or the build-up for it is documented)
All S3 buckets have lifecycle policies
All CloudWatch log groups have retention_in_days set
Non-production environments have scheduled shutdown rules
A sustainability debt register exists and was updated in the last quarter

Self-Assessment: Level 4 Checklist (Optimized)

An organization is at Level 4 when all of the following additionally apply:

More than 60% of EC2/container vCPU hours run on ARM/Graviton or Ampere Altra
More than 80% of Lambda functions use arm64
Autoscaling with scale-to-zero configured for all stateless compute workloads
All batch workloads configured for off-peak (22:00–06:00 UTC) or flexible windows
CDN for all user-facing applications; HTTP compression active on all APIs
VPC endpoints for S3 and DynamoDB (and other AWS services) in all production VPCs
SCI (Software Carbon Intensity) measured for at least the three most important Tier-1 services
Year-over-year CO₂ reduction target defined and tracked in the last quarterly report

Recommended Entry Path

Phase	Timeframe	Measures	Target Level
Phase 0: Baseline	Week 1–2	Activate carbon tools, clarify CSRD obligation, inventory current state	Level 1 → 2
Phase 1: Quick Wins	Month 1–2	S3 lifecycle policies, log retention, non-prod scheduled shutdown, Lambda on arm64	Level 2 → 3
Phase 2: Systematization	Quarter 1–2	Sustainability debt register, CDN + compression, VPC endpoints, quarterly reviews, ESG integration	Level 3
Phase 3: Optimization	Quarter 2–4	Graviton migration EC2, autoscaling + scale-to-zero, batch time-shifting, SCI measurement Tier-1	Level 3 → 4
Phase 4: Continuous Improvement	Ongoing	SCI OKRs, automated carbon pipeline, SBTi targets, annual progress reports	Level 4 → 5

Phase

Timeframe

Measures

Target Level

Phase 0: Baseline

Week 1–2

Activate carbon tools, clarify CSRD obligation, inventory current state

Level 1 → 2

Phase 1: Quick Wins

Month 1–2

S3 lifecycle policies, log retention, non-prod scheduled shutdown, Lambda on arm64

Level 2 → 3

Phase 2: Systematization

Quarter 1–2

Sustainability debt register, CDN + compression, VPC endpoints, quarterly reviews, ESG integration

Level 3

Phase 3: Optimization

Quarter 2–4

Graviton migration EC2, autoscaling + scale-to-zero, batch time-shifting, SCI measurement Tier-1

Level 3 → 4

Phase 4: Continuous Improvement

Ongoing

SCI OKRs, automated carbon pipeline, SBTi targets, annual progress reports

Level 4 → 5

Most organizations start at Level 1 or 2. Level 3 is the CSRD minimum for organizations subject to reporting obligations. Level 4 is the target maturity level for technology-driven organizations with a sustainability commitment. Level 5 is a medium-term goal (3–5 years) for most organizations.