ZenDiS calls for feedback on Digitial Sovereignty Criteria - Reference and First Comment

ZenDiS is calling for feedback on its first Discussion Paper on Digital Sovereignty Criteria.

Deadline is May 15th, 2026.

Feedback shall be submitted via openCode. Therefore, stakeholders must visit ZenDiS' dedicated website and provide feedback via the implemented feedback form, either overarchingly or per chapter. At time of publishing this news piece, ZenDiS seems to respond without undue delay on each individual feedback, accessibly via openCode.

The official Digital Sovereignty Criteria and its related discussion paper are only available in German. To ease international feedback, ZenDiS was requested by first feedbacks to provide an English version, too. Yet ZenDiS refused to provide a translation, given the distinct purpose of the criteria addressing very specific requirements of German Public Administration Bodies. 

In order to support the project and make this article useful for the international community, you can find an unofficial English version ready for download. Please note: This version was created by auto-translate and only for purposes of research and quotation along this article. 

Considering the distinct purpose of the criteria, ZenDiS will most probably prefer German feedback. 

According to ZenDiS the criteria shall support measurability. ZenDiS deems measurability a pre-requisite to make Digital Sovereignty operational. ZenDiS also claims that the term Digital Sovereignty is is in danger of being washed up due to promotional use by service providers. More precisely, ZenDiS states that measurability shall address the capacity of public institutions to act as a 
whole – including their entire IT infrastructure and the digital services built upon it, rather than the (in)dependence of individual software solutions.

• Against this background, the potential target of evaluation appears rather the Public Administration Body - and its digital services stack - rather than individual digital services as such. 

Confusingly, the discussion paper also claims, that  public administration should be able to select IT solutions, components and providers flexibly and switch between them as required at a reasonable cost. Consequently, public administration must be able to effectively represent its requirements to technology providers, for example when it comes to contractual terms, security standards or operation within its own data centre.

• Against this background, the potential target of evaluation appears rather the individual digital services. 

Concludingly, ZenDiS states that strategic objectives for digital sovereignty, specific criteria can be derived to systematically assess the digital sovereignty of public authorities and organisations, which loops back to the Public Administration Body and away from individual digital services. 

The current state of ZenDiS' criteria on Digital Sovereignty appear at the level of Objectives, when international common terminology on conformity assessment programmes shall be used. As of now, no individual criteria are included in the discussion paper, neither is any Implementation Guidance or Interpretative Notes. 

ZenDiS divided its criteria in four chapters, plus one additional chapter on clarifying its risk based approach. Those chapters are:

• Organisation and Capabilities (A)
• Digital Applications and Digital Services (B)
• Data (C)
• Operations and Infrastructure (D)

This chapter addresses the objective whether the organisation is capable of actively managing digital sovereignty. It sub-divides in aspects such as 

• Strategy (existence and effectiveness of a sovereignty-oriented digital strategy)
• IT Governance & Management
• Risk Management 
• Procurement and contracting 
• Client Capability 
• Competencies as a prerequisite for influencing suppliers

This chapter addresses the objective whether applications used enable technological self-determination – or do such application lead to dependencies that restrict the ability to act.

It sub-divides into elements such as 

• Transparency and documentation 
• Traceability and security of the supply chain 
• Application architecture and modularity 
• Standards and interfaces 
• Dependencies at the software level

This chapter addresses the objective whether public authorities can exercise full control over their data at all times – including access, storage, processing, deletion and migration. 

It sub-divides into elements such as

• Data location
• Data security 
• Data protection 
• Data structures

This chapter addresses the objective whether the administration can operate its systems continuously, securely and independently, even in the event of external disruptions or geopolitical tensions.

It sub-divides into elements such as

• Dependency at the operational or provider level
• Customer relationship
• Ability to exit
• Resilience and business continuity
• Security and compliance in operations

ZenDiS clarifies that the analysis must reflect an appropriate risk analysis. It claims that it would not be reasonable that every individual digital application or digital service has to meet identically rigorous requirements. It shall be rather a matter of balancing different dimensions, to meet a sweet-spot among cost-effectiveness, practical feasability and “Digital Sovereignty”.  

Dimension of concern are

• Data Criticality
• Security Posture
• Legal Risks
• Administrative Processes 
• Degree of Dependency
• Supply Chain Reliability

This comment reflects a high-level first assessment, which will require further detailing. 

Generally, it is highly appreciated that ZenDiS is calling for expert's feedback. Especially, as ZenDiS almost prompt responsiveness on openCode indicates that every feedback will be taken seriously into account. 

On the other hand, there is serious concern on the applied methodology and purpose. As of now, the discussion paper only covers so-called objectives. This drafting methodology indicates that ZenDiS is aiming for a conformity assessment programme. In this case, Objectives do not provided much added value. The core of any conformity assessment programme it its criteria and related Guidance. Additionally, the target of evaluation must be distinct beyond any reasonable doubts. For now, the target of evaluation is pending between the “readiness” of Public Administration Bodies and “features” of digital application and digital services (including its infrastructure). With such indifferent and ambiguous target of evaluation along the high-level objectives, useful material feedback might be very cumbersome. 

While ZenDiS claims itself that one of its primary objectives is measuring and comparing Public Authorities capabilities and resulting readiness for Digital Sovereignty, this might indicate that instead of a conformity assessment programme, ZenDiS should rather focus on drafting a readiness profile. 

However, the main flaw within the methodology seems its added value and assessment of (market) need. ZenDiS recognises that Digital Sovereignty is about be washed out as a promotional term. Yet, Digital Sovereignty has no stable definition but remains a moving target with a variety of intentions and interests behind. Designing a conformity assessment programme - or any other method alike - comes with a reasonable risk, to downgrade reasonable needs of Digital Sovereignty into “Yet Another Seal”. 

Digital Sovereignty appears rather a change in mindset along establishing and prioritising long-term strategies over short-term “tick-boxing”. Introducing a “tick-box” assessment for Public Administration Bodies - who probably will be the most important driver behind Digital Sovereignty - might end any effective changes upfront. Additionally, The current draft lacks its highlights where the Digital Sovereignty Criteria provide any added value compared to existing standards, conformity assessment programmes and alike. Instead of re-inventing the wheel a suitable synopsis of existing standards and where their criteria contribute to Digital Sovereignty might be more effective and more likely to be adopted on the market.