Digital Sovereignty as a Quality Attribute for Software Architectures
Summary
The paper analyzes digital sovereignty (DS) as a quality attribute (QA) for software architectures (SAs) in cloud computing (CC), focusing on the European Union's policy frameworks. It argues that DS can be analytically refined as a QA, exhibiting properties like measurability, validation, trade-offs, and scenario-based analysis. A key contribution is a risk metric σ=α×β×ζ, where α quantifies semantic dependence on a cloud vendor, β represents vendor lock-in strength (analytically fixed at >0.9 for US hyperscalers in Europe), and ζ denotes the applicability of foreign jurisdictions over EU law. This extends to an overall risk equation φ=σ×ρ×ℹ, incorporating occurrence probability (ρ) and impact (ℹ). The EU's 2025 Cloud Sovereignty Framework (CSF) establishes a five-fold effectiveness scale and eight dimensions for DS, including a comparison formula. Furthermore, the proposed Cloud and AI Development Act (CADA) from June 2026 mandates risk assessments for public sector CC services, emphasizing data sensitivity, unlawful access, and service disruption, while promoting multi-vendor and multi-cloud strategies to mitigate risks.
Key takeaway
If you are a public sector IT lead evaluating cloud deployments for critical services, treat digital sovereignty as a quantifiable quality attribute. Your risk assessments should integrate metrics for vendor lock-in, semantic dependencies, and foreign legal jurisdiction, as outlined by the EU's Cloud Sovereignty Framework. Actively pursue multi-vendor or multi-cloud strategies and ensure architectural decomposition supports migration within mandated timelines, such as the 12 months specified in the CADA proposal, to mitigate geopolitical and vendor-specific risks.
Key insights
Digital sovereignty can be formalized as a measurable quality attribute for software architectures in cloud computing.
Principles
- Digital sovereignty is a measurable quality attribute.
- Vendor lock-in significantly impacts cloud sovereignty.
Method
The paper proposes conceptualizing DS as a QA using a scenario-based methodology. It introduces metrics like α (semantic dependence), β (lock-in strength), and ζ (foreign jurisdiction) to quantify risk σ, further extended to φ=σ×ρ×ℹ for overall risk analysis.
In practice
- Implement multi-vendor or multi-cloud strategies.
- Prioritize critical infrastructure functions.
Topics
- Digital Sovereignty
- Software Architecture
- Cloud Computing
- EU Policy
- Vendor Lock-in
- Risk Assessment
Best for: CTO, Executive, VP of Engineering/Data, AI Architect, Policy Maker, Director of AI/ML
Editorial summary, takeaway, and curation by AIssential. Original article published by cs.SE updates on arXiv.org.