Sources
The SCOPE framework references the following regulations, technical standards, and research across its 12 dimensions and 5 maturity levels.
Each source is cited where its requirements or findings are directly relevant to a dimension's sovereignty posture.
Policy & Regulation
- Jurisdiction: European Union
- Enacted: 2016; applicable from 25 May 2018
Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data. The GDPR establishes comprehensive data protection requirements, including a lawful basis for every processing operation, data subject rights, data protection by design and by default, restrictions on transfers to third countries, and mandatory breach notification.
- Jurisdiction: Switzerland
- Enacted: 2020; effective 1 September 2023
The revised Swiss Federal Act on Data Protection (nDSG) modernises Switzerland's data protection framework to align more closely with the GDPR while retaining Swiss-specific provisions. It introduces stronger obligations for data processors, mandatory data breach notification, and enhanced requirements for cross-border data transfers.
- Jurisdiction: European Union
- Enacted: 2022; transposition deadline 17 October 2024
Directive (EU) 2022/2555 on measures for a high common level of cybersecurity across the Union. NIS2 expands the scope of the original NIS Directive to cover more sectors and entity types, introduces stricter security and incident-reporting requirements, and lists supply-chain security and the use of multi-factor or continuous authentication among the risk-management measures that essential and important entities must implement.
- Jurisdiction: European Union
- Enacted: 2022; applies from 17 January 2025
Regulation (EU) 2022/2554 on digital operational resilience for the financial sector. DORA establishes uniform requirements for the security of network and information systems of financial entities, covering ICT risk management, ICT-related incident reporting, digital operational resilience testing (including threat-led penetration testing for the largest entities), and oversight of third-party ICT providers.
- Jurisdiction: United States
- Enacted: 23 March 2018
The CLOUD Act amended the Stored Communications Act (18 U.S.C. §§ 2701–2713) so that providers subject to US jurisdiction must disclose data in their possession, custody, or control in response to US legal process regardless of whether that data is stored inside or outside the United States. This has significant implications for digital sovereignty: a US order can conflict with the data protection law of the country where the data is held, so the location of a data centre alone does not place data beyond US reach.
- Jurisdiction: European Union
- Decided: 16 July 2020
Judgment of the Court of Justice of the European Union (Grand Chamber) of 16 July 2020 in Case C-311/18 (Schrems II), invalidating the EU-US Privacy Shield framework. The Court held that US surveillance law does not afford protection essentially equivalent to that guaranteed by the GDPR read in light of the EU Charter of Fundamental Rights. Standard Contractual Clauses remain valid, but exporters must verify on a case-by-case basis that the law of the destination country allows the clauses to be honoured in practice, and must adopt supplementary measures where it does not.
Technical Frameworks
- Issued by: International Organization for Standardization (ISO) / International Electrotechnical Commission (IEC)
The international standard specifying requirements for establishing, implementing, maintaining, and continually improving an information security management system (ISMS). It provides a systematic approach to managing sensitive information through risk assessment and treatment, ensuring confidentiality, integrity, and availability of data.
- Issued by: National Institute of Standards and Technology (NIST), U.S. Department of Commerce
Comprehensive guidance for cryptographic key management covering key generation, distribution, storage, use, and destruction. It defines the security services provided through cryptography, specifies the protection required for each type of key, and outlines the lifecycle functions involved in key management.
- Issued by: American Institute of Certified Public Accountants (AICPA)
An attestation framework under which an independent auditor reports on a service organisation's controls relevant to the five Trust Services Criteria: security, availability, processing integrity, confidentiality, and privacy. The criteria define what the organisation's own controls are evaluated against; a Type II report additionally tests their operating effectiveness over a period. SOC 2 reports are widely used to demonstrate provider trustworthiness, but they attest to the provider's chosen controls rather than to any particular jurisdiction or data location.
- Issued by: Open Source Security Foundation (OpenSSF)
A security framework providing incrementally adoptable guidelines for securing the software supply chain. SLSA defines graded levels of assurance: in SLSA v1.0 the Build track runs from L0 (no provenance) through L1 (provenance exists) and L2 (provenance signed by a hosted build platform) to L3 (hardened, isolated builds whose provenance cannot be forged by the build's own steps), covering provenance generation and build platform hardening; source-integrity requirements are specified separately. Provenance is expressed as an in-toto attestation that names the built artifact by digest and the builder that produced it.
- Issued by: World Wide Web Consortium (W3C) / FIDO Alliance
A passwordless authentication standard comprising W3C WebAuthn (a browser API for public key credential-based authentication) and the FIDO Alliance's Client to Authenticator Protocol (CTAP, which carries requests between the browser and a roaming or platform authenticator). Together they enable phishing-resistant, passwordless authentication using asymmetric cryptography: the private key never leaves the authenticator, and the browser binds every signature to the origin it was made on, so a credential cannot be exercised from a look-alike site.
- Issued by: World Wide Web Consortium (W3C)
Verifiable Credentials define a standard data model for cryptographically signed, tamper-evident digital credentials that an issuer signs, a holder stores, and a verifier checks without contacting the issuer at presentation time. Decentralized Identifiers (DIDs) provide a complementary standard for globally unique identifiers whose associated public keys are resolved through a DID method of the controller's choosing rather than a single central registry.
Academic Research
- Authors: Paul Kocher, Jann Horn, Anders Fogh, Daniel Genkin, Daniel Gruss, Werner Haas, Mike Hamburg, Moritz Lipp, Stefan Mangard, Thomas Prescher, Michael Schwarz, Yuval Yarom
- Published: 2018
Demonstrates that speculative execution in modern processors can be exploited to leak sensitive data across security boundaries. Spectre (CVE-2017-5753, CVE-2017-5715) mistrains the branch predictor so that a victim speculatively executes instructions it would never execute architecturally, then recovers the accessed data through a cache timing side channel. Because the victim is tricked into leaking its own secrets, software isolation alone cannot guarantee confidentiality, with implications for hardware-level sovereignty guarantees.
- Authors: Moritz Lipp, Michael Schwarz, Daniel Gruss, Thomas Prescher, Werner Haas, Anders Fogh, Jann Horn, Stefan Mangard, Paul Kocher, Daniel Genkin, Yuval Yarom, Mike Hamburg
- Published: 2018
Reveals that the fundamental isolation between user applications and the operating system kernel can be broken in modern processors. Meltdown (CVE-2017-5754) exploits out-of-order execution to read kernel memory from unprivileged user space, since the processor's permission check is applied only after the faulting access has already influenced the cache. It demonstrates that hardware-level vulnerabilities can undermine software-level sovereignty guarantees regardless of jurisdiction or encryption, because data is in the clear in memory while it is being processed.