ES³: standard or marketing?
The press release arrived on Friday, 17 April 2026, three days before Hannover Messe opened. Rolf Schumann and Christian Müller, the co-CEOs of Schwarz Digits, presented the European Sovereign Stack Standard — ES³ — with the explicit ambition of becoming Europe’s measure of digital sovereignty. The format: a maturity model in four levels — Basic, Initial, Advanced, Future-Proof. The mechanism: a catalogue of more than 100 criteria. The credibility marker: independent verification by BDO AG, whose Management Board Chairman Parwäz Rafiqpoor signed the attestation.
Schumann summarised the proposition: “We are transforming the need for digital sovereignty into a measurable standard for industry companies, SMEs and regulated sectors.” BDO’s verification statement followed: “The audit of the sovereignty maturity model by BDO confirms: The ES³ maturity model provides an independent, practical basis for strengthening digital sovereignty in Europe.”
This is the first European sovereignty score-sheet to arrive with audit infrastructure. It is also written by a company that competes in the market it is now scoring.
What ES³ proposes
The four maturity levels are intended to be progressive. Basic covers minimum data-residency claims. Initial establishes operational independence from non-EU control. Advanced requires full architectural separation from non-EU dependencies. Future-Proof claims verifiable continuity under hostile geopolitical conditions.
According to the public summary, the catalogue spans jurisdiction, ownership, operational control, supply chain, and key custody. BDO’s verification covers the methodology rather than individual product assessments — a meaningful distinction. A verified methodology is not the same as a verified product score; ES³ certifies how to score, not who has scored well.
Public-sector buyers can write tender conditions referencing a specific ES³ level and refuse bids below it. That alone changes incentive structures. Until ES³, sovereignty in European procurement was either a binary claim or a vibes-based score. A number now exists.
The case for it
Three things ES³ does that nothing currently does.
It puts a number on sovereignty. Before ES³, sovereignty in tender language was a marketing word with no defined content. A maturity model with audit means a public buyer can refuse a bid that does not meet a stated level. The closest comparable European framework — Gaia-X labelling — has been criticised for vagueness and slow execution. ES³ is faster and more concrete.
It establishes a verification layer that competitors must address. Once a measurable standard exists, alternatives must either match its criteria or explain publicly why they have chosen different ones. This is how regulatory frameworks become operational.
It arrived at a moment when European procurement was actively looking for criteria. Germany’s Vergabebeschleunigungsgesetz, passed six days later, made sovereignty a permissible award criterion. ES³ supplies the criteria the law makes admissible. The timing is not accidental.
The conflict at the centre of it
Schwarz Digits is the IT and digital arm of the Schwarz Gruppe — the parent company of Lidl and Kaufland — and operates StackIT, a major European cloud provider that competes directly with AWS, Azure, and Google Cloud on European tenders. Bernd Wagner, the Schwarz Digits CSO who introduced the technical detail at the Hannover Messe stand, runs a security architecture that is engineered against criteria the parent company has now also written. Schwarz Digits is not a neutral standards body. It is a market participant writing the rules of its own market.
This is not, on its own, disqualifying. ISO, IEEE, and IETF standards routinely originate at vendors with skin in the game. But it is structurally identical to Microsoft writing the standard against which Microsoft Sovereign Cloud is evaluated, or AWS publishing the criteria for European Sovereign Cloud certification. The same scepticism should apply here that would obviously apply to those.
Two defences are routinely offered and each falls short.
The first defence: someone had to do this, and the market would not wait for a neutral body. This is genuinely true. European formal standards work moves on the timescale of CEN-CENELEC and ETSI — years to decades. A workable vendor-led standard now is plausibly more useful than a slow neutral one in 2032. But “plausibly more useful” is not “neutral”. The standard’s adoption needs to be discussed accordingly.
The second defence: BDO’s verification mitigates the conflict of interest. Partially. Rafiqpoor’s attestation language is specific — it confirms the methodology, not individual product assessments. A vendor-written methodology that audits well is still a vendor-written methodology. The conflict of interest is in the criteria selection, not the procedural correctness of the audit.
The cui-bono question simplifies. Schwarz Digits and StackIT benefit if ES³ becomes the default sovereignty score-sheet, because their offering is engineered against criteria they wrote. BDO benefits from being the verification authority for what could become a widely cited European standard. The German-speaking sovereign-cloud ecosystem broadly benefits if German-flavoured criteria become the de-facto European default. French sovereign-cloud vendors — Outscale, OVHcloud, Atos, Linagora — have not co-shaped the criteria; they lose marginally if ES³ is widely adopted.
What the criteria do not address — and where they are not visible
According to the public summary, the 100+ criteria cover jurisdiction, operations, supply chain, and key custody. Three architectural layers are conspicuously absent from any reporting we have seen.
- Update channels for the underlying open-source components — most still flow through US-controlled hosting, primarily GitHub.
- Cryptographic root trust — what certificate authorities sit in the verification chain.
- Continuity guarantees under sanctions — what happens if BDO, a globally-operating professional services firm with US business exposure, were itself sanctioned for verifying European sovereignty.
The Future-Proof level claims to address geopolitical continuity. The criteria for that level have not been publicly enumerated. The Schwarz Digits press release does not link to the catalogue. The trade-press coverage describes the model but does not reproduce the criteria text. Until the full catalogue is published, the highest level of ES³ is an aspiration with a label rather than a verified property.
This visibility problem is not incidental. Public scrutiny is the mechanism that separates a sovereignty standard from a marketing instrument. A standard that lives behind summaries and case studies is harder to scrutinise than one that publishes its full text. ES³ has positioned itself in a market without yet putting itself under the kind of inspection the position warrants.
What this article is not
It is not a claim that ES³ is bad. European procurement urgently needs criteria, and a vendor-led standard with audit infrastructure is meaningfully better than the current state.
It is not a claim that Schumann or Müller acted in bad faith. The conflict of interest is structural, not motivational.
It is not a claim that the standard will fail. ES³ may become the dominant European reference; it may also be superseded by CADA’s regulatory four-level system. Both outcomes are possible.
What to ask before adopting it
The question for public-sector buyers considering ES³ as a procurement criterion is short and worth saying out loud: would you adopt a sovereignty maturity model written by Microsoft and verified by KPMG, on the same terms?
If the answer is no, the corresponding standard for ES³ requires the same critical scrutiny. The conflict of interest does not disappear because the writing vendor is European rather than American. It is reduced — jurisdictional exposure does change between vendors — but the criteria-selection problem is identical.
The next signal to watch is the criteria catalogue itself. As of writing, the full text is not public. The Bundestag’s new procurement-law clause needs concrete criteria to anchor it. If ES³ becomes that anchor before the catalogue is published, German public procurement will have outsourced its sovereignty definition to a Lidl subsidiary. That is not necessarily wrong. It is structurally identical to outsourcing sovereignty definitions to Microsoft, just with a different jurisdiction’s accent.
Sources
- Schwarz Digits press release: ES³ European Sovereign Stack Standard (17 April 2026)
- Hannover Messe 2026: Schwarz Digits KG exhibitor profile
- CRN: ES³ to be European Standard for Digital Sovereignty
- Silicon.de: European standard for digital sovereignty
- Security Insider: ES³ standard for digital sovereignty
- CloudComputing Insider: ES³ standard for digital sovereignty
- IT-Administrator: Cloud-Souveränität auf dem Prüfstand
- Channel Dive: Gaia-X warns US hyperscalers about selling sovereignty