
European Sovereign Stack Standard (ES³): What the New Sovereignty Standard Means for Your AI Strategy

Tobias Jonas | 8 min read

Digital sovereignty is no longer a buzzword in Europe – it’s a strategic imperative. Yet until now, there was no objective yardstick for measuring how sovereign a cloud solution or AI service actually is. Schwarz Digits, the IT and digital division of the Schwarz Group (Lidl, Kaufland), has addressed this problem: with the European Sovereign Stack Standard (ES³), there is now a measurable framework for digital sovereignty in Europe for the first time.

In this article, we explain what ES³ entails, how the maturity model works – and map our CompanyGPT deployment variants against the new standard.

What Is the European Sovereign Stack Standard (ES³)?

The ES³ is a comprehensive sovereignty program that Schwarz Digits unveiled at Hannover Messe 2026. It builds on the EU Cloud Sovereignty Framework (CSF) from the European Commission and extends it with a crucial ninth dimension: Artificial Intelligence.

At its core is the Sovereignty Maturity Level (SML) Framework – a four-tier maturity model that evaluates the digital sovereignty of IT services against more than 100 criteria. The auditing firm BDO verifies the model as an independent third party.

The Problem: Sovereignty Washing

According to Bitkom (2024), 82% of companies in the information economy justify their digital dependence on non-European providers by citing a lack of adequate European alternatives. At the same time, many providers use the term “sovereign” loosely, without customers being able to verify what’s behind it. ES³ puts an end to sovereignty washing through measurable criteria and independent audits.

The Nine Dimensions of Digital Sovereignty

The SML Framework evaluates IT services across nine dimensions, derived from and extending the EU Cloud Sovereignty Framework:

  1. Strategic Sovereignty – Anchoring in corporate strategy
  2. Legal and Jurisdictional Aspects – Legal framework and access protection
  3. Data – Control over data storage and processing
  4. Operational Independence – Ability to operate independently
  5. Supply Chain – Transparency and control over suppliers
  6. Technology – Open standards and open-source components
  7. Security and Compliance – Certifications and security measures
  8. Environmental Sustainability – Resource efficiency and sustainability
  9. Artificial Intelligence – The new ninth dimension covering AI-specific sovereignty

Each dimension is assessed on three levels:

  • Regulatory (contracts, SLAs, agreements)
  • Organizational (processes, responsibilities, governance)
  • Technological (technical implementation, automation, architecture)

The Four Maturity Levels of the SML Framework

Level 1 – Initial

Heavy reliance on external providers. Processes are reactive and ad hoc. No standardized understanding of digital sovereignty in the strategy.

Level 2 – Managed

Digital dependencies are documented. Initial contingency plans and basic capabilities are captured and controlled on a rule-based foundation.

Level 3 – Advanced

Sovereignty is firmly established as a strategic goal. Verified alternative sources or clear migration paths are available for all critical services.

Level 4 – Future-Proof

Near-complete digital autonomy. Core processes are based on a securely controlled infrastructure, open standards, and open-source components. 100% European DNA – genuine immunity to external access, such as the US CLOUD Act.

The Minimum Principle

A central element: the overall rating of a service always corresponds to the lowest level achieved across all nine dimensions. Sovereignty is only as strong as its weakest link. A service that achieves Level 4 in eight dimensions but only Level 2 in one dimension receives an overall rating of Level 2.

Why ES³ Matters for AI Decisions

The ninth dimension, “Artificial Intelligence,” is what makes ES³ particularly significant. AI services raise the sovereignty question in an especially acute way:

  • Where are prompts and responses processed? Many AI services process data outside the EU.
  • Which models are used? Frontier models from OpenAI, Anthropic, or Google are often operated in US data centers.
  • Who has access to the data? The US CLOUD Act potentially grants US authorities access to data processed by US companies – even when servers are physically located in the EU.
  • Is data used for model training? Many consumer AI services feed user data into training.

ES³ creates transparency here and enables informed decision-making.

CompanyGPT in the ES³ Context: Three Deployment Variants

Our CompanyGPT is deliberately designed so that companies can choose their desired sovereignty level themselves. Depending on requirements, we offer three deployment variants – each with a clear ES³ profile.

Variant 1: STACKIT Only – Maximum Sovereignty (ES³ Level 4)

For companies that make no compromises on sovereignty.

In the STACKIT Only variant, the entire CompanyGPT infrastructure runs on STACKIT, the European hyperscaler from Schwarz Digits:

  • LLM hosting via STACKIT AI Model Serving with models like Llama, Mistral, and Aleph Alpha
  • Databases and applications on STACKIT infrastructure (PostgreSQL, Object Storage, Kubernetes)
  • No contact with US hyperscalers – no frontier models from OpenAI, Google, or Anthropic
  • Authentication via Keycloak (when no Entra ID is available)
  • 100% European DNA across the entire value chain

ES³ classification: This variant can achieve the highest maturity level, Level 4 (Future-Proof). The entire infrastructure is subject to European law, there is no dependency on US parent companies, and the models used are fully hosted and operated in Europe.

Limitation: No frontier models (GPT, Claude, Gemini) are available. However, for many use cases – particularly RAG, summarization, text generation, and internal assistants – the available open-source models are more than sufficient.

Variant 2: STACKIT + Hyperscaler – Sovereign Core with Optional Extension (ES³ Level 2–3)

For companies that want sovereignty as the default but occasionally need frontier models.

This variant combines the best of both worlds:

  • Hosting, databases, and applications run on STACKIT
  • LLMs by default via STACKIT AI Model Serving
  • Optionally extensible with frontier models:
    • Azure OpenAI (EU region): GPT-4o, GPT-4.1, GPT-5.1 (later models such as GPT-5.5 are currently not available in the EU)
    • Google Vertex AI (EU region): Gemini 2.5 (Gemini 3 is currently not available in the EU)
    • Anthropic via Vertex AI/Azure: Claude Sonnet, Claude Opus
  • Authentication via Keycloak or Microsoft Entra ID

ES³ classification: The sovereign core on STACKIT achieves Level 3–4. Once frontier models are integrated via hyperscaler APIs, the overall rating drops to Level 2–3 due to the minimum principle, depending on contractual and organizational safeguards. Data processing remains in the EU, but the providers are subject to US jurisdiction.

Advantage: Companies can decide per use case whether a sovereign open-source model is sufficient or whether a frontier model’s performance is required. The platform infrastructure remains consistently sovereign throughout.

Variant 3: CompanyGPT on Azure – Enterprise Environment with Full Model Selection (ES³ Level 2)

For companies that already have a Microsoft infrastructure and want maximum model variety.

In this variant, CompanyGPT runs entirely in the customer’s own Azure tenant:

  • Hosting, databases, and applications on Azure (EU region)
  • LLMs via Azure OpenAI Service as the default provider
  • Optional extension via Google Vertex AI or AWS Bedrock for models not available at Microsoft
  • Authentication via Microsoft Entra ID (seamless M365 integration)
  • On explicit request: Access to global models (GPT-5.5, GPT-Image-2, Gemini 3) currently only available outside the EU – but then no longer GDPR-compliant

ES³ classification: With pure EU operations, this variant achieves Level 2 (Managed). The infrastructure resides with a US hyperscaler (Microsoft) that is fundamentally subject to the US CLOUD Act – even when data is physically processed in the EU. Through contractual safeguards (DPA, SCCs, EU Data Boundary) and organizational measures, the level can be stabilized.

Advantage: Maximum model variety, seamless integration into existing Microsoft 365 environments, and proven enterprise governance processes. For many companies, this is the pragmatic entry point before considering a migration toward STACKIT.

Comparison Table: CompanyGPT Variants in the ES³ Framework

| Criterion | STACKIT Only | STACKIT + Hyperscaler | Azure |
|---|---|---|---|
| ES³ Level | Level 4 (Future-Proof) | Level 2–3 (Managed–Advanced) | Level 2 (Managed) |
| Infrastructure | 100% STACKIT | STACKIT + Azure/Vertex AI | 100% Azure |
| LLM Default | STACKIT AI Model Serving | STACKIT AI Model Serving | Azure OpenAI |
| Frontier Models | No | Optional (EU region) | Yes (EU region) |
| Global Models | No | No | On request (not GDPR-compliant) |
| US Jurisdiction | None | Only for frontier models | Yes (Microsoft) |
| CLOUD Act Risk | None | Limited | Present (contractually addressed) |
| Authentication | Keycloak / Entra ID | Keycloak / Entra ID | Entra ID |
| GDPR Compliance | Full | Full (EU models) | Full (EU operations) |
| Model Examples | Llama, Mistral, Aleph Alpha | + Claude, Gemini 2.5, GPT-5.1 | + GPT-5.5*, Gemini 3*, GPT-Image-2* |

* Only with global processing – not GDPR-compliant

Our Recommendation: Sovereignty as the Default

We recommend our clients think of sovereignty as the default and only make compromises where the specific use case requires it:

  1. Start with STACKIT as your default infrastructure
  2. Use STACKIT AI Model Serving for the majority of your AI use cases
  3. Activate frontier models selectively – per agent, per use case, per department
  4. Document your sovereignty decisions – the ES³ gives you the framework for this

This way you achieve the best possible balance between performance and sovereignty – and can transparently demonstrate at any time why you made which decision.

Conclusion: From Buzzword to Benchmark

The European Sovereign Stack Standard makes digital sovereignty measurable and comparable for the first time. For companies deploying AI services, this means: you can now make an informed, traceable decision instead of relying on marketing promises.

CompanyGPT supports all three sovereignty tiers – from maximally sovereign on STACKIT to pragmatic on Azure. Companies can incrementally develop their AI strategy toward greater sovereignty without sacrificing capability.

From now on, digital dependency is a conscious choice.


Want to know which CompanyGPT variant fits your sovereignty profile? Contact us for a no-obligation consultation – we’ll map your current infrastructure against the ES³ framework together.

Written by

Tobias Jonas

Co-CEO, M.Sc.

Tobias Jonas, M.Sc., is co-founder and Co-CEO of innFactory AI Consulting GmbH. He is a leading innovator in artificial intelligence and cloud computing. As co-founder of innFactory GmbH, he has successfully led hundreds of AI and cloud projects and established the company as an important player in the German IT sector. Tobias always keeps his finger on the pulse: he recognized the potential of AI agents early on and hosted one of the first meetups in Germany on the topic. He also pointed out the MCP protocol within the first month of its release and informed his followers about the Agentic AI Foundation on the day it was founded. Alongside his managing director roles, Tobias Jonas is active in various professional and business associations, including the KI Bundesverband and the digital committee of the IHK München und Oberbayern, and leads practice-oriented AI and cloud projects at the Technische Hochschule Rosenheim. As a keynote speaker, he shares his expertise on AI and explains complex technological concepts in an accessible way.