The Five-Position Framework

The binary test applied across every sovereignty stack.

Sovereignty depends on two things: what we control and who we trust.

Five positions span that spectrum. We test any offering with one binary question: does it pass the position its workload requires, or not?

Paper 1 carries the full case.

The five positions

Position 1. National sovereignty. One state has jurisdiction; no other has reach. Every entity in the chain operates under your own law. The strongest position, because it carries the narrowest trust dependency: your own government, accountable to your own electorate.

Position 2. EU sovereignty. Twenty-seven states share jurisdiction; no entity in the chain is reachable by non-EU law. Stronger than Position 4 by a wide margin. The position the EU Cloud and AI Development Act is reaching for.

Position 3. Distributed sovereignty. No single entity holds the whole, so no single entity can be compelled to surrender it. Trust shifts from institutions choosing well to mathematics that institutions cannot reverse. Regulatory access then requires cooperation, not a court order. Required for cryptographic primitives, journalist communications, civil society against hostile states.

Position 4. Shared with a foreign state. A provider may be European in name, staff and marketing; if foreign law can compel it, the data sits under foreign jurisdiction. Six trust assumptions hold the compliance illusion together, and each has already failed at least once. This is where most European institutions sit today, regardless of what their compliance documentation says.

Position 5. Decentralisation theatre. Foreign control delivered through nominally distributed architecture. If a system’s consensus layer, governance structure or development authority answers to a foreign jurisdiction, the system is at Position 4 wearing Position 3’s clothing. Canton is the textbook case.

The binary test

An offering passes the position its workload requires, or it does not.

Averaging across layers, compensation between strong and weak layers, and graduated qualification all fail the test.

One layer at Position 4 puts the whole stack at Position 4. The least sovereign layer determines the whole. It’s the stack contamination principle.

We refuse scoring because scoring is how sovereignty washing operates. Paper 3 (being finalised) traces the redefinition project that grading systems enable.

Required positions by workload class

• DORA-regulated financial workloads require Position 2 for ICT third parties handling regulated data.
• Defence-critical software requires Position 1 or 2, with selective Position 3.
• Citizen identity at the wallet provider layer requires Position 1 or 2.
• Cryptographic primitives in the post-quantum migration require Position 3.

The Stack Compliance Body (Law 2) certifies offerings per stack per workload class.

Paper 1 carries the case in full: the six trust assumptions that hold Position 4 together, the five verification layers that tell Position 3 from Position 5, and the worked examples.

Paper 3 (being finalised) carries the redefinition pressure pushing the binary into a graded score.

Domain papers apply the framework to specific stacks.

The Manifesto demands binary application at the procurement layer.

Related

• Law 1: Define Sovereignty. The conformance test the framework serves.
• Stack Sovereignty principle. How the framework applies to whole-stack offerings.
• Pattern: Stack Contamination. The least-sovereign-layer rule. (Being finalised)