European digital sovereignty test for domains
Frequently Asked Questions
How is the sovereignty score calculated?
The score is a weighted average (0-100) based on whether each infrastructure component is hosted by a European provider. The weights reflect both the sensitivity of the data and the difficulty of migrating that component:
- Email Host: 25% – Email can contain sensitive communication and be difficult to migrate
- Web Host: 25% – Where user data is processed and subject to the hosting provider's legal jurisdiction
- Third-Party Resources: 20% – External scripts, trackers, CDNs, and analytics that may leak data
- Registrar: 15% – Controls the domain name itself
- DNS: 10% – Can reveal browsing patterns or hijack traffic, but relatively easy to change
- SSL Certificate: 5% – Primarily about trust chain, lower practical privacy risk
The final score is calculated based only on categories where data is available. If a category can't be determined, it doesn't affect the score.
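The calculation described above, sketched as an added example (this is not the scanner's own code). The weights are the ones listed in this answer; the category key names, the True/False/None verdict per category, and the rounding are assumptions made for illustration.

```python
# Weights as listed in the FAQ (percent). Key names are assumed.
WEIGHTS = {
    "email_host": 25,
    "web_host": 25,
    "third_party": 20,
    "registrar": 15,
    "dns": 10,
    "ssl_certificate": 5,
}


def _available_weight(results):
    """Sum the weights of categories that have a confirmed verdict."""
    stray = set(results) - set(WEIGHTS)
    if stray:
        raise ValueError(f"unrecognised categories: {sorted(stray)}")
    return sum(w for c, w in WEIGHTS.items() if results.get(c) is not None)


def sovereignty_score(results):
    """results maps category -> True (European), False (non-European)
    or None (unknown). Unknown categories are left out and the
    remaining weights are renormalised. Returns 0-100, or None when
    no category could be determined."""
    available = _available_weight(results)
    if available == 0:
        return None
    earned = sum(w for c, w in WEIGHTS.items() if results.get(c) is True)
    return round(100 * earned / available)


def points_lost(results):
    """Score points each non-European category costs, largest first."""
    available = _available_weight(results)
    lost = [(c, round(100 * w / available, 1))
            for c, w in WEIGHTS.items() if results.get(c) is False]
    return sorted(lost, key=lambda item: item[1], reverse=True)


# Constructed scan result, not taken from a real domain.
SAMPLE = {
    "email_host": False,
    "web_host": True,
    "third_party": False,
    "registrar": True,
    "dns": True,
    "ssl_certificate": None,  # could not be determined
}
```

Because the unknown certificate category is dropped, the remaining 95 points of weight become the denominator, so each confirmed non-European component costs slightly more than its nominal percentage.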
How accurate are the results?
The scan provides a strong indicator of European digital sovereignty, but it's not absolute. Here are some limitations to keep in mind:
- Misidentification: Some resources may be incorrectly classified. For example, a resource hosted on a European server might actually be operated by a US organisation, or vice versa. This can happen if it's not in the database yet.
- Complex infrastructures: Large organisations often use multiple providers across different regions, making categorisation challenging.
- CDN and proxy layers: Content delivery networks and reverse proxies can mask the true origin server. They still count against sovereignty, though, as a non-European provider is still serving your content.
- Third-party resources: Detection relies on publicly available data and may miss some resources or include false positives.
Use this tool as a starting point for understanding your digital infrastructure, not as a definitive audit. For critical compliance decisions, consider a professional audit.
What does "European" mean in this context?
I consider a service "European" if it's operated by a company with its legal headquarters in Europe. This includes not just EU member states, but also countries like the United Kingdom, Switzerland, Norway, and Iceland that have similar data protection frameworks and legal traditions.
This broader definition matters because:
- The company is subject to European-style data protection laws (GDPR, UK GDPR, Swiss DPA, etc.)
- Data can be subpoenaed under European legal frameworks with strong privacy protections
- European courts have jurisdiction over disputes
- These countries share similar rule-of-law traditions and judicial independence
Note that server location and legal jurisdiction are different. A European company might use US data centers, or a US company might use European servers. I prioritise the legal entity's location because that determines which laws apply to your data.
Why do some results show "Unknown"?
Several reasons can cause unknown results:
- The service provider isn't in the database yet
- The domain uses unusual or custom infrastructure
- Technical limitations prevented data collection (timeouts, blocked requests, etc.)
- The infrastructure is too complex to classify automatically
Unknown results don't affect your sovereignty score. Only confirmed European or non-European services are factored in.
Why does the third-party resources section sometimes have multiple calls to the same service?
Sometimes sites make several calls to different endpoints on the same service. For example, one call for images, another for scripts, yet another for sending data. The scanner logs them independently but shows an identical domain for them all.
Can I improve my sovereignty score?
Yes. The scan results identify specific components that are non-European. You can improve your score by:
- Switching to European hosting providers (Hetzner, Scaleway…)
- Migrating email to European services (Infomaniak, Mailbox.org, Proton, Migadu…)
- Using European CDN and analytics providers
- Transferring your domain to a European registrar
- Removing or replacing non-European third-party scripts and trackers
The difficulty varies by component. DNS and registrar are relatively easy to change, email and hosting require a bit more planning, while third-party resources can be a minefield.
Who built this tool?
The sovereignty scanner was built by me, Colin O'Brien. I'm a technical consultant specialising in digitally sovereign software selection. The tool was created to help organisations understand their digital infrastructure dependencies and make informed decisions about GDPR compliance and data sovereignty.
If you encounter issues or have suggestions, please get in touch.
Is my scan data stored or shared?
Scan results are stored in the database to allow you to return to them via their unique URL. They are not linked to from anywhere public (unless you do so yourself). At some point in the future, older scans may expire. This is not the case at the moment.
I collect minimal analytics to improve the service (using a self-hosted copy of Swetrix). Your domain scan data is not shared with third parties and is used only to provide this service.
How often is the provider database updated?
Continuously. I update the database of known providers as I discover new patterns. However, the internet is vast, and I can't identify every service automatically. If you notice a provider that's being misclassified or not recognised, please let me know.