EuroScanner Methodology: Deterministic Sovereignty Audits

Home / Methodology

Methodology How EuroScanner works

Overview

EuroScanner is an automated sovereignty observability platform. It performs daily scans of public infrastructure records—including DNS, ASN, MX records, SSL certificates, and HTML service signatures—to report deterministic facts about the legal jurisdiction controlling a domain's digital dependencies.

Our mission is to provide transparency into the digital supply chain of EU public bodies and critical infrastructure. EuroScanner is a measurement tool, not a compliance platform; it reports observable data and makes no legal determinations regarding GDPR or other regulatory obligations.

Observation Layers

Layer 1: Infrastructure

Highest weight

DNS resolution to IP address → ASN via RIPE Stat API → jurisdiction classification based on parent company ownership. SSL certificate issuer identification.

Layer 2: Email

Medium weight

MX records analysis to identify third-party providers. SPF/TXT record analysis for secondary routing detection.

Layer 3: Frontend

Lower weight

HTML pattern matching against service signatures. Detects US services (Google Analytics, Cloudflare, AWS, Stripe, HubSpot, Intercom, Hotjar, Segment, Meta Pixel, Mixpanel, Sentry, Datadog, SendGrid, Mailchimp, Vercel Analytics) and EU positives (Plausible, Matomo, Simple Analytics, Brevo, Crisp, Penpot).

Layer 4: Historical

Daily automated scans. Append-only history prevents data overwriting. Every infrastructure change event is logged per domain.

Grading System

A++

Verified, fully EU sovereign (requires manual verification).

A+

Verified, excellent posture (requires manual verification).

Very good posture. Unverified scans are capped at this grade.

Good posture. Minor concerns detected.

Moderate concerns identified.

Significant issues detected.

Critical findings. Non-EU infrastructure detected at the hosting layer.

Frequently Asked Questions

Q: What is the CLOUD Act and why does it matter for EU data?

A: The CLOUD Act (2018) requires US companies to provide US authorities access to data they store or control, regardless of where that data is physically located. This means infrastructure hosted by US companies — even on EU servers — may be subject to US jurisdiction. EuroScanner flags this by classifying ASNs by the legal jurisdiction of their parent company.

Q: Does using EU-hosted infrastructure guarantee GDPR compliance?

A: No. EuroScanner reports infrastructure observations, not legal determinations. GDPR compliance depends on many factors beyond hosting jurisdiction. Our scans make infrastructure dependencies visible — what you do with that information is a matter for your legal team.

Q: How does EuroScanner calculate a sovereignty grade?

A: Each domain is scored across three layers — infrastructure hosting, email routing, and embedded frontend services — weighted by how much data each layer typically handles. The grade reflects the combined sovereignty posture at the time of the scan.

Q: How often are domains re-scanned?

A: Every domain in our dataset is scanned daily. Results are appended to a permanent history — no data is ever overwritten. The scan timestamp is shown on every domain page.

Q: Why does EuroScanner report observations rather than verdicts?

A: Infrastructure facts are deterministic — an IP resolves to an ASN, an ASN belongs to a company, a company has a legal jurisdiction. Legal conclusions are not. We report what our scan detected on a specific date and let the reader draw their own conclusions.

Data sources and limitations

Data Sources

RIPE Stat API (ASN lookup), whois.cymru.com (fallback), public DNS, public MX records, HTML source inspection.

Limitations

Robots.txt respected for HTML fetching. DNS/ASN/SSL checks run regardless. Infrastructure can change between scans. Grades reflect configuration at scan timestamp only.