Publicly document the governance jurisdiction of the main components of our supply chain
What this is, concretely
This commitment consists of publishing, on your website, readable documentation of the main components of your software supply chain with their governance jurisdiction. The supply chain, in the sense of the manifesto, is not limited to the software you use: it includes the forge where your source code resides (GitHub, GitLab, Codeberg, internal instance), the package registries that deliver your dependencies daily (npm, PyPI, Maven Central, RubyGems, crates.io), container registries (Docker Hub, GitHub Container Registry, Quay.io), continuous integration services (GitHub Actions, GitLab CI, CircleCI, Jenkins), and certificate providers (Let’s Encrypt, DigiCert, Certigna, CertEurope).
The commitment does not require an exhaustive technical mapping of your source code — it requires public visibility on the rails through which your activity passes. The format may be a simple web page, a table, or a document included in a wider Sovereignty Profile if you also publish a publisher Profile. Recommended precision: name of the service, governance jurisdiction, model (commercial, foundation, association), optional commentary on history or known alternatives.
Why this commitment matters
The supply chain is the most often forgotten blind spot in sovereignty analyses. Organisations that examine their software and their hosting providers carefully often neglect registries and forges, although their failure or capture would have immediate operational effects. Thesis 7 of the manifesto states it bluntly: “distributing free software through registries and networks under foreign jurisdiction is to grant that jurisdiction a right of inspection and interruption over what we believe we own.”
Historical incidents have illustrated this. The left-pad crisis in March 2016, where the withdrawal of a tiny npm package broke tens of thousands of builds worldwide, demonstrated the structural fragility of this chain. The Docker Hub anonymous-download limits in November 2020, the voluntary withdrawals of colors.js and faker.js in January 2022, more recently the suspensions of services to Russia in March 2022 (Microsoft, Adobe, Visa, Mastercard), show that the jurisdictions and operators of this chain are real levers.
The commitment contributes to a wider commons: if several European organisations publicly document their chain dependencies, the manifesto’s gap observatory can aggregate that data and make critical concentrations visible. Thesis 6 sums up the spirit: “the technological sovereignty of a piece of software is measured against its entire chain.”
A concrete example
A French public cultural institution with an IT team of 8 people takes this commitment in March 2026 with a 9-month horizon. The team inventories the services by category. Forge: self-hosted GitLab on internal infrastructure in France (European governance for the instance, GitLab CE code under US governance). Package registries: npm for the frontend (US governance, Microsoft), PyPI for the Python backend (US governance, PSF, AWS and Fastly infrastructure), Maven Central for a few Java tools (US governance, Sonatype). Container registry: self-hosted Harbor mirroring Docker Hub. CI/CD: GitLab CI on the internal instance. Certificates: Let’s Encrypt for public services, Certigna for eIDAS qualified certificates.
The institution publishes a readable table on its website with an introductory pedagogical note explaining why the documentation is useful to the public and to peers. The page is updated annually. Six months after publication, two other regional cultural institutions take the same commitment, drawing on the published table.
Anti-pattern to avoid
Internal documentation classified “confidential” does not fulfil the commitment, which is explicitly to publish. Public documentation reduced to “we use industry standards” says nothing usable. The value lies in the precision of service names and in the mention of jurisdiction.
Success indicators
By the 9-month horizon, you can reasonably consider this commitment fulfilled if a public page on your website documents by name the services of your supply chain with their jurisdiction, if the list covers at minimum forge, package registries used, container registry, CI/CD, and certificates, and if an annual update procedure is defined internally.
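The inventory from the concrete example above, recorded in a machine-readable form and checked against the minimum coverage the success indicators ask for; this is an added illustration, not a format prescribed by the manifesto or the dossier. The field names, the category keys, and the jurisdiction labels the page does not state (self-hosted Harbor, Let's Encrypt) are assumptions of this example.

```python
"""Machine-readable supply-chain inventory with a completeness check.

Constructed example data modelled on the institution described on this page.
Field names and category keys are an assumption of this example, chosen to
match the page's recommended precision (service, jurisdiction, model, comment).
"""
from collections import defaultdict

# Minimum categories the success indicator requires the public page to cover.
REQUIRED_CATEGORIES = {"forge", "package_registry", "container_registry", "ci_cd", "certificates"}
REQUIRED_FIELDS = ("category", "service", "jurisdiction", "model")

# Constructed inventory following the concrete example; Harbor and Let's Encrypt
# jurisdictions are assumed, the page does not state them.
INVENTORY = [
    {"category": "forge", "service": "GitLab CE (self-hosted, France)", "jurisdiction": "EU (instance) / US (code)", "model": "commercial"},
    {"category": "package_registry", "service": "npm", "jurisdiction": "US", "model": "commercial", "comment": "Microsoft"},
    {"category": "package_registry", "service": "PyPI", "jurisdiction": "US", "model": "foundation", "comment": "PSF; AWS and Fastly infrastructure"},
    {"category": "package_registry", "service": "Maven Central", "jurisdiction": "US", "model": "commercial", "comment": "Sonatype"},
    {"category": "container_registry", "service": "Harbor (self-hosted, mirrors Docker Hub)", "jurisdiction": "EU", "model": "foundation"},
    {"category": "ci_cd", "service": "GitLab CI (internal instance)", "jurisdiction": "EU", "model": "commercial"},
    {"category": "certificates", "service": "Let's Encrypt", "jurisdiction": "US", "model": "foundation"},
    {"category": "certificates", "service": "Certigna", "jurisdiction": "FR", "model": "commercial", "comment": "eIDAS qualified"},
]

def check_inventory(entries):
    """Return (missing categories, services lacking a required field)."""
    seen = {e.get("category") for e in entries}
    missing = sorted(REQUIRED_CATEGORIES - seen)
    incomplete = [e.get("service", "?") for e in entries
                  if any(not e.get(f) for f in REQUIRED_FIELDS)]
    return missing, incomplete

def concentration_by_jurisdiction(entries):
    """Count services per jurisdiction label: the view an observatory would aggregate."""
    counts = defaultdict(int)
    for e in entries:
        counts[e["jurisdiction"]] += 1
    return dict(counts)

def render_table(entries):
    """Render the public table as plain text, one line per service, header first."""
    columns = ("category", "service", "jurisdiction", "model", "comment")
    lines = [" | ".join(columns)]
    for e in entries:
        lines.append(" | ".join(str(e.get(k, "")) for k in columns))
    return "\n".join(lines)
```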
→ Documented in the dossier
- Family 2 — Foundations and jurisdiction
- Family 3 — Distribution chains
- Family 6 — Supply chain fragility
JSON schema category: audit. Default horizon: 9 months. Applicable to: businesses, public administrations, associations, foundations, research institutions.