CAN/DGSI 100-8, Data Governance – Part 8: Framework for Digital Sovereignty

This document specifies the minimum requirements and provides a framework for organizations to protect and assess its ability to control and govern its digital infrastructure, data, and technologies in their custody from jurisdictional risks, while taking advantage of the global technology ecosystem.

The document is not intended to prescribe how an organization should implement specific security controls. Instead, the Standard guides organizations using jurisdictional and technology-agnostic approaches that can be adapted to address specific business requirements.

Considerations are given to:
• Identification and categorization of digital infrastructure, data, and technology assets;
• Development of an appropriate threat model;
• Identification of potential risks, including from laws in foreign jurisdictions;
• Options to mitigate associated risks; and
• Adherence to data sovereignty due diligence and transfer requirements under applicable law and regulations.

The document is modeled from ISO/IEC TS 10866:2024, Information technology — Cloud computing and distributed platforms — Framework and concepts for organizational autonomy and digital sovereignty.

This document applies to all sectors, including public and private companies, government entities, and not-for-profit organizations.

DATE POSTED: September 4, 2025

DEADLINE FOR COMMENTS: October 10, 2025