CAN/DGSI 100-8, Data Governance – Part 8: Framework for Digital Sovereignty
This document specifies the minimum requirements and provides a framework for organizations to assess their ability to protect, control, and govern their digital infrastructure, data, and technologies in their custody from jurisdictional risks, while taking advantage of the global technology ecosystem.
The document is not intended to prescribe how an organization should implement specific security controls. Instead, the document guides organizations using jurisdictional and technology-agnostic approaches that can be adapted to address specific business requirements.
Considerations are given to:
• Identification and categorization of digital infrastructure, data, and technology assets;
• Development of an appropriate threat model;
• Identification of potential risks, including from laws in foreign jurisdictions;
• Options to mitigate associated risks; and
• Adherence to data sovereignty due diligence and transfer requirements under applicable law and regulations.
The document is modeled on ISO/IEC TS 10866:2024, Information technology — Cloud computing and distributed platforms — Framework and concepts for organizational autonomy and digital sovereignty.
This document applies to all sectors, including public and private companies, government entities, and not-for-profit organizations.
This document assumes that the Organization implementing the following requirements has in place existing risk management policies and procedures.
NOTE: For those applying the document, in the event of a potential inconsistency or ambiguity between this document and applicable data privacy legislation, the law prevails. Where personal information is used in the document, local jurisdictional, legal and/or regulatory definitions apply.