What is this?
An interactive map of administrative regions, municipalities and the largest listed companies across all the Nordic countries, showing digital sovereignty exposure across two dimensions:
MX tab — which provider handles official email, classified by legal jurisdiction based on DNS records.
CA tab — which Certificate Authority controls the certificate for each entity's public website, revealing a second axis of US jurisdiction exposure independent of email.
Why it matters
US Cloud Act: Microsoft 365, Google Workspace, Amazon, DigiCert, and other US-headquartered providers are subject to the CLOUD Act, which allows US authorities to demand access to data and infrastructure regardless of where it is physically hosted — even when GDPR applies.
An institution may have migrated email to a European provider yet still rely on a US-controlled CA to secure its public website — or vice versa. Both layers matter for a complete sovereignty assessment.
How does it work?
MX: Each domain is checked via DNS (MX, SPF, CNAME, DKIM, autodiscover, TXT), SMTP banners, ASN lookups, and a Microsoft tenant API. Email security gateways (FortiMail, Barracuda, Heimdal, etc.) are detected and looked through to find the actual backend provider. Confidence-scored and quality-gated before publishing.
CA: Each domain is scanned via a live TLS handshake to retrieve the full certificate chain. The issuing CA is matched against a signature database covering Let's Encrypt, DigiCert, Amazon, Google Trust, Sectigo, GlobalSign, HARICA, Buypass, Telia and others, then classified into five risk tiers by jurisdiction.
Data is refreshed weekly via GitHub Actions.