The problem
What today's M2M auth can't deliver in the public sector.
A city contracts a gov-tech vendor for citizen-records management. The contract says: you and your sub-contractors will handle citizen data per GDPR and national law. The vendor signs. Procurement closes. Citizen records start flowing. In production, the vendor runs on a cloud platform. The cloud uses managed sub-services. Those sub-services rely on internal sub-processors, ship data across regions, and reload their own sub-processor lists quarterly through a PDF the city's IT director has never seen. The chain extends three or four further hops than the procurement file enumerates.
When the city is asked to demonstrate compliance — by its own DPO under GDPR Art. 30, by a member-state competent authority under NIS2 (public administration is explicitly in scope per Annex I), by the national audit institution exercising its statutory audit right, or by a journalist filing an access request under member-state freedom-of-information law — the only artifacts on hand are the original procurement file, a yearly contractor self-attestation, and the stale sub-processor PDF. The current evidence stack is contractual, not evidentiary. Public procurement contracts under Directive 2014/24/EU define obligations; they do not produce evidence that those obligations were met during operation. Annual contractor self-attestations are paper documents the contractor writes about itself. NIS2 incident reporting triggers only after a failure. Member-state freedom-of-information laws give citizens access rights that the public body answers today by emailing the prime contractor.
National audit institutions — Valtiontalouden tarkastusvirasto, Riksrevisionen, Bundesrechnungshof, Cour des comptes, NAO — have statutory audit rights. They can ask. They are asking. The current answer is documents produced by the contractor, attested by the contractor's auditors, reviewed once a year.
How EdSSA addresses it
What EdSSA does differently here.
EdSSA Public Sector runs an attestor at each contractor and sub-processor boundary. When citizen data crosses a boundary — ingress, processing transition, egress to the next link, cross-region transfer, third-party API call — the attestor emits a cryptographically signed record describing what happened. The record commits to the data-handling event without exposing the citizen data itself. Each attestor's records anchor into a Tier-4 Merkle-anchored audit chain with a seven-year retention floor — comfortably above the typical member-state public-records retention minimum.
The chain is operator-independent: it can be replicated to mirror stores held by the public body itself, by a third-party transparency-log operator, by the member-state competent authority, or by the national audit institution directly. Verification does not require the cooperation of the party whose record is being verified. When the public body — or its DPO, a competent authority, the national audit institution, or a citizen exercising an access right — needs evidence, the operator produces a regulator-grade export bundle and the recipient verifies it independently. The verifier is software the state can hold, audit, and re-implement under the royalty-free standards-track licence.
EdSSA does not enforce contractor behaviour, replace the procurement contract, or certify any party as trustworthy. It produces what the current stack does not: a durable, operator-independent, archive-grade record of every contractor data-handling event, independently verifiable by the public body, the competent authority, the national audit institution, and the citizen. This posture — open protocol, royalty-free, RAND-Z licensing for conforming implementations, Helsinki HQ — is the only posture under which sovereign procurement can adopt a cryptographic-evidence layer at scale. An EU member state's public administration cannot standardise on a vendor-locked compliance product. It can standardise on a royalty-free open protocol with multiple conforming implementations.
Use cases
Concrete operational scenarios.
- Municipal contractor compliance evidence for NIS2 + GDPR Art. 28 oversight
- Ministry-level contractor chains with operationally verifiable register entries
- Regional shared-services entities serving multiple municipal customers
- Public hospital sub-processor chains for clinical-data exchange
- State-owned enterprise audit evidence for national audit institutions
- National e-government platform contractor ecosystems under eIDAS-adjacent oversight
Compliance & standards
Standards and regulatory regimes.
NIS2 Annex I public administration scope and Art. 21(2)(d) supply-chain security. GDPR Art. 28 + Art. 30 processor obligations and records of processing, with the controller typically operating under the Art. 6(1)(e) public-interest legal basis. Member-state national-law obligations on public-body data handling — Finland's Tiedonhallintalaki, Germany's Onlinezugangsgesetz, France's secteur public numérique framework. EU public procurement directives 2014/24/EU + 2014/25/EU + 2009/81/EC. eIDAS Regulation (EU) 910/2014 trust-service complement.
Audit emission
Per-contractor attestation records into the Tier-4 chain. edssa-admin compliance-export produces a regulator-grade evidence bundle the public body hands unchanged to a competent authority or national audit institution. Recipients verify independently with edssa-admin verify-anchor — software the state holds, audits, and re-implements under the royalty-free standards-track licence. No operator cooperation required after the archive handover.
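The attestor, chain and verifier flow described under "How EdSSA addresses it" and "Audit emission", as an added worked example in Go. This is not EdSSA's code, its record format, or the implementation behind edssa-admin compliance-export and verify-anchor: the record fields, the salted SHA-256 payload commitment, the Merkle layout (0x00/0x01 leaf and node domain separation), the Ed25519 signature and the three-hop demo chain are all assumptions chosen to show the two properties the text claims. First, a record commits to the data-handling event without carrying the citizen data. Second, a recipient holding only the attestor's public key and an anchor root from a mirror it holds itself can verify an exported record, and detect a rewritten or never-anchored one, without contacting the operator.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// AttestationRecord is an assumed shape (not EdSSA's wire format); it commits to a boundary event, not to the citizen data.
type AttestationRecord struct {
	Attestor   string // boundary that emitted it, e.g. a sub-processor
	Event      string // ingress | processing | egress | xregion | thirdparty
	Timestamp  string // RFC 3339
	PayloadRef string // hex(SHA-256(salt || payload)); the salt never leaves the attestor
	Signature  []byte // Ed25519 over canonical() of the four fields above
}

func canonical(r AttestationRecord) []byte {
	return []byte(r.Attestor + "|" + r.Event + "|" + r.Timestamp + "|" + r.PayloadRef)
}

// Commit hides the payload behind a salted hash, so a mirror holder seeing only PayloadRef cannot confirm guesses about it.
func Commit(salt, payload []byte) string {
	return fmt.Sprintf("%x", sha256.Sum256(append(append([]byte{}, salt...), payload...)))
}

// Emit is the attestor's action when data crosses its boundary.
func Emit(priv ed25519.PrivateKey, attestor, event, ts string, payload []byte) AttestationRecord {
	salt := make([]byte, 16)
	rand.Read(salt)
	r := AttestationRecord{Attestor: attestor, Event: event, Timestamp: ts, PayloadRef: Commit(salt, payload)}
	r.Signature = ed25519.Sign(priv, canonical(r))
	return r
}

// Leaf (0x00) and interior (0x01) hashes are domain-separated so an interior node can never pose as a record.
func LeafHash(r AttestationRecord) []byte {
	sum := sha256.Sum256(append(append([]byte{0x00}, canonical(r)...), r.Signature...))
	return sum[:]
}
func nodeHash(left, right []byte) []byte {
	sum := sha256.Sum256(append(append([]byte{0x01}, left...), right...))
	return sum[:]
}

// BuildProof anchors the leaves under one Merkle root and returns the sibling path for leaf idx (isRight[i]: side of sibling i).
func BuildProof(leaves [][]byte, idx int) (root []byte, siblings [][]byte, isRight []bool) {
	level := append([][]byte{}, leaves...)
	for len(level) > 1 {
		if len(level)%2 == 1 { // odd level: duplicate the last node
			level = append(level, level[len(level)-1])
		}
		var next [][]byte
		for i := 0; i < len(level); i += 2 {
			if i/2 == idx/2 { // this pair holds the leaf we are proving
				siblings = append(siblings, level[i+1-idx%2])
				isRight = append(isRight, idx%2 == 0)
			}
			next = append(next, nodeHash(level[i], level[i+1]))
		}
		idx, level = idx/2, next
	}
	return level[0], siblings, isRight
}

// VerifyExport is the auditor-side check: only the attestor's public key and an independently held anchor root are needed.
func VerifyExport(pub ed25519.PublicKey, anchor []byte, r AttestationRecord, siblings [][]byte, isRight []bool) error {
	if !ed25519.Verify(pub, canonical(r), r.Signature) {
		return fmt.Errorf("attestor signature does not verify")
	}
	h := LeafHash(r)
	for i, s := range siblings {
		if isRight[i] {
			h = nodeHash(h, s)
		} else {
			h = nodeHash(s, h)
		}
	}
	if !bytes.Equal(h, anchor) {
		return fmt.Errorf("record is not included under the anchored root")
	}
	return nil
}

// Demo builds a constructed three-hop chain (one key for all hops for brevity; each attestor would hold its own) and
// reports: genuine bundle verifies; rewritten record rejected; validly signed but never-anchored record rejected.
func Demo() (genuineOK, rewrittenRejected, unanchoredRejected bool) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	payload := []byte("constructed citizen record; never enters the chain")
	hops := [][2]string{{"vendor-A", "ingress"}, {"cloud-B", "processing"}, {"subproc-C", "xregion"}}
	recs, leaves := make([]AttestationRecord, len(hops)), make([][]byte, len(hops))
	for i, h := range hops {
		recs[i] = Emit(priv, h[0], h[1], fmt.Sprintf("2024-03-01T08:00:0%dZ", i*4), payload)
		leaves[i] = LeafHash(recs[i])
	}
	root, sib, right := BuildProof(leaves, 1)
	genuineOK = VerifyExport(pub, root, recs[1], sib, right) == nil
	rewritten := recs[1]
	rewritten.Event = "egress" // operator restates history after the fact
	rewrittenRejected = VerifyExport(pub, root, rewritten, sib, right) != nil
	late := Emit(priv, "cloud-B", "processing", recs[1].Timestamp, payload) // signed, never anchored
	unanchoredRejected = VerifyExport(pub, root, late, sib, right) != nil
	return
}

func main() { fmt.Println(Demo()) }
```

In this sketch the export bundle is the record plus its sibling path, and the anchor root is what a mirror store held by the public body, a transparency-log operator or the audit institution would retain; replacing the one shared demo key with a per-attestor key registry is the only change needed to verify a multi-contractor chain the same way.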
Customers
Operators in this vertical.
“The state audit institution received our first-ever cryptographically-anchored evidence package last quarter, and they verified it without contacting us.”