How classifications are decided — and disputed.

How classifications are granted

The classification you see on the platform is the result of two inputs:

Your scan answers — submitted via the Quick Scan (indicative) or Extended Scan (self-verified), scored against our published scoring model.
A supporting evidence review for Extended Scans — we read the notes and documents you submit, and we may ask for clarification before the classification is confirmed.

For Quick Scans, results appear immediately and are marked as indicative. For Extended Scans, we target turnaround within ten working days. If we have questions, we reach out before finalising.

The scoring methodology

The scoring model measures six weighted domains: jurisdiction, data residency, infrastructure, AI dependency, vendor concentration, and governance. Weightings, question bank, and threshold values are published alongside each release of the scan.

Transparency: any classified company can request the exact numerical breakdown that led to its score. Our commitment is that nothing in the scoring is hidden behind “proprietary secret sauce” marketing.

When we update the model

The scoring model evolves as the regulatory landscape and vendor ecosystem shift. Updates are:

Published with release notes and an effective date.
Previewed with Founding Members at least four weeks before they become active.
Applied to new classifications immediately; existing classifications keep their current class until their annual refresh or a voluntary re-scan.

Disputes and corrections

If you believe your own classification is wrong, or that another company's classification is misleading:

Email info@eucompany.org with the specific concern and, ideally, the question or domain you want reviewed.
We acknowledge within five working days and begin a review.
If a correction is warranted, we update the classification, annotate the public profile, and notify the affected company.
If the dispute relates to factual misrepresentation (a company claims an E-class it cannot substantiate), we may suspend or withdraw the classification pending resolution.

Annual refresh

Classifications expire twelve months after issuance unless refreshed. Companies are prompted to either re-run the scan or confirm that their answers still hold. A stale classification is removed from the public directory until refreshed.

Conflict of interest controls

Independence is a structural issue, not a statement of good intent. The controls we apply:

No paid-for classifications. Payment on the platform only unlocks deeper analysis and visibility features — never a better class.
Advisory and classification are separated. Consulting services offered by Westcube Management BV are not a prerequisite for, or factor in, any classification.
Founding Members do not set their own scores. They shape the criteria prospectively, not their individual results.
Public audit trail. Substantive changes to the scoring model are versioned and kept publicly accessible.

Relationship to formal frameworks

EUCompany.org is not a regulatory body and our classification is not a formal certification. We complement — but do not replace — frameworks like GDPR, NIS2, EU Cloud Code of Conduct, ISO 27001, or sector-specific compliance regimes. If you already meet one or more of those, the scan highlights where you are already aligned and where sovereignty gaps remain.

Governance roadmap

We are starting lean and deliberately conservative:

Today (2026): operated by Westcube Management BV, scoring reviewed by a small internal team with Founding Member feedback.
Phase 2: an external advisory panel of independent voices (practitioners, not vendors) reviews scoring-model changes.
Phase 3: transition to a non-profit foundation (stichting) to formalise governance and further decouple the initiative from any single commercial entity.

Progress against this roadmap is reported once per year alongside the annual refresh cycle.

Getting in touch

Governance questions, dispute requests, or suggestions: info@eucompany.org, or use our contact form.