Version 0.1 — Working Draft

The Lighthouse
Framework

A Digital Sovereignty Assessment

For Crown Dependencies and Associated Offshore Financial Centres. A structured instrument for assessing and documenting digital sovereignty posture — where no adequate framework has existed until now.

Download v0.1 Read the framework →

The Problem

A gap no existing framework fills

Crown Dependencies and Associated Offshore Financial Centres operate sophisticated professional services sectors under their own legislative frameworks — outside both the UK and EU, yet deeply integrated with global systems.

Existing frameworks were not built for this. Cyber Essentials addresses hygiene, not jurisdiction. EUCS doesn't apply. NIST offers structure but no guidance on the CLOUD Act, FISA 702, or the compellable disclosure obligations that create the most acute sovereignty risks.

The result: no single instrument allows a Crown Dependency professional services firm to assess, document, and communicate its digital sovereignty posture coherently.

The Lighthouse Framework is designed to fill that gap.

What existing frameworks miss

✗Cyber Essentials — addresses hygiene only. No jurisdictional exposure assessment. No SaaS layer. No AI tooling governance.
✗EUCS — geographically bounded. Does not apply to Crown Dependencies or BOTs.
✗ISO 27001 — useful technical structure. No guidance on CLOUD Act reach or compellable disclosure.
✗NIST CSF — US-centric. No sovereignty layer. No Crown Dependency jurisdictional context.
✗None of the above address the SaaS application layer — where most actual risk lives for professional services firms.

The Framework

Nine dimensions of sovereignty

Each dimension addresses a distinct layer of exposure that existing frameworks fail to cover adequately — or do not cover at all.

Jurisdictional Exposure

Vendor ownership, legal reach instruments, sub-processor chain, and the gap between contractual and actual data residency.

Data Governance

Classification frameworks, retention and deletion obligations, portability, cross-border transfer mechanisms.

Infrastructure Sovereignty

Hosting jurisdiction, network routing, encryption, key management, and who ultimately controls access.

SaaS & Application Layer

Application inventory, shadow SaaS, per-application data classification, vendor jurisdiction, offboarding verification.

AI Tooling

Embedded AI features, model provenance, inference jurisdiction, autonomous action scope, audit trail requirements.

Operational Security

Patch management, identity and access control, incident response, supply chain security — proportionate to organisation size.

Regulatory Alignment

Jurisdiction-agnostic mapping structure for applicable data protection, sector regulation, and certification frameworks.

Contractual Protections

Audit rights, sub-processor veto, change of control protections, data return obligations, breach notification terms.

Continuity & Exit

Vendor dependency risk, exit planning, data portability enforceability, transition runway, lock-in assessment.

Who it's for

Built for Crown Dependency professional services

The framework addresses the common core problem: data simultaneously subject to local jurisdiction, UK reach, EU GDPR, and US legal process — with no single instrument that maps that exposure coherently.

⚖️

Law Firms

Legal professional privilege, cross-border matter management, CLOUD Act conflict on US client matters.

🏦

Financial Services

Trust administration, fund management, AML/KYC data, UBO registers, FSA-regulated entities.

📊

Accountancy & Tax

Client confidentiality, HMRC data handling, cross-border tax structures, statutory retention obligations.

🏛️

Government & Quasi-Gov

Public bodies, arm's-length organisations, procurement decisions with long-tail sovereignty implications.

Also applicable to: insurance and captive insurance managers, corporate services providers and registered agents, healthcare and healthcare-adjacent organisations.

Jurisdictions covered: Isle of Man · Jersey · Guernsey · British Virgin Islands · Cayman Islands · Bermuda · Gibraltar

Get the framework

Download version 0.1

Version 0.1 is a working draft published for consultation. It is complete enough to be useful and explicitly versioned to invite contribution. A scoring methodology will follow in version 1.0.

Licensed under CC BY 4.0. Free to share and adapt with attribution to The Lighthouse Framework Working Group.

Word Document · .docx

Lighthouse Framework v0.1

Editable format for LibreOffice or Word. For internal use, annotation, and distribution.

Markdown · .md

Lighthouse Framework v0.1

Source format. Git-friendly, renders in Obsidian, Forgejo, GitHub. Authoritative version.

Governance

The Working Group

The Lighthouse Framework is published by The Lighthouse Framework Working Group — an independent body coordinating the development, revision, and consultation of the framework across Crown Dependencies and Associated Offshore Financial Centres.

Practitioners from across the covered jurisdictions are invited to contribute. Version 0.1 is the starting point — not the finished article.

Contact the working group

contact@lighthouseframework.org

Administered by The Haunted Lighthouse Limited on behalf of the working group.

Revision schedule

0.1 Current Working draft — open for consultation

0.2 Planned Incorporates consultation feedback

1.0 Planned Published standard with scoring methodology

The framework is published under CC BY 4.0. Free to share and adapt for any purpose with attribution to The Lighthouse Framework Working Group.

The LighthouseFramework