Methodology

A data-driven, fully-automated framework

The European Digital Resilience Index (EDRIX) measures the tangible, real-world digital outcomes of each EU27 member state. Rather than scoring policy intent, it observes what citizens, businesses, and governments actually do: which operating systems people run, which browsers they use, who hosts their domains and email, and how dense their developer communities are.

Since the June 2026 release, EDRIX is computed entirely from public, automatically refreshable data sources. No manual curation. No closed datasets. Every quarterly publication is generated end-to-end from the same pipeline.

The current EDRIX (version 2.0) rests on four pillars and five raw metrics.

The four pillars

Pillar Metric(s)
Developer Ecosystem GitHub developers per capita
Grassroots Adoption Linux share on desktops and laptops + Sovereign browser share
Private sector resilience Sovereignty rating of national-TLD domains
Public sector resilience Sovereignty rating of official / government domains

1. Developer Ecosystem

Digital resilience requires the capacity to build and maintain technology, not just consume it. We measure the density of each country's developer community.

  • Source: GitHub's Innovation Graph, GitHub's official open dataset of developer activity, updated quarterly.
  • Metric: the country's share of the world GitHub developer population, normalized by the country's population in millions. Per-capita normalization prevents large countries from mechanically dominating a raw developer-count ranking.
  • Period: the most recent quarter available at publication time.

2. Grassroots Adoption

The on-the-ground digital choices of citizens and businesses on their desktops and laptops. Two sub-metrics, averaged:

  • Linux share on desktops and laptops — the proportion of human web traffic from desktops and laptops in the country originating from a Linux machine.
  • Sovereign browser share — the combined share of Firefox and Opera among human visits from desktops and laptops. Brave is rolled into Chrome by Cloudflare's user-agent classification and cannot be separated at the browser-family level; we name this limitation explicitly.

Both come from Cloudflare Radar, filtered to human traffic from desktops and laptops, aggregated over a trailing 90-day window matching the Radar dashboard's headline view. The aggregation is volume-weighted across the full period — the same calculation Cloudflare Radar's own dashboard performs.

3. Private sector resilience

A proxy for the digital sovereignty of a country's private-sector technology choices.

  • Method: a sovereignty rating algorithm is applied to the top 500 domains in each national TLD as ranked by Cloudflare Radar. Each domain's web and mail server is classified by the company that owns the ASN, regardless of where the IP geolocates. A subsidiary of a US company (e.g. Equinix (Germany) GmbH, Cloudflare London, LLC, Liquid Web B.V.) is classified as US; same for subsidiaries of UK companies (e.g. M247 Europe SRL, owned by UK M247 Ltd). Non-EU-controlled providers (US, post-Brexit UK) score 0.0; EU providers score 1.0; servers that geolocate outside the EU without matching a keyword also score 0.0 (safety net).

  • Non-EU27-owned brands on national TLDs are excluded. amazon.fr, google.sk, tiktok.fr, wise.fr, bbc.fr, yandex.fr, sony.fr, airbnb.fr and similar use a national TLD for localisation but the underlying property is owned outside the EU27 — counting Amazon-hosting-Amazon as "French private-sector sovereignty" would be misleading. The exclusion list covers ~140 brand stems across:

    • United States (Google, Amazon, Microsoft, Meta, Apple, X, eBay, Airbnb, Tripadvisor, Netflix, Adobe, Salesforce, Cloudflare, Akamai, Fastly, OpenAI, etc.)
    • China (TikTok, Alibaba, Tencent, Baidu, JD, Xiaomi, Huawei, Temu, Shein, ByteDance, etc.)
    • Russia (Yandex, VK, Mail.ru, Ozon, Kaspersky)
    • United Kingdom (BBC, Sky, Wise, Vodafone, Arm, Dyson, post-Brexit)
    • Japan / South Korea (Sony, Samsung, LG, Naver, Kakao, Line, Rakuten)
    • Israel, Switzerland, India, Singapore, Australia (Wix, Fiverr, Nestlé, Logitech, Atlassian, Canva, Tata, etc.)

    A brand is matched on its second-level domain, so subdomains are also covered. Spotify, Klarna, Booking.com (Dutch) and other EU27-owned digital businesses are explicitly kept in. The list is curatable and reviewed each publication. Available on request.

  • Sample: capped at 500 domains per national TLD, after the US-owned-brand exclusion. A few of the smallest TLDs have fewer than 500 entries in Cloudflare's top-1M list and contribute everything they have — Malta is the most extreme, with 93 .mt domains in total. Cyprus (238) and Luxembourg (247) are the next constraints.
  • Aggregation: average rating across each country's sample. Domains that could not be measured (unresolvable, no MX, no SOA) are excluded.

The top-N sample is a deliberate trade-off. Larger TLDs (.de, .fr) have tens of thousands of domains in Cloudflare's top-1M; averaging over all of them would place Germany's score in the long tail of small German sites running on Hetzner / Strato, rather than where Germans' most-visited infrastructure actually lives. Restricting to the top-500 measures the high-traffic surface honestly and keeps statistical noise low (~2 percentage points on a 50% rate). Small-TLD countries use their full available set rather than being dropped from the comparison.

4. Public sector resilience

The technological sovereignty of the state itself: where the head-of-state, government, and capital-city websites are hosted.

  • Method: the same sovereignty rating algorithm, applied to a curated list of official / public-sector domains (~3 per country: head of state, government portal, capital city).
  • Aggregation: average rating per country.

Detailed index calculation

The same three-step normalization applies to every quarterly publication.

Step 1 — Normalize each metric to 0–10.
Each of the five raw metrics is min-max normalized across the 27 EU member states: the lowest value scores 0, the highest scores 10, and others linearly in between.

Step 2 — Pillar score.
Pillars composed of multiple metrics — only Grassroots Adoption, today — take the unweighted mean of their normalized sub-metric scores. Single-metric pillars use the normalized value directly. The resulting pillar scores are then re-normalized across the 27 member states to 0–10, so each pillar can hit its full range and contributes equally to the final index.

Step 3 — EDRIX.
The final EDRIX score is the arithmetic mean of the four normalized pillar scores, ranging from 0 (lowest in every pillar) to 10 (highest in every pillar).

Archive and traceability

Every quarterly publication is generated by a single automated pipeline that refreshes all five metrics, assembles the inputs, and recomputes the index — a process that runs in under two minutes against the live data sources.

For each publication we archive, in dated form, the assembled inputs, one snapshot per metric, and the computed index. Because the pillar normalization is min-max across the 27 member states, any past edition can be recomputed exactly from its archived inputs. The full archive — current and prior editions, methodology versions included — is available on request for academic or journalistic verification.

Methodology history

EDRIX 1.0 (September 2025) — five pillars

The original publication used a five-pillar framework with two additional inputs that have since been retired:

  1. Public Policy — based on the 2024 Open Source Observatory (OSOR) report. Scored each country's public-sector Open Source strategy, OSPO presence, and legal framework.
  2. Developer Ecosystem — GitHub developers per capita plus per-capita count of vetted solutions in the EuroStack Directory.
  3. Grassroots Adoption — Linux desktop share + Sovereign browser share + a separate "Open Source browser share" sub-metric (Firefox + Brave only) used solely for EOTRIX.
  4. Private Sector Digital Resilience — Domain sovereignty ratings plus per-capita count of EuroStack Industry Initiative supporters.
  5. Public Sector Digital Resilience — same as today's public sector resilience pillar.

The September 2025 publication also computed a companion index, EOTRIX (European Open Technology Readiness Index) — a 3-pillar score restricted to OSOR + GitHub developers + Linux / Open Source browser share. EOTRIX has been retired pending redesign.

Why the methodology changed (May 2026)

To make automated, regular publication possible, every input needed to be automatically refreshable. Three inputs were incompatible with that goal:

  • OSOR 2024 ratings — manually curated, updated less than annually, sourced from PDF reports. Dropped. The Public Policy pillar was folded into public sector resilience — both measure state-led digital choices, and the domain-rating signal is the more direct, more frequently-updatable measure of public-sector practice.
  • EuroStack Solutions per capita — manual curation by the EuroStack project, infrequent updates. Dropped.
  • EuroStack Supporters per capita — same. Dropped.

The four-pillar EDRIX 2.0 is the result. Every remaining metric refreshes in well under two minutes from automated, public sources.

Known data-quality corrections

September 2025: public sector resilience column. The original September 2025 inputs accidentally used the same value for both private sector resilience (all national-TLD domains) and public sector resilience (official / government domains only) — the public-sector column was never separately measured. The retroactive correction (June 2026), using the same August 2025 domain database against the current sovereignty rating logic, produces a markedly different public-sector picture for that historical snapshot. The most visible effect was Czech Republic falling from #3 to #6 in the corrected September 2025 ranking (its public-sector score was inflated by the duplication bug), and seven countries (Austria, Croatia, Germany, Hungary, Luxembourg, Romania, Slovenia) reaching a true 10/10 in public sector resilience in that corrected September 2025 snapshot. The June 2026 publication shows different numbers — only four countries (Austria, Croatia, Romania, Slovenia) reach 10/10 — because the underlying domain hosting has shifted in the intervening nine months and because the EDRIX 2.0 methodology now distinguishes EU providers from non-EU providers (US and post-Brexit UK) rather than only checking the IP's geographic country.

June 2026: Cloudflare aggregation method. The first June 2026 run computed Linux share on desktops and laptops and Sovereign browser share by averaging hourly traffic snapshots, which biased the result upward by ~0.5–1.0 percentage points per country (Linux usage is over-represented during low-traffic night hours, and a simple hourly mean over-weights those hours). The current methodology uses volume-weighted aggregates over the same period — the same calculation Cloudflare Radar performs for its own dashboard. The original June 2026 figures, if cited anywhere, should be considered superseded.

Limitations and anticipated critiques

Why measure only the web and mail?

The web and mail are the only infrastructure layers that are publicly observable and systematically measurable at the scale of 13,500 domains (top-500 × 27 TLDs). Anyone with a DNS resolver and an HTTP client can reproduce the measurement; no privileged access is required. The "hidden" layers (internal workloads, payment systems, IoT, mobile applications) are often more dependent on US hyperscalers than what EDRIX reveals — but they are not measurable from the outside without an organisational audit. Including those layers would turn EDRIX from a public, reproducible index into a proprietary audit.

The web and mail are not exhaustive; they are representative. A presidential site on Cloudflare is a conscious, public choice; it says something about the state's sovereignty posture. And the inverse — a sovereign web and mail stack but workloads entirely on AWS — is statistically rare.

Why measure Linux share on desktops and laptops?

It is the most concrete grassroots adoption signal of an alternative to the Windows/macOS ecosystems dominated by the United States. It captures both the technical engagement (Linux requires know-how) AND the conscious choice for a non-US option.

Its limits are explicit: it does not measure Linux on servers (where it dominates everywhere), does not capture ChromeOS, does not distinguish between distributions. At 4.0% EU27, it is a trend proxy, not a production measure. But the trend matters: moving from 3.7% to 4.0% in nine months is measurable, comparable between countries, and reproducible via Cloudflare Radar.

An alternative metric (purchases of Linux-certified hardware, deployments in local government, engagement on European distributions) would be either non-measurable publicly, or non-comparable across the 27 member states.

Why measure developers via GitHub, when GitHub is owned by Microsoft?

Measuring developers via GitHub presents a paradox — GitHub is owned by Microsoft, a US company, and EDRIX measures European digital resilience. We acknowledge that, for lack of a better source.

The data from the Innovation Graph is the best public proxy available for the density of a country's developer community — an open dataset, per country, quarterly, reproducible. The alternatives are not usable at country level: GitLab does not publish externally accessible per-country activity statistics; Codeberg has not responded to our requests. The metric will be supplemented by other sources as soon as comparable data becomes available.