In the first week of June, I used CERTavia to scan 289 European enterprise domains across six industries. Every scan is grounded in the Sovereign Validation Protocol (SOVP), a deterministic infrastructure validation framework I developed, filed as an IETF internet draft, and submitted to the USPTO as a provisional patent.
SOVP checks 80+ parameters across 6 clusters (A through F). The result is binary: SOVP-CERTIFIED or SOVP-FAILED. The CERTavia Evaluation Score (CES) is the numerical overall value (0 to 100) that aggregates the individual scores of all six clusters. It shows exactly which clusters need work to reach CERTIFIED. The cluster structure and parameter definitions are modeled on the infrastructure-relevant requirements of the EU AI Act, particularly Article 15.
This first large-scale benchmark provides a clear baseline: the overall average CES is 16.6 out of 100. The best individual score, measured at a DAX 40 company, is 52.5.
The Numbers
Six industries, 289 domains. Here's the baseline by sector:
- DAX 40 (40 domains): Ø 25.4 · Max 52.5
- Automotive & Industry (50): Ø 23.7 · Max 46.6
- Financial Sector (BaFin-regulated) (50): Ø 13.0 · Max 38.8
- Healthcare & Pharma (50): Ø 12.7 · Max 41.9
- Critical Infrastructure (49): Ø 13.7 · Max 38.6
- Federal Agencies & EU (49): Ø 10.9 · Max 35.6
What Interests Me About These Numbers
I built SOVP to make exactly this kind of measurement possible. What strikes me most about the results: federal agencies and EU institutions — the very bodies enforcing NIS2 and the EU AI Act on everyone else — score the lowest of any sector in the entire benchmark, at Ø 10.9 points.
This layer of requirements is new. The entire market is at the beginning of this shift.
Cluster F (AI Governance) reaches an industry-wide average of Ø 6.9 points. Cluster E (Agentic Readiness) sits at Ø 8.8. Both clusters measure the infrastructure layer that the EU AI Act treats as a basic technical prerequisite: machine-readable governance signals that an AI system can evaluate in a rule-based, reproducible way. Whoever invests here early builds a structural lead.
What This Means for the Coming Months
DORA has been mandatory since January 2025. The EU AI Act enforcement phase is underway. Companies currently operating at a CES of 13 points in the financial sector have concrete work to do building machine-readable infrastructure evidence. The decisive advantage of SOVP: it's auditable, deterministic, and cryptographically signed. That makes progress measurable.
The benchmark is published twice a year. The next scan is planned for late 2026.
Full report with industry tables and methodology at certavia.org →