Summary

The Federal Office for Information Security (BSI) has published the "Criteria Enabling Cloud Computing Autonomy" (C3A), a catalog that defines when a cloud solution is technically sovereign. The criteria address dependencies on non-European cloud providers such as AWS, Azure, or Huawei and define concrete requirements for secure, independent infrastructure. The C3A catalog builds on existing C5 security criteria and is expected to influence the debate around the EU Commission proposal "Cloud and AI Development Act" (CADA), planned for May 2026. The BSI draws on experience from projects such as DelosCloud, Stackit, and T-Systems Sovereign Cloud.

Persons

Topics

  • Cloud security and digital sovereignty
  • European IT independence
  • Compliance and regulation
  • Critical infrastructure

Clarus Lead

The C3A initiative responds to strategic pressure: the planned submission of CADA by the EU Commission in May 2026 will clarify a European definition question that has remained politically vague until now. The BSI positions itself with a technically viable proposal to concretely structure the upcoming regulatory debate – and thereby potentially shape requirements for public administration, critical infrastructure, and defense across the EU. In parallel, France is testing a national path with ANSSI in which French companies are mandatorily involved; Germany's C3A approach, by contrast, aims at European standards with graduated application profiles.


Detailed Summary

The C3A operationalizes sovereignty in four dimensions. Technical decoupling becomes clear in criterion SOV-4-09-C: cloud operators must maintain operations in the event of disconnection (separation from the non-European system) without endangering availability, integrity, or confidentiality. This must be documented and tested at least annually. The enhanced requirement SOV-4-09-AC additionally demands disclosure of documentation to local IT security authorities.

Legal and personnel requirements are also graduated. Criterion SOV-4-01-C1 requires EU citizenship and EU residence for all employees with logical or physical access. The stricter variant SOV-4-01-C2 restricts this to residence in the Federal Republic of Germany – relevant for high-security zones such as security agencies or the Bundeswehr. Providers must not be subject to non-EU jurisdiction; the location of IT maintenance activities is also regulated.

Defense case provisions are new in European cloud catalogs. The C3A defines that operators must transfer operations including material and personnel to federal authorities in the event of a defense case as regulated by the Constitution. While the BSI has no direct legal responsibility for this, it is preparing standard scenarios.

Implementation path: The C3A criteria are not directly binding but can become minimum requirements through legislation or procurement procedures. They supplement the already legally binding C5 security catalog and build on IT baseline protection (IT-Grundschutz) as well as the OPS 2.2 module. For federal agencies, the minimum standard for using external cloud services (MST-NCD) is already mandatory – the C3A will extend this obligation.


Key Statements

  • With C3A, the BSI creates a binding reference framework for cloud sovereignty that combines technical security (C5) with independence requirements
  • Concrete criteria address disconnection security, personnel EU restrictions, and defense case scenarios
  • The catalog is strategically positioned ahead of the EU Commission's submission of CADA (May 2026) and could shape European regulation
  • Hyperscalers such as AWS or Azure can partially meet C3A requirements; complete decoupling will not be continuously feasible for several years

Critical Questions

  1. Evidence/Data Quality: What specific technical tests and breakthrough scenarios do the disconnect criteria (SOV-4-09-C) concretely build on? How was "at least annual testing" validated as a security interval?

  2. Conflicts of Interest: The BSI spoke with providers (AWS, Schwarz-Digits, SAP) in developing C3A – how was neutrality ensured regarding large providers and mid-market alternatives?

  3. Causality/Alternatives: Can cloud infrastructure actually operate for multiple years in complete decoupling from US operator systems, or will hidden dependencies (software updates, security patches) undermine autonomy?

  4. Feasibility: Which German or European cloud providers already meet the requirement SOV-4-01-C2 (Federal Republic residence for all employees)? How realistic is this requirement for scalability?

  5. Regulatory Risk: If the EU passes CADA without reference to C3A, the German catalog loses binding force – how does the BSI plan to address this divergence?

  6. Jurisdiction: Does the C3A's exclusion of non-EU jurisdiction apply only to holding structures with EU subsidiaries or only to operational control?


Sources

Primary Source: BSI defines when a cloud is truly sovereign – https://www.heise.de/news/BSI-definiert-wann-eine-Cloud-wirklich-souveraen-ist-11272737.html (Heise Online, Author: Falk Steiner)

Verification Status: ✓ 2026


This text was created with the support of an AI model. Editorial Responsibility: clarus.news | Fact-Check: 2026