
BSI Publishes C3A: New Sovereignty Criteria for Cloud Services

With the Criteria enabling Cloud Computing Autonomy (C3A), the BSI provides a framework for evaluating the sovereignty characteristics of cloud services.

Published: April 2026
·
approx. 3 min read
Tags: Digital Sovereignty · BSI · C3A · Cloud · Compliance
Illustration: BSI C3A Cloud Sovereignty

With the C3A (Criteria enabling Cloud Computing Autonomy), the Federal Office for Information Security (BSI) has introduced a framework that serves as a "sovereignty checklist" for cloud services. It allows organizations to evaluate the sovereignty characteristics of a cloud offering against defined criteria, rather than against marketing claims, and to base decisions about digital self-determination on that evaluation.

“The C3A provide transparency, guidance, and the ability to select cloud services based on criteria relevant to the specific use case.” - Claudia Plattner, BSI President

Shared Responsibility and C3A vs. C5

Cloud usage rests on the Shared Responsibility Model: the provider controls part of the stack, the customer the rest. That division also limits the scope of decisions a customer can make independently of the provider, which is exactly where sovereignty questions arise.

While security properties are addressed in the BSI's Cloud Computing Compliance Criteria Catalogue (C5), C3A allows organizations to evaluate whether a cloud offering can be used autonomously within their specific risk context.

  • C5 (Security): Focus on operational security properties and compliance standards.
  • C3A (Autonomy): Focus on the ability to act independently of the cloud provider’s influence and strengthening operational autonomy.

The Six Sovereignty Domains of C3A

The C3A framework divides requirements into six core domains (SOV-1 to SOV-6) that define and measure the degree of autonomy:

SOV-1: Strategic

Focus on jurisdiction (EU/DE), registered headquarters, and effective corporate control by EU entities to limit external influence.

SOV-2: Legal

Ensuring audit rights for national authorities and mechanisms for taking over assets in the event of a state of defense.

SOV-3: Data

Control over storage locations (data residency), integration of external key management systems (bring your own key, BYOK) and external identity providers, and client-side encryption so that the provider only ever handles ciphertext.

SOV-4: Operational

EU residency of operating personnel, local SOC capabilities, and the technical ability for a complete network disconnect from non-EU connections without service interruption.

SOV-5: Supply Chain

Transparency via Software Bill of Materials (SBOM), hardware dependencies, and proactive management of export restrictions.

SOV-6: Technology

Ensuring source code availability in the EU and the capability for independent maintenance and patching without third-party reliance.

Note: The area SOV-7 (Security & Compliance) is already covered by the C5 catalogue, while SOV-8 (Environmental Sustainability) is not within the BSI's primary framework scope.

What does this mean for companies?

For companies, the C3A catalogue provides an objective basis for translating the often abstract concept of "cloud sovereignty" into tangible business decisions:

  • Informed Risk Management: Organizations can specifically evaluate how much they depend on the technological and operational roadmap of a single provider.
  • Strategic Flexibility: Criteria such as SOV-6 (Technology) ensure that exit strategies exist not just on paper, but remain technically feasible.
  • Future-proof Compliance: In highly regulated industries (e.g., critical infrastructure or healthcare), C3A helps proactively address regulatory requirements for resilience and autonomy.
  • Mitigating Vendor Lock-in: Transparency regarding dependencies allows for planning multi-cloud strategies or hybrid approaches based on valid data.

To-dos for companies:

  • Inventory: Identify critical cloud workloads where autonomy represents a business-critical risk.
  • Utilize C3A Checklist: Use the catalogue as a template for your next risk assessment or cloud procurement.
  • Contract Review: Check existing contracts for audit rights (SOV-2) and control options over storage locations (SOV-3).
  • Architecture Review: Evaluate technical sovereignty features such as External Key Management (BYOK) or exit scenarios.
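What the client-side encryption and BYOK features named under SOV-3, and the Architecture Review to-do above, come down to technically is envelope encryption with a key encryption key (KEK) that never leaves the customer's control. The following is an added example in Go (standard library only); it is not code from the original post or from the BSI catalogue. `CustomerKMS` is a hypothetical stand-in for an external KMS or HSM run by the customer, `StoredObject` is the assumed shape of what the provider stores, and the object names and sample payload are constructed for illustration:

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// StoredObject is all the provider holds for one object: ciphertext, the per-object
// data key (DEK) wrapped under the customer-held KEK, and both GCM nonces.
type StoredObject struct {
	Ciphertext, Nonce, WrappedDEK, WrapNonce []byte
}

// CustomerKMS is a hypothetical stand-in for an external KMS/HSM run by the customer
// (the BYOK side): it alone holds the KEK and only ever wraps and unwraps DEKs.
type CustomerKMS struct{ kek []byte }
func NewCustomerKMS() *CustomerKMS { return &CustomerKMS{kek: randBytes(32)} }

// WrapDEK seals a DEK under the KEK with the object name as AAD, so a wrapped key
// cannot be re-attached to another object.
func (k *CustomerKMS) WrapDEK(name string, dek []byte) (nonce, wrapped []byte, err error) {
	return seal(k.kek, dek, []byte(name))
}

// UnwrapDEK fails if the wrapped key was tampered with or moved to another name.
func (k *CustomerKMS) UnwrapDEK(name string, nonce, wrapped []byte) ([]byte, error) {
	return open(k.kek, nonce, wrapped, []byte(name))
}

// randBytes returns n CSPRNG bytes; a failing CSPRNG is fatal, not an error to retry.
func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts and authenticates plaintext with AES-GCM under a fresh random nonce.
func seal(key, plaintext, aad []byte) (nonce, ct []byte, err error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, nil, err
	}
	nonce = randBytes(aead.NonceSize())
	return nonce, aead.Seal(nil, nonce, plaintext, aad), nil
}

// open decrypts an AES-GCM ciphertext; any modification fails authentication.
func open(key, nonce, ct, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, nonce, ct, aad)
}

// Encrypt runs client-side before upload: fresh DEK per object, DEK wrapped by the KMS.
func Encrypt(kms *CustomerKMS, name string, plaintext []byte) (*StoredObject, error) {
	dek := randBytes(32)
	nonce, ct, err := seal(dek, plaintext, []byte(name))
	if err != nil {
		return nil, err
	}
	wrapNonce, wrapped, err := kms.WrapDEK(name, dek)
	if err != nil {
		return nil, err
	}
	return &StoredObject{Ciphertext: ct, Nonce: nonce, WrappedDEK: wrapped, WrapNonce: wrapNonce}, nil
}

// Decrypt runs client-side after download or after an exit: only KEK and blob are needed.
func Decrypt(kms *CustomerKMS, name string, obj *StoredObject) ([]byte, error) {
	dek, err := kms.UnwrapDEK(name, obj.WrapNonce, obj.WrappedDEK)
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return open(dek, obj.Nonce, obj.Ciphertext, []byte(name))
}

func main() {
	kms := NewCustomerKMS()
	obj, _ := Encrypt(kms, "tenant-a/invoice.pdf", []byte("constructed sample payload"))
	pt, err := Decrypt(kms, "tenant-a/invoice.pdf", obj)
	fmt.Printf("round trip: %q err=%v\n", pt, err)
	_, err = Decrypt(NewCustomerKMS(), "tenant-a/invoice.pdf", obj) // a party without the KEK
	fmt.Println("without the customer's KEK:", err)
}
```

The provider stores ciphertext plus a wrapped key and can neither read the data nor swap blobs between objects (the object name is bound as additional authenticated data), and an exit from the provider needs nothing beyond the downloaded blobs and the customer's own KEK. This covers confidentiality of data at rest against the provider; it does not address metadata, availability, or in-memory processing, and it only helps if the KMS itself sits inside the customer's control, which is what SOV-3 asks for.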

Structure and Application

The C3A framework is divided into base and supplementary criteria. Depending on the criticality of the workload, cloud customers decide which criteria to apply (e.g., the location of data centers or the origin of operating personnel).

The criteria are aligned with the European Cloud Sovereignty Framework (EU CSF) and require the cloud provider to already fulfill C5 criteria. In the future, the BSI will publish a guide for C3A audits to standardize proof of compliance, similar to the C5 attestation process.

Practical Implications

While the framework is not (yet) legally binding, it is expected to become the standard for future tenders and security requirements. Cloud providers can prove compliance through standardized audits, while customers use it as a precise instrument for risk assessment and securing strategic independence.

Conclusion

C3A provides the transparency needed to evaluate cloud services not only by their security (C5) but specifically by their degree of digital sovereignty and autonomy. The criteria are thus an essential building block for strategic independence in a connected world.

Resources

Download C3A - Criteria enabling Cloud Computing Autonomy (PDF)