BSI C3A: Making sovereignty measurable

The new BSI C3A criteria catalog makes cloud sovereignty verifiable for the first time. We explain what the six domains mean and how customers can distinguish between the sovereignty levels of public cloud providers.

On April 27, 2026, the German Federal Office for Information Security (BSI) published the 'Criteria enabling Cloud Computing Autonomy' (C3A). This publication closes a gap that has been evident in practice for years: until now there were no generally recognised, objective and verifiable criteria for what constitutes a truly sovereign cloud offering.

While the security features of cloud services are addressed in the BSI's Cloud Computing Compliance Criteria Catalogue (C5), the C3A criteria catalog assesses whether a cloud offering can be used in a self-determined manner within its respective risk context. C3A conformity requires C5 conformity as a prerequisite.

The catalog was developed in collaboration with national and international cloud providers with whom the BSI has cooperation agreements. This is a positive development, as the practical experience gained from these partnerships has been incorporated directly into the framework. The ongoing process also facilitates an exchange with international partner authorities.

The background to the new BSI catalog is the growing concern about 'cyber dominance'. This refers to manufacturers of digital products retaining permanent access to their customers' systems and data. The aim is to secure non-European products in such a way as to enable users to exercise control over their own data.

Protection against 'sovereignty washing'

In its latest white paper, the ZenDiS (Centre for Digital Sovereignty in Public Administration) coined the term 'sovereignty washing'. This refers to offerings that are marketed as 'sovereign' but only fulfil partial aspects of digital sovereignty. A data centre in Frankfurt or Amsterdam does not automatically make a cloud sovereign if the technology base and updates are in the US. US law, particularly the CLOUD Act and FISA 702, applies to US companies, regardless of where their servers are located. The operational independence of a European subsidiary does not negate the legal obligations of the US parent company. This was confirmed by Microsoft France's Chief Legal Counsel before the French Senate in July 2025.

C3A addresses precisely this transparency issue by providing verifiable criteria.

Current legal situation: no easing in sight

There has been no improvement in the legal situation since the publication of ZenDiS.

The EU Data Act has been fully applicable since September 2025. Chapter VII requires cloud providers to implement technical and legal measures to prevent foreign authorities from accessing data unlawfully. This creates a structural dilemma for US providers: The requirements of the CLOUD Act and Chapter VII of the EU Data Act cannot be legally fulfilled at the same time. Any entity that complies with a request from a US authority may simultaneously be in breach of EU law – and vice versa.

In a nutshell, what is the structure of the C3A catalog?

The BSI divides cloud sovereignty into six domains (SOV-1 to SOV-6) that build on each other. There are basic (C) and extended (AC) criteria for each domain. The criteria also offer a choice between two levels: The EU level (C1) and the German level (C2), the latter of which has stricter requirements.

SOV-1 - Strategic sovereignty: The provider must operate under EU or German law, have its registered office there, and be effectively controlled by European or German companies. Changes of ownership that could affect the sovereignty criteria must be communicated 90 days in advance.

SOV-2 - Legal and jurisdictional sovereignty: The provider must check at least once a year whether legal standards outside the EU could affect its operations or the confidentiality and availability of customer data across borders. The resulting risks must be assessed in a structured manner. This also applies to providers with German headquarters that operate sites outside the EU. National authorities must also have the right to verify compliance with the C3A criteria through an audit. In the event of a state of defence, the provider must be able to hand over cloud operations, including all necessary operating resources, source code and administration tools, to government agencies.

SOV-3 - Data sovereignty: Customers must be able to track where their data is stored and processed. Providers must also enable the integration of external key management systems, allowing customers to keep their encryption keys entirely outside the provider environment. External identity providers must be able to integrate via open, non-proprietary standards. Furthermore, it must be possible to encrypt customer data on the client side before it enters the provider's environment.

SOV-4 - Operational sovereignty: All cloud personnel must be EU citizens residing primarily in the EU, and the SOC and connectivity must be operated within the EU. As a new C3A criterion, the BSI requires that all network connections outside the EU can be completely disconnected without affecting the operation of the cloud services. This must be verified annually by means of a test. Providers that are permanently dependent on a US manufacturer for security updates cannot meet this criterion.

SOV-5 - Supply chain sovereignty: The provider must document which software and hardware components are used for each cloud service and from which countries they originate. Ideally, this documentation is available as a software bill of materials (SBOM) and accessible to customers on request. The provider must have countermeasures in place for critical dependencies and must proactively assess the impact of possible export restrictions or delivery failures.

SOV-6 - Technological sovereignty: The provider must keep local backup copies of the entire source code (no more than 24 hours old and with at least 5 versions retained) so that operations can continue at any time without external dependencies. This includes all build scripts and deployment tools. Authorised personnel must have permanent access to the necessary development environments, and the provider must be able to develop and apply security patches independently in an emergency.
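SOV-5 and SOV-6 are the two domains whose evidence can be checked mechanically: a per-service SBOM with supplier and origin country for every component, and a local source-code copy that is at most 24 hours old with at least five retained versions. The following self-assessment helper is an added example written for this article; it is not BSI, C3A or ScaleUp code. It assumes a CycloneDX-style JSON SBOM (components with `supplier` and `properties`) and uses the constructed property name `origin-country`, since C3A does not prescribe a field name for the country of origin. The SBOM entries and snapshot timestamps below are constructed sample data.

```python
"""C3A self-assessment helper for SOV-5 (SBOM with origin) and SOV-6 (local
source copies). Added example; thresholds follow the text of the C3A summary
above, field names and sample data are constructed for illustration."""
from datetime import datetime, timedelta, timezone

MAX_BACKUP_AGE = timedelta(hours=24)   # SOV-6: newest local copy <= 24 h old
MIN_RETAINED_VERSIONS = 5               # SOV-6: at least 5 versions retained
ORIGIN_PROPERTY = "origin-country"      # constructed property name for SOV-5


def sbom_origin_findings(sbom: dict) -> list[str]:
    """One finding per component missing a supplier or an origin country (SOV-5)."""
    findings = []
    for comp in sbom.get("components", []):
        ident = f"{comp.get('name', '?')}@{comp.get('version', '?')}"
        if not comp.get("supplier", {}).get("name"):
            findings.append(f"SOV-5: {ident} has no supplier recorded")
        # CycloneDX allows free-form name/value properties per component.
        props = {p["name"]: p["value"] for p in comp.get("properties", [])}
        if not props.get(ORIGIN_PROPERTY):
            findings.append(f"SOV-5: {ident} has no origin country recorded")
    return findings


def source_backup_findings(snapshots: dict[str, list[datetime]], now: datetime) -> list[str]:
    """Per repository: newest local copy fresh enough and enough versions kept (SOV-6)."""
    findings = []
    for repo, stamps in snapshots.items():
        if not stamps:
            findings.append(f"SOV-6: {repo} has no local source copy at all")
            continue
        age = now - max(stamps)
        if age > MAX_BACKUP_AGE:
            findings.append(f"SOV-6: {repo} newest copy is {age.total_seconds() / 3600:.0f} h old (limit 24 h)")
        if len(stamps) < MIN_RETAINED_VERSIONS:
            findings.append(f"SOV-6: {repo} keeps {len(stamps)} versions (minimum 5)")
    return findings


def assess(sbom: dict, snapshots: dict[str, list[datetime]], now: datetime) -> list[str]:
    """Combined finding list; an empty list means both checks pass."""
    return sbom_origin_findings(sbom) + source_backup_findings(snapshots, now)


def sample_assessment() -> list[str]:
    """Run the checks on constructed sample evidence (not a real service)."""
    sbom = {  # constructed, CycloneDX-like shape
        "bomFormat": "CycloneDX",
        "components": [
            {"name": "example-hypervisor", "version": "3.2.0",
             "supplier": {"name": "Example Org"},
             "properties": [{"name": ORIGIN_PROPERTY, "value": "DE"}]},
            {"name": "example-firmware-blob", "version": "1.0"},          # no supplier, no origin
            {"name": "example-switch-os", "version": "9.1",
             "supplier": {"name": "Example Networks"}, "properties": []},  # supplier, no origin
        ],
    }
    now = datetime(2026, 5, 1, 12, 0, tzinfo=timezone.utc)   # constructed reference time
    snapshots = {  # constructed: one timestamp per retained local source copy
        "platform-core": [now - timedelta(hours=2 + 24 * i) for i in range(6)],   # passes
        "ops-tooling": [now - timedelta(hours=30 + 24 * i) for i in range(5)],    # stale
        "build-scripts": [now - timedelta(hours=1), now - timedelta(hours=25)],  # too few
    }
    return assess(sbom, snapshots, now)


if __name__ == "__main__":
    for finding in sample_assessment():
        print(finding)
```

Run against real evidence, the SBOM would be loaded with `json.load` and the snapshot timestamps taken from the mirror's commit or archive metadata; the thresholds are the only C3A-derived values, everything else is the auditor's convention.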

Degrees of Sovereignty: An Application Model for Practice

The six C3A domains can be condensed into a practical, tiered model that can be applied directly in tenders and procurement decisions.

[Figure: The four-level model "C3A Cloud Sovereignty" from ScaleUp Technologies, shown as a pyramid. Level 1 - Data residency; Level 2 - Legal protection (no CLOUD Act access, external keys, national audit rights); Level 3 - Operational independence, enabling self-sufficient operation; Level 4 (highest) - Complete digital sovereignty with a fully open-source basis, SBOM and transparent supply chain.]

Level 1 - Data residency: Servers and provider are based in the EU or Germany. This covers SOV-1 (basic criteria) and SOV-3-01 (traceable data location). It is the minimum standard, and it is what most providers offer under the label 'sovereignty'.

Level 2 - Legal protection: In addition to Level 1, the provider is under no legal obligation to hand over data at the request of foreign authorities (no CLOUD Act or FISA 702). Audit rights for national authorities are contractually anchored, and customers can hold their encryption keys outside the provider environment. This corresponds fully to SOV-1, SOV-2 and SOV-3. This level is harder to assess than Level 1 because it depends not only on the data centre location but also on the law under which the provider effectively operates, particularly where server location and parent company sit in different jurisdictions.

Level 3 - Operational independence: In addition, EU personnel, an EU SOC, independent connectivity and a proven disconnect capability (tested annually) are required. This level fully covers SOV-4. This is where all platforms that permanently depend on connections to non-European manufacturers for security updates fail structurally: without these updates, operation becomes insecure after a short time, a fact the major hyperscalers have confirmed for their own platforms.

Level 4 - Complete digital sovereignty: In addition, there is a transparent supply chain (SBOM, hardware inventory), documented replaceability of all components, an open-source basis and the capability for independent further development. This corresponds to SOV-5 and SOV-6. Platforms built on open stacks (OpenStack, Kubernetes and SCS) fulfil this level structurally.

What this means for procurement decisions

The C3A catalog is not a mandatory framework but an orientation tool. Providers can demonstrate compliance with the criteria through audits, and the verification procedure is to be based on C5 testing. Cloud customers can use the catalog to identify the requirements relevant to their specific usage scenario and to define the level of sovereignty they need.

For cloud managers, this means that most offerings currently marketed as 'sovereign' only reach Level 1. C3A makes the higher levels visible. Asking "Where are the servers located?" (data residency) is not enough. Also relevant are:

  • Under which law does the provider effectively operate? (SOV-1 and SOV-2: legal sovereignty)
  • Can operations be maintained if all connections outside the EU are completely interrupted? (SOV-4: operational sovereignty or self-sufficiency)
  • Is the technology base open enough to allow a change of provider or independent further development? (SOV-3, SOV-5 and SOV-6: technological sovereignty)

Level 1 merely ensures compliance with data protection regulations (GDPR).

Levels 3 and 4 are strategic security requirements for critical infrastructures and state institutions.

Anyone who is serious about sovereignty must move away from a purely physical view and consider the availability, integrity and portability of their systems under all political and legal conditions. Using hardened, open-source frameworks is often the only way to actually guarantee technological control at Level 4.

ScaleUp and C3A

ScaleUp Technologies operates three cloud locations in Germany that are subject to German law. The company employs German personnel and has processes that are certified according to the ISO 27001 standard. Our cloud platform is based on OpenStack and the Sovereign Cloud Stack (SCS), and we were one of the first three providers in Germany to be certified to the SCS IaaS standard. Our cloud infrastructure runs on open OCP (Open Compute Project) hardware and is based on open standards at all levels.

As such, we are one of very few German providers to fulfil Level 3 and, to a large extent, Level 4 of the sovereignty model. We would be happy to discuss this with you in more detail.

Further reading:

  • BSI C3A catalog
  • BSI press release on C3A
  • ZenDiS white paper "Recognizing sovereignty washing in cloud services" (August 2025)
  • CFI T-553/23 (Latombe/DPF, September 2025)
  • EU Data Act Chapter VII (applicable from September 2025)

This article was created with the help of AI and then completely revised and supplemented with the four-stage model 'C3A Cloud Sovereignty'.
