Blackfort Technology
IT-Security · Feature15 May 2026·Christian Gebhardt

BSI C3A: New Criteria for Sovereign Cloud Services

Germany’s BSI publishes the C3A criteria catalog for cloud autonomy. Six sovereignty objectives extend the C5 standard and make digital self-determination measurable.

🇩🇪 Diesen Artikel auf Deutsch lesen →

Follow Blackfort on LinkedIn

Security incidents, technical analyses, and insights from the field — delivered directly to your LinkedIn feed.

Follow now →
Abstract depiction of sovereign cloud infrastructure with six concentric security layers

What C3A is — and what it isn’t

On 27 April 2026, Germany’s Federal Office for Information Security (BSI) released the new criteria catalog C3A — Criteria enabling Cloud Computing Autonomy. According to the BSI press release of 27 April 2026, the catalog enables cloud customers to obtain “transparency, orientation, and the possibility” to select sovereign cloud services on a criteria-based foundation. It fills a gap that the established C5 catalog deliberately left open — C5 evaluates security, C3A evaluates self-determination.

Methodologically, C3A aligns with the European Cloud Sovereignty Framework (EU CSF) from Directorate-General DIGIT, which defines eight sovereignty objectives (SOV-1 to SOV-8). The BSI adopts six of these and translates their “contributing factors” into verifiable criteria. Deliberately excluded are SOV-7 (Security & Compliance, covered by C5:2026, IT-Grundschutz, and HV-Benchmark Kompakt) and SOV-8 (Environmental Sustainability, outside BSI’s mandate).

Key facts about the release
  • Publisher: BSI, in technical coordination with France’s ANSSI
  • Released: 27 April 2026, currently available only in English
  • German version: Planned for end of Q2 2026
  • Prerequisite: C5 compliance is required — security is not part of the sovereignty assessment
  • Binding nature: No direct legal mandate today, but a de facto benchmark via procurement and EU regulation

The six sovereignty objectives in detail

C3A divides digital sovereignty into six layered domains — from strategic ownership structures to technological independence. Each objective consists of core criteria, supplementary criteria, and contextual information. The granularity extends down to individual requirements such as SOV-4-09-C on disconnect capability.

01

SOV-1 · Strategic Sovereignty

Ownership and control: the provider must be headquartered in the EU and effectively controlled by European entities. Foreign majority stakes or veto rights are scrutinized.

02

SOV-2 · Legal Sovereignty

Jurisdiction and legal framework: the provider must not fall under the reach of extraterritorial laws such as the US CLOUD Act or FISA Section 702. Annual assessment of non-EU legal exposure required.

03

SOV-3 · Data Sovereignty

Data location, external key management, identity providers, and comprehensive logging/monitoring control. Customers must be able to trace where data is stored and processed.

04

SOV-4 · Operational Sovereignty

Personnel and administration: all staff with logical or physical access must hold EU citizenship and EU residency (SOV-4-01-C1). Enhanced level C2 requires residency in Germany.

05

SOV-5 · Supply Chain Sovereignty

Documentation of all software and hardware components per service, ideally as a Software Bill of Materials (SBOM). Countermeasures for critical dependencies mandatory.

06

SOV-6 · Technological Sovereignty

Source code availability for operators and technology independence. Cloud services should remain operable even without external dependencies.

Six pillars of digital sovereignty: strategic, legal, data, operational, supply chain, technology
Six layered sovereignty dimensions — C3A translates the EU CSF into verifiable criteria.
What C3A deliberately leaves out

SOV-7 (security and compliance) is explicitly excluded from C3A, as it is already covered by C5:2026, IT-Grundschutz, and the HV-Benchmark Kompakt. SOV-8 (environmental sustainability) falls outside BSI’s remit. C3A therefore assumes C5 compliance as an entry requirement for sovereignty assessment.

Disconnect capability and personnel requirements

Two SOV-4 requirements particularly shape day-to-day practice: full disconnection of external network links without affecting service quality, and strict personnel requirements. Both are evaluated in two tiers — Core (C1) and Enhanced (C2).

CriterionCore (C1)Enhanced (C2)
SOV-4-01 · PersonnelEU citizenship and EU residencyResidency in Germany (high-security)
SOV-4-09 · DisconnectAll non-EU network links severableAnnual documented disconnection test
SOV-2 · JurisdictionNot subject to CLOUD Act / FISA 702Annual risk review of extraterritorial law
SOV-5 · Supply ChainSBOM per serviceDocumented mitigation for critical components

The disconnect requirement is particularly notable: SOV-4-09-C demands that after full disconnection from external platforms, the service must continue to operate “without compromise to availability, integrity, authenticity, and confidentiality.” The operator must test and document this scenario at least annually — including test results that must be disclosed on request to the responsible IT security authority at the data center location.

Conceptual visualization of an isolated data center with severed external network connections
Disconnect scenario under SOV-4-09-C: operations without external dependencies, mandatory annual testing.
Sovereignty-washing as a real threat

Germany’s Center for Digital Sovereignty (ZenDiS), as quoted in the Heise report, explicitly warns that some providers embellish their sovereignty credentials and “throw sand in customers’ eyes”. C3A creates the first verifiable benchmark against this practice — but only if organizations actively apply the criteria in procurement.

How a C3A assessment works in practice

C3A does not run itself. The catalog addresses cloud providers (for audit purposes) and cloud customers (for selection) alike. Similar to C5, independent audits are envisaged — the BSI has announced a dedicated audit guideline to follow.

Sovereignty assessment workflow

  1. 1Define the risk context and sovereignty needs of the specific use case (e.g., critical infrastructure vs. internal collaboration).
  2. 2Select the relevant SOV domains and maturity level (Core C1 or Enhanced C2) — not every use case requires SOV-4-01-C2.
  3. 3Verify the provider’s existing C5 attestations — without C5 compliance, C3A is not applicable.
  4. 4Evaluate the provider’s C3A report against your own defined requirements.
  5. 5Identify gaps and obtain contractual commitments (e.g., data location, personnel, disconnect tests).
  6. 6Embed the criteria in procurement as eligibility, award, or performance specifications.

BSI Vice President Thomas Caspers stated, as reported by Heise, that the BSI is “interested in technically viable solutions that formulate concrete conditions”. Development took place in cooperation with national and international cloud providers — a clear signal that C3A is not designed as a fence against hyperscalers, but as a structured assessment grid.

Example: excerpt from a C3A requirements matrix
# C3A requirements matrix (sample project)
# Use case: HR record processing, critical-infrastructure relevant

SOV-1 (Strategic)
  - C1: Headquartered in EU            [REQUIRED]
  - C2: Controlled by EU entities      [REQUIRED]

SOV-2 (Legal)
  - C1: No CLOUD Act / FISA 702        [REQUIRED]
  - C2: Annual risk review             [REQUIRED]

SOV-3 (Data)
  - C1: Data location EU               [REQUIRED]
  - C2: External key management (BYOK) [REQUIRED]

SOV-4 (Operational)
  - C1: EU personnel                   [REQUIRED]
  - C2: DE personnel                   [optional]
  - 09-C: Annual disconnect test       [REQUIRED]

SOV-5 (Supply chain)
  - C1: SBOM per service               [REQUIRED]
  - C2: Mitigation critical components [REQUIRED]

SOV-6 (Technology)
  - C1: Source code availability       [optional]

Strategic outlook: from recommendation to de facto standard

Formally, C3A is not a binding standard. In practice, that is likely to change quickly: the catalog will work its way into procurement and regulation via IT-Grundschutz, the upcoming minimum standard module “National Cloud Dispatch” (MST-NCD), and the anticipated EU Cloud and AI Development Act. The result is an architecture in which C5 makes security measurable and C3A makes sovereignty measurable — a dual yardstick that recalibrates cloud strategies.

For operators of critical infrastructures falling under NIS2 and for the public sector, C3A is becoming required reading — not necessarily in every single requirement, but as a structural frame for risk assessment. Organizations procuring new cloud services or reviewing their strategy should align C3A with their own risk inventory now, before the German version becomes the de facto benchmark by end of Q2 2026.

Recommended next steps
  • Map your current cloud landscape against the six SOV domains — even without a formal audit.
  • Review existing contracts for clauses on data location, personnel, disconnect, and SBOM.
  • For critical-infrastructure-relevant applications: anchor the requirements in procurement policies and contract templates.
  • Set up logging and monitoring such that SOV-3 requirements are actually demonstrable — see Blackfort Security Logging & Monitoring.
  • Expand ISMS documentation with sovereignty-related risks — alongside C5 and ISO 27001 evidence. For the C5 side: Blackfort BSI C5 consulting.

Note

Information is based on the official BSI press release of 27 April 2026, the C3A publication by the BSI, and complementary trade reporting. For binding requirements, consult the official BSI documents at bsi.bund.de.

Kontakt aufnehmen

IT-Security for your organization

Blackfort Technology supports organizations with NIS2 compliance, OT security, and the protection of critical infrastructures — from analysis to implementation.

Request a consultationOur services