Daily cloud and web hosting news coverage by HostingDiscussion.com

Germany draws a hard line on cloud sovereignty as European hyperscaler dependence grows uncomfortable

Cloud sovereignty has meant different things to different people for long enough that the term stopped carrying real weight. Governments reach for it when signaling political direction, while vendors attach it to products that may reduce foreign dependency or may simply rebrand existing offerings with a European flag. Germany’s Federal Office for Information Security, known as BSI, has had enough of that ambiguity.

This week it published C3A, a framework of specific, measurable criteria that organizations can use to evaluate cloud providers against a consistent standard rather than on the strength of whoever makes the most convincing claim.

The full name is Criteria Enabling Cloud Computing Autonomy, and its scope goes well past what existing security standards cover. BSI’s C5 catalog already handles baseline cloud security. C3A starts where C5 stops, asking a fundamentally different question: not whether a service is secure, but whether it could keep running if every connection to non-European parent infrastructure disappeared tomorrow. That question has a specific answer in this framework, and providers need to document it, test it annually, and prove it holds up under scrutiny.

The disconnect readiness requirement is the most striking element. Providers must demonstrate operational continuity under separation scenarios, maintain data integrity throughout, and run documented tests at least once a year to verify that those procedures actually work. For organizations accustomed to providers making broad sovereignty claims without evidence, that annual testing requirement alone represents a meaningful shift in what accountability looks like in practice.

Beyond that, the framework reaches into legal structure and workforce composition in ways that technical architecture cannot substitute for. Providers must show freedom from non-European legal control that could compromise data or operations, which addresses US extraterritorial laws directly.

In addition, higher-security scenarios require personnel with system access to hold EU citizenship and residency, and in some cases restrict access to individuals based in a particular country. These requirements raise genuine feasibility questions for global providers running distributed teams, and those questions do not have easy answers.

C3A carries no immediate binding force as a standalone document. That said, BSI frameworks routinely travel into procurement requirements and legislation, and German federal agencies already treat BSI guidance as an operational standard. If the forthcoming European Cloud and AI Development Act absorbs elements of C3A at the EU level, hyperscalers competing for public sector contracts across member states will face compliance demands that reshape governance, staffing, and legal structures, not just infrastructure.
