On 27 April 2026, the German Federal Office for Information Security (BSI) published the Criteria enabling Cloud Computing Autonomy (C3A), a non-binding framework setting out verifiable criteria for assessing the degree of self-determination available to cloud service customers when using cloud services. The C3A is directed at cloud service providers offering Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS) and Software-as-a-Service (SaaS) products, as well as at public and private sector cloud service customers seeking to procure or assess sovereign cloud services.

The C3A adopts the structure of the European Union (EU) Cloud Sovereignty Framework and articulates criteria across six sovereignty domains. Strategic sovereignty covers EU or German jurisdictional requirements, registered head office requirements and effective control by EU or German undertakings. Legal and jurisdictional sovereignty covers annual risk assessments of extraterritorial non-EU laws and audit rights for the responsible cybersecurity authority. Data sovereignty covers data residency options restricted to the EU or Germany, external key management integration and client-side encryption. Operational sovereignty covers EU-based or Germany-based operating personnel, security operations centres and tested disconnect and reconnect capabilities. Supply chain sovereignty covers documented inventories of software, hardware and external service dependencies. Technology sovereignty covers EU-based source code backups updated at least every 24 hours.

Cloud service providers may demonstrate compliance with the C3A through audit, and cloud service customers may use the C3A to define their baseline level of cloud sovereignty for procurement and assessment.
The C3A presupposes baseline compliance with the BSI Cloud Computing Compliance Criteria Catalogue (C5) 2026 and does not cover security and compliance sovereignty (SOV-7) or environmental sustainability (SOV-8) of the EU Cloud Sovereignty Framework.