      The debate on digital sovereignty in Europe has gained significant momentum. Whilst financially motivated cybercrime and state-sponsored attacks have been the focus of widespread attention for years, a third dimension is increasingly coming to the fore: so-called ‘cyber dominance’ – that is, the ability of digital product providers to maintain a lasting influence over their customers’ systems and data. In the cloud environment in particular, this raises the question of how much autonomy companies and public authorities actually have over the services they use.

      With the ‘Criteria enabling Cloud Computing Autonomy’ (C3A) catalogue of criteria published in April 2026, the Federal Office for Information Security (BSI) has presented a pioneering framework for action in this regard. In addition, the BSI plans to publish a guide for C3A audits, the verification procedures of which are to be structurally based on the established C5 testing process.

      Criteria enabling Cloud Computing Autonomy: What is C3A all about?

      The C3A is not a mandatory framework and has no direct regulatory effect. Rather, it is a guidance tool for cloud providers and cloud customers designed to make the sovereignty characteristics of a cloud service transparent and comparable. Whilst the Cloud Computing Compliance Criteria Catalogue (C5) answers the question of whether a cloud service is operated securely from a technical perspective, the C3A goes one step further: it enables an assessment of whether a cloud offering can also be used autonomously within the relevant risk context.

      A key prerequisite for the application of C3A is therefore that the cloud provider meets the C5 requirements. The two catalogues are thus not in competition with one another, but are designed as interdependent levels: security (C5) forms the foundation, whilst sovereignty (C3A) constitutes the assessment dimension built upon it.

      What criteria does the C3A cover?

      Structurally, the C3A is based on the EU Cloud Sovereignty Framework (EU CSF) and incorporates its categories and verifiable factors. Overall, the catalogue divides the aspects of sovereignty into six criteria areas:

      • Strategic Sovereignty
      • Data Sovereignty
      • Legal and Jurisdictional Sovereignty
      • Operational Sovereignty
      • Supply Chain Sovereignty
      • Technology Sovereignty

      The areas of ‘Security & Compliance Sovereignty’ and ‘Environmental Sustainability’ from the EU CSF have been deliberately omitted – the former is already covered by C5, IT-Grundschutz and comparable BSI products, whilst the latter does not fall within the BSI’s remit.

      As is familiar from C5, C3A also distinguishes between basic criteria and additional criteria. The criteria can be flexibly combined depending on the requirements profile, meaning that the entire catalogue does not necessarily have to be applied. On this basis, cloud customers can define their desired level of sovereignty and specifically request those criteria that are relevant to their specific use case. The level of sovereignty could thus become a kind of benchmark for cloud providers and, consequently, a competitive advantage.

      What does this mean for cloud providers?

      In future, cloud providers will be able to demonstrate compliance with the C3A criteria through an independent audit, thereby providing customers with transparency regarding data sovereignty and (in)dependence on other service providers. The BSI plans to model the verification procedure structurally on the tried-and-tested C5 testing process in order to exploit synergies and keep the burden on providers manageable. The German version of the C3A is scheduled for publication in the second quarter of 2026.

      The C3A is likely to develop into a de facto market standard in the short to medium term. In particular, public authorities, operators of critical infrastructure and companies with heightened security requirements will use the C3A as a criterion when selecting providers. Providers who establish transparency in this area at an early stage will position themselves as trustworthy partners in the European and, in particular, the German market.

      How are C3A and the new C5:2026 related?

      In parallel with C3A, the BSI has published C5:2026, an updated version of the Cloud Computing Compliance Criteria Catalogue. This too includes criteria that lie at the intersection of security and self-determination – particularly in the area of portability. Cloud providers should therefore consider both catalogues together and, where appropriate, have a readiness assessment carried out to determine the extent to which existing controls from ongoing C5 audits can also be used for future C3A audits.

      From our experience, we know that an integrated approach offers significant added value and reduces cost pressure: duplication of effort can be avoided, synergies with other standards such as ISO 27001 or SOC 2 can be specifically leveraged, and the internal control system can be further developed in a consolidated manner.

      What should you, as a cloud provider, be doing now?

      Although the C3A does not impose any immediate legal obligation, we recommend that cloud providers address the new requirements at an early stage. Start by gaining an overview of which C3A criteria are already addressed by your current internal control system – particularly with regard to existing C5 certificates and comparable audits. On this basis, you can identify areas for action and draw up a realistic preparation plan for a future C3A audit.

      KPMG can assist you in determining your level of control coverage and identifying areas for action, as well as with future audits of internal control systems against the C3A and C5 criteria. Our experts in Digital Process Compliance will be happy to advise you on matters relating to cloud sovereignty, BSI standards and preparation for the C3A audit. 