BSI C3A:v1 on Cloud Autonomy published by Federal Office for Information Security

The BSI C3A:v1 extends the well-reputed BSI Cloud Computing Compliance Criteria Catalogue (BSI C5) standard, recently published in its 2026 version. 

This approach is consistent with the discussions around ENISA's European Cybersecurity Scheme (EUCS) whether Sovereignty Criteria natively reflect a security related dimension or if they form an independent dimension. 

BSI C3A:v1 is currently not mandatory. Stakeholders are supposed to decide voluntarily whether they will make the entire set or any sub-set of the BSI C3A part of their contractual relations or public procurement. BSI C3A remains open on the required methodology and operations of BSI C3A as Conformity Assessment Programme. 

BSI C3A:v1 presupposes that any Cloud Service which intends conformity with BSI C3A is already successfully assessed against BSI C5. Therefore, in practice, it is very likely that BSI C3A will be assessed according to the same rules and procedures applicable to BSI C5. 

Even though BSI C3A is not imposed by any legislation, now, this may change in future. BSI C5 has not been a legal requirement at its very beginning but has become a legal requirement by recent German legislation, e.g. § 393 SGB V. 

BSI C3A follows a similar structure as BSI C5. Therefore, there are high level dimensions, as necessary, sub-dimensions, criteria, additional criteria and supplementary information. 

• Dimensions define the highest level objective. 
• Sub-Dimensions define sub-clusters of criteria reflecting “high level objectives”, each supporting the highest level objective. 
• Criteria define the actual yet abstract requirements, of which all are designed as obligations (MUST). 
• Additional Criteria allow further fine-tuning and increase of rigour by complementing the general perspective of a Criterion with more specific aspects. 
• Supplementary Information provides further Guidance either to facilitate a harmonised interpretation of the Criteria or by providing examples on how real-life implementations may be designed. 

In total there are seven dimensions covered by BSI C3A:v1. Those are 

1. Strategic
2. Legal & Jurisdictional
3. State of Defense Takeover
4. Data
5. Operational
6. Supply Chain
7. Technology

BSI claims that BSI C3A is strongly aligned with existing frameworks, facilitating its broad adoption and recognition by stakeholders. 

Terminology used within BSI C3A is derived from ISO/IEC 22123:2023. It is worth noting that the BSI C3A distinguishes e.g. between

• Account data 
• Cloud service customer data
• Cloud service derived data
• Cloud service provider data

Dimensions addressed by BSI C3A derive from EU CSF. The BSI states that “C3A adopt the structure (categorization) and objectives of the European Union's Cloud Sovereignty Framework (EU CSF). In addition, the contributing factors of the EU CSF are reflected in the verifiable criteria of the C3A, but are expanded to include further aspects.”

Since BSI C3A expects conformity with BSI C5 a continuity and compatibility seems to be built from ISO 27XXX-series (IT-Security), over cloud specific standards, such as ISO/IEC 22123:2023, towards integrating European Frameworks such as EU CSF, alongside the operational alignment of BSI C5 assessment procedures with SOC-reports.

Comparison respectively high-level mapping of Sovereignty Dimensions between EU CSF, Sovereignty Criteria by ZenDiS and BSI C3A:v1

The publication of a dedicated set of Criteria by BSI marks a significant milestone within discussions around how to make Sovereignty measurable. 

However, the first set of criteria comes along some flaws. First, the criteria are only related to Cloud Services, which may not address any of Europe's digital infrastructure. On the other hand, Cloud Services in the sense of managed services, became a strong default in various IT systems. Consequently, addressing Cloud Services (first) may create a enormous footprint upon the still ongoing debates. 

Nonetheless, the first draft requires some critical analyses, the following high-level impression addresses its contribution to the Sovereignty vs Security discourse and the methodology and clarity of the draft. 

Considering the structure of BSI C5:2026 and the newly created BSI C3A:v1, the discussion around Sovereignty being a Security dimension might end simply as facts have been and will be created. It is worth noting, that such “facts” may not prove as binary as strong statements (e.g. EBF statement, or Statement EUCS High+) by stakeholders around EUCS indicated in the past, which eventually and probably led to EUCS's stagnation.  

The European Commission has published its European Cloud Sovereignty Framework in 2025, which indicates, either (1) the European Commission either does not all of the relevant criteria to be fit for Security Framework, such as EUCS, or (2) the European Commission simply did not want to wait any longer for EUCS to be completed. 

The BSI has incorporated some sovereignty criteria into BSI C5:2026, which apparently shall be those where there is an overlap with security matters. The introduction of BSI C3A states: "Security & Compliance Sovereignty is already covered by established BSI publications like C5:2026, IT-Grundschutz or the HA 
Benchmark compact.", which is why this dimensions is not covered (reduntantly) in BS C3A. "C3A presupposes that the cloud service provider meets the C5 criteria, as they reflect the security aspect of the sovereignty definition."

In other words: Where there was once a push by stakeholders to implement Digital Sovereignty as a “one hit kills them all” (EUCS high), real life seems to establish distinct frameworks resulting in “Sovereignty” being yet another modular aspect in digital certifications and audits. 

While the EU CSF lacks any assessable criteria, BSI C3A lacks any defined objectives. One might claim that as the Introduction refers to the EU CSF, the Objectives as defined in the EU CSF become the Objectives of the BSI C3A. 

While such a dynamic reference will ease the alignment across both frameworks, it comes with a significant risk: already minor linguistic changes within the Objectives of the EU CSF may influence the interpretation and fit for purpose of the BSI C3A criteria. 

Clarity and stability was easy to increase if the objectives were incorporated into the BSI C3A. Especially, as even the EU CSF objectives lack clarity on the identified risks that shall be mitigated by required implementations of “Sovereignty”. 

BSI C3A considers Sovereignty strongly interlinked with location of data and registered offices, along nationality of employees.

BSI C3A does not clearly state the identified risk scenarios it shall mitigate. Consequently, it is impossible to objectively analyse whether individual criteria will effectively contribute to any such intended mitigation. 

At least there remains doubt if all of such criteria will provide effective protection. If might even result in the opposite effects, because “trust in the framework” will eventually reduce actual awareness, dynamic reactions, and zero-trust implementations. 

Exemplary, the citizenship of key personnel. 

The following certainly reflects a harshly critical stand and provocatively “misreads” the current draft. Yet, the intent is to make it as obvious as possible why clarity of objectives and identified risk (scenarios) is so important in order to evaluate the suitability of criteria.

Ways to interpret the criterion

As there is no clear and identified risk profile, the criterion creates the impression of old resentments. Citizenship A is more trustworthy than Citizenship B. If the criterion shall address the fact that individuals can be subject to extra-territorial legislation due to their citizenship, the criterion remains unclear how it is expected that extra-territorial legislation shall be enforced against such individual. One might consider the latter is addressed by the second element of the criterion, which is that the individual must have its main residence within Europe / Germany. 

First, if the individual holds Citizenship A but does not have its main residency in “A” would not this mitigate the risk already, as there is still no direct enforcement capabilities of state “A” against the individual, at the very least if the individual has its main residency in Europe / Germany? Second, if residency in Europea / Germany does not suffice, does this imply that Europe / Germany considers its powers on its very own territory already significantly eroded so that it cannot protect those living there?

Third, as it refers to “all personnel” without further specification on the individual impact, does this eventually allow for a single-point-of failure? In other words, would it suffice if there is only “one” individual with full control of the technical infrastructure or if the is only “one” individual with full control of the business or compliance decisions, provided that such “one” individual is a EU / German citizen?

Which leads to fourth, why does the (potential) risk scenario expect personnel to breach their legal obligations (be them statutory or contractual) easily, if an extra-territorial power nudges them by means of “applicable laws due to their citizenship” rather than by nudges based on financial benefits (bribing) or physical threats against themselves or any closely related individuals? Is it to be expected, fifth, that “Citizenship” criteria will be extended similar to the “Effective Control” so that (indefinite) levels of dependency (citizenship) will be evaluated, both of the individual and any (influential) individuals from immediate personal circle? 

Distinct implementation requirements than proxy-tick boxes

The Citizenship and main residency appears to be a proxy, as the original aspects might have been to “complicated” to be drafted. However, proxies carry the inherent risk to miss their target and result in a “checkbox success” blinding for the actual risk. 

If the intent has been to mitigate the risk of extra-territorial powers adversly affecting Cloud Services by manipulating key personnel, diversification of powers appears more appropriate. There must not be one single-point-of-failure which could run the Cloud Service or any data therein unavailable or inaccurate. Any single-point-of-failure will eventually fail, if extra-territorial powers identify its weak-spot.

Additionally if the intent has been to protect the Cloud Services against adverse changes to the source code or hardware, procedures ensuring upfront clearance of any such changes seems more appropriate. Especially, if the Cloud Service Customer was required to actively green-light every single source-code update or data and service access by the Cloud Service Provider, full sovereignty remains. 

In this context it must kept in mind that the BSI C3A already provides for safeguards such as that the source-code of the Cloud Service must be readily available by its five most recent different versions, of which the most recent one must not be any older than 24h. Therefore, the BSI C3A apparently has considered risks and mitigating requirements along those lines already. Against this background the identified risks which can (only) be mitigated by citizenship becomes more confusing. 

BSI C3A appears to lack clarity in respect of its assessment procedure. While it is appreciated that BSI C3A remains voluntary and that interested parties shall define their own set of relevant criteria, the lack of a assessment procedures will make it hard to compare assessment reports or public claims of “BSI C3A compliance". 

Given the highly sophisticated methodology established by BSI C5 - and related BSI security frameworks - maybe BSI C3A will incorporate its assessment procedure in any of its future updates. It seems reasonable that - prior first hands-on experiences - any detailed outline of such a procedures might be overly limiting the adoption rate. Yet hopes remain that BSI will extend its Sovereignty Framework once it received practitioners feedback on its BSI C3A:v1 on its criteria and BSI has made first experiences on actual assessments, innovative approaches or any (unforeseen) obstacles thereof.