Wednesday, July 8, 2026 · Week 28 DE · EN · FR · ES Dark
Reboot Germany

C3A: How the BSI Makes Cloud Sovereignty Measurable

Cloud sovereignty becomes measurable: The BSI breaks it down into six verifiable dimensions with C3A.

By Tobias Massow April 27, 2026 6 min read
C3A: How the BSI Makes Cloud Sovereignty Measurable

On 27 April 2026, the BSI published the C3A – a criteria catalogue that makes cloud sovereignty measurable for the first time. The framework breaks sovereignty down into six auditable dimensions, from legal access rights to supply chain exposure. For IT procurement teams, it is the first catalogue that translates sovereignty into concrete purchasing requirements. And it is already available, while the EU is still drafting the Cloud and AI Development Act.

Key Takeaways

  • Sovereignty becomes measurable: The BSI’s C3A evaluates cloud services across six sovereignty dimensions. Gut feeling is replaced by an auditable framework.
  • C3A builds on C5: Where C5 certifies technical security, C3A assesses autonomy. A provider must meet C5 criteria before C3A even applies.
  • Voluntary and ready to use now: C3A is a voluntary procurement tool with no regulatory binding force – IT teams can start using it immediately. The EU Cloud and AI Development Act, which aims to make sovereignty a legal requirement, is still working its way through the legislative process.

Related:Cloud Sovereignty in Practice: C5, Data Residency, Key Control  /  C5 Audits Force Mid-Market Companies to Rethink Their Cloud Supply Chain

How C3A Differs from C5 and CADA

Three acronyms are currently circling the same topic – but they mean very different things. Anyone procuring cloud services should keep them clearly apart.

What is C3A? The C3A (Criteria enabling Cloud Computing Autonomy) is a BSI criteria catalogue that makes the sovereignty characteristics of a cloud service transparent and comparable. Providers demonstrate compliance through audits; users assess their usage scenarios against the criteria and define a target sovereignty level for their workloads.

The division of labour is clear. C5 answers whether a cloud service is operated securely from a technical standpoint. C3A builds on that foundation and assesses whether the service can be used autonomously within a given risk context. The EU Cloud and AI Development Act, in turn, is the legal framework intended to make sovereignty a procurement obligation – but it is still moving through the legislative process. C3A delivers the measurement tool that will operationalise that obligation once it passes, and is available today.

The Six Dimensions of Cloud Sovereignty

The C3A follows the European Cloud Sovereignty Framework and converts its factors into auditable criteria. The result is six dimensions that together form a sovereignty profile. The BSI deliberately excludes two areas of the EU framework: security and compliance sovereignty is already covered by C5, while ecological sustainability falls outside the BSI’s mandate.

Dimension What it targets
Strategic Sovereignty Independence of your own cloud strategy from individual vendors and their roadmaps.
Data Sovereignty Control over where your data is stored, who can access it, and how it is encrypted.
Legal Sovereignty Protection against foreign government access through jurisdiction and contract law.
Operational Sovereignty The ability to maintain operations without relying on the vendor.
Supply Chain Sovereignty Transparency and control over the technical sub-suppliers behind a service.
Technological Sovereignty Availability of open standards and the ability to replace individual components.

Source: BSI C3A, structured according to the EU Cloud Sovereignty Framework; classification by cloudmagazin

The elegance of this breakdown lies in what it does to the conversation: it turns a catch-all question into six specific ones. Nobody has to answer whether a cloud is sovereign in the abstract. Instead, a target level can be defined and verified for each dimension individually.

How C3A Changes Cloud Procurement

For IT purchasing, this shifts the basis of the conversation. Until now, sovereignty was a word that appeared in every tender and could be measured in none. With C3A, organisations can define a target sovereignty level for each workload and hold it up against a vendor’s actual profile.

Three steps make sense regardless of the framework’s legal status. First, classify your workloads: not every application needs the highest sovereignty level – an internal test environment calls for a different standard than a specialist process handling personal data. Second, request the vendor’s profile: providers that take C3A seriously can document their rating for each dimension. Third, assess the gap: wherever target and actual levels diverge, you either have room to negotiate or a reason to plan an exit.

The fact that C3A is voluntary weakens it less than it sounds. Precisely because there is no mandate behind it, the framework can be folded into the next procurement process immediately, without any political scaffolding. And when the EU legal framework does arrive, this tool will already have real-world experience behind it.

Frequently Asked Questions

What is the difference between C3A and C5?

C5 certifies whether a cloud service is operated in a technically secure manner. C3A builds on this and assesses whether it can be used autonomously – that is, sovereignly – within a given risk context. C3A requires that the provider meets the C5 criteria.

Which six dimensions does the C3A examine?

Strategic, data, legal, operational, supply chain, and technological sovereignty. The BSI deliberately excluded the security and sustainability domains of the EU framework, since C5 already covers security and sustainability falls outside the scope of the mandate.

Is the use of C3A mandatory?

No. The C3A is a voluntary assessment tool with no direct regulatory effect. It can, however, serve as a foundation if the EU Cloud and AI Development Act later makes sovereignty a procurement requirement.

How does IT procurement use the C3A in practice?

Users define a target sovereignty level for each workload and compare it against a provider’s profile. Providers document their rating for each dimension through an audit. Where target and actual levels diverge, that gap becomes the basis for negotiation – or for considering an exit.

When will the C3A be available?

The BSI published the C3A on 27 April 2026, initially as an English-language document. A German version was announced for the second quarter of 2026.

Cover image source: Pexels / Sergei Starostin (px:6466141)

Also available in

FrançaisEspañolDeutsch
MBF Media Newsletter

The monthly briefing for decision-makers

Once a month, the MBF Media Newsletter gathers what matters from cloudmagazin, MyBusinessFuture, Digital Chiefs and SecurityToday, curated by the editorial team.

25,000 IT and business decision-makers read this newsletter. Read along.

Subscribe for free
MBF Media Newsletter, aktuelle Ausgabe auf dem iPhone
Ein Magazin der Evernine Media GmbH