
BSI C3A: The New Standard for Cloud Sovereignty

SECURITY INSIGHTS | April 30, 2026

With the publication of the “Criteria enabling Cloud Computing Autonomy” (C3A) on April 27, 2026, the BSI presented its first-ever assessment framework for digital sovereignty in the cloud sector. This framework transforms what was previously a political buzzword into concrete criteria and a clear benchmark for providers.


The C3A requires that the cloud provider already meets the BSI C5 criteria. Its requirements are divided into criteria and supplementary criteria, some of which carry additional information that can be applied depending on the use case and customer requirements. In principle, the C3A adopts the structure and objectives of the EU Cloud Sovereignty Framework (EU CSF), translates its contributing factors into verifiable criteria, and supplements them with additional aspects.

The C3A deliberately does not cover two categories of the EU CSF: SOV-7 Security & Compliance and SOV-8 Environmental Sustainability. The former is already addressed, among other things, by BSI C5:2026 and BSI IT-Grundschutz, while the latter category does not fall within the BSI’s area of responsibility.


The Six Dimensions of Sovereignty in BSI C3A

SOV-1 Strategic Sovereignty

The provider must be headquartered in the EU and effectively controlled by European entities (ownership structure, governance, strategic independence).

SOV-2 Legal & Jurisdictional Sovereignty

Subjection to EU legal jurisdiction, protection against extraterritorial access (e.g., CLOUD Act); audit rights under contract or law, preferably based on existing audits such as C5 or SOC 2 Type 2, while maintaining security and confidentiality protocols.

SOV-3 Data Sovereignty

Key management, identity providers, as well as logging and monitoring; customers must retain control over their encryption keys.

SOV-4 Operational Sovereignty

"Disconnect capability" (SOV-4-09-C) and EU citizenship of personnel for certain operational roles (SOV-4-01-C1/C2) to prevent unauthorized data access by foreign states; in the event of a disconnect, availability, integrity, authenticity, and confidentiality must be maintained, with a documented decoupling process tested at least annually.

SOV-5 Supply Chain Sovereignty

Dependencies on hardware, software, and external services; mandatory disclosure of the software components used as well as a list of software vendors, including SBOM; list of relevant hardware suppliers with countries of origin, mitigation strategies, and architectural flexibility for substituting hardware components.

SOV-6 Technology Sovereignty

Availability of source code for the cloud provider, ensuring that cloud operations can be maintained at all times without external dependencies; backups of source code and documentation within the EU to ensure operations remain secure even if cooperation with third-party providers is terminated.


Why this matters now

The C3A requirements are not yet mandatory, but may be designated as minimum requirements in future legislation or tenders. A similar situation occurred with the BSI C5 criteria, which are now legally mandated in the healthcare sector and whose compliance is frequently required in tenders.

Any company, government agency, or KRITIS operator that relies on a cloud provider subject to a non-European jurisdiction is taking on operational risks. Added to this is the legal dimension: providers subject to U.S. law, for example, may be required by laws such as the CLOUD Act to disclose data, regardless of where the data is physically stored. The C3A criteria systematically highlight these risks, thereby making them assessable for the respective stakeholders.


Myra is prepared

As a German cloud provider for application and network security, Myra holds a BSI C5 (Type 2) attestation and is certified according to ISO 27001 based on BSI IT-Grundschutz. In the C3A dimensions of strategic sovereignty (SOV-1), supply chain sovereignty (SOV-5), and technology sovereignty (SOV-6), Myra achieves virtually complete compliance. Our customers are also on the safe side when it comes to legal sovereignty (SOV-2): Myra is subject exclusively to German and European law, so non-EU authorities have no access to data or systems.

With regard to the BSI’s C3A criteria, Myra is already a best-practice example of sovereign cloud computing in Germany. We provide our customers not only with protection against cyberattacks, but also with the assurance that this protection is provided under exclusively German and European control.


Benefit from digitally sovereign cybersecurity with Myra:

  1. Reliable cyber resilience: Fail-safe availability and data security in accordance with European laws and values – without risks posed by political influence or foreign law.

  2. Preservation of data sovereignty: Compliance with EU data protection standards builds trust and protects both customer and business data, for example through GDPR-compliant TLS termination.

  3. Reduced regulatory burden: More efficient implementation and demonstrable compliance with national or European cybersecurity requirements such as NIS-2, DORA, or the Cyber Resilience Act (CRA).

  4. Robust supply chain: No sudden price hikes or access restrictions due to tariffs, trade barriers, or other geopolitical developments.

About the author

Christina Schlatte

Global Communications Manager

As Global Communications Manager at Myra, Christina Schlatte is responsible for international communications and the strategic expansion of global PR and communications initiatives. She also brings a background in journalism to the role: she gained her first editorial experience at an Austrian daily newspaper, where she developed a keen sense of language and storytelling. Her degree in International Relations subsequently laid the foundation for her work in global PR and communications.
