For a long time, "digital sovereignty" was a rather abstract term in strategy papers - a target value without a clear metric. With the publication of the Criteria enabling Cloud Computing Autonomy (C3A), the Federal Office for Information Security (BSI) is changing the rules of the game. For CISOs and IT managers, this means that sovereignty is moving from the philosophical corner directly into operational risk management and compliance auditing. For organizations regulated under NIS 2, the C3As provide a methodical basis for systematically identifying and evaluating dependencies in the supply chain.
With the finalization of the Criteria enabling Cloud Computing Autonomy (C3A), the BSI brings the operational independence of cloud services into the focus of risk management.
From the leap of faith to technical validation
C3A: Why digital sovereignty is becoming a measurable metric in risk management
The previous basis for cloud security was the C5 test standard. It provides an excellent foundation for information security, but largely ignores the issue of dependencies and legal access options. This is precisely where the C3As come in. They define sovereignty not as a binary state, but as a spectrum in six dimensions: from strategic sovereignty to data sovereignty and operational autonomy.
The criteria gain additional weight in the context of NIS-2. Under Article 21 NIS-2, companies are obliged to ensure the security of their supply chains. Anyone using cloud services must now demonstrate how they assess their dependence on non-European jurisdictions and the associated risks (keyword: US Cloud Act).
The six dimensions of cloud sovereignty
The BSI divides sovereignty into:
Strategic sovereignty: Long-term ability to act and avoid lock-in effects.
Legal sovereignty: Protection against unauthorized access from third countries (e.g. US Cloud Act).
Data sovereignty: Control over the entire life cycle of the data.
Operational sovereignty: Retaining control over the operation and administration of the service.
Supply chain sovereignty: Transparency about sub-service providers and components.
Technological sovereignty: Availability of alternatives and interoperability.
Personnel requirements according to SOV-4-01-C2
One criterion of the operational dimension concerns access to the cloud infrastructure. The requirements level SOV-4-01-C2 stipulates that all employees of the cloud service provider who have logical or physical access to the resources must hold citizenship of an EU member state and have their residence within the Federal Republic of Germany. This rule aims to ensure maximum legal accessibility and operational control by national security authorities.
The "disconnect" criterion and the annual inspection obligation
The criterion SOV-4-09-C requires that a cloud service must retain its integrity and availability even if the connection to non-European instances is interrupted. Companies that claim this level of sovereignty are subject to an annual inspection obligation: it must be technically proven that the local instance remains capable of operating autonomously. This is a relevant factor for increasing resilience, particularly for KRITIS sectors.
Regulatory classification: Framework for action instead of law
The decisive factor for the risk assessment is which legal obligation applies:
MST-NCD: The minimum standard for the use of external cloud services is binding for the Federal Administration in accordance with Section 44 BSIG.
C3A: For private sector companies, including KRITIS and NIS-2 regulated entities, the C3As act as a non-legally-binding orientation framework. However, they can be used as a list of requirements in tenders or to fulfill due diligence obligations in risk management.
Implementation by EASM and VRM
The technical validation of these criteria is carried out using a combination of External Attack Surface Management (EASM) and Vendor Risk Management (VRM):
Asset geolocalization: EASM analyses detect infrastructure components in jurisdictions that contradict the sovereignty objectives (e.g. shadow IT in third countries).
Supply chain monitoring: VRM workflows automate the querying of the six C3A dimensions with service providers. This enables continuous monitoring of the sovereignty parameters over the entire life cycle of the business relationship.
Protective measures and recommendations for action
In order to meet the BSI criteria and the requirements of the NIS2 directive, companies should prioritize the following measures:
Systematically evaluate and document cloud providers according to the BSI criteria for sovereignty
Design contracts with cloud service providers in such a way that data sovereignty and auditability are guaranteed
Consistently implement technical measures such as encryption and access controls
Continuously monitor and document asset inventory and data flows
Conduct regular audits to demonstrate compliance with BSI criteria and NIS2 requirements
Establish processes to ensure control over data and systems when changing providers
Evaluate and prove C3A compliance
LocateRisk supports companies in assessing the sovereignty of their cloud services and efficiently managing regulatory evidence. The platform makes it possible to continuously monitor cloud providers and suppliers and to identify relevant risks at an early stage. Data flows and system landscapes can be transparently mapped via the asset inventory, which is required for audits and compliance checks in accordance with NIS2.
The C5 standard is an excellent tool for testing information security, but it primarily addresses the protection goals of confidentiality and integrity. The C3As go a decisive step further: they assess dependency. While C5 confirms that the front door is locked, the C3As check who has the second key and whether the landlord can unilaterally block access. For companies, this means moving from a pure security check to an assessment of operational autonomy and legal accessibility.
The BSI requires personnel with a permanent residence in Germany for the highest level. Simple "hosting in Germany" loses its value if administrative support is provided from jurisdictions that are subject to the US Cloud Act. Although the data is stored locally, control over it is transferred abroad via management interfaces. CISOs must demand technical validation here instead of relying on blanket provider assurances.
EASM serves as a technical corrective. By identifying all systems connected to the internet and geolocating them, deviations from the sovereignty strategy can be identified immediately. If cloud instances or communication endpoints suddenly appear in regions that do not correspond to the agreed geofencing, this becomes immediately visible. It transforms sovereignty from a static clause in the service contract into a continuously monitorable process.
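The geofencing check described in the EASM bullet above and in this paragraph, as an added example that is not LocateRisk's code or part of the original article: a constructed asset inventory (country codes stand in for the output of the geolocation step) is evaluated against a hypothetical sovereignty policy, and each deviation is mapped to the C3A dimension it affects.

```python
"""Geofencing check of an EASM asset inventory against a sovereignty policy (added example; sample data is constructed)."""
from dataclasses import dataclass

# ISO 3166-1 alpha-2 codes of the 27 EU member states
EU_MEMBER_STATES = {
    "AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR", "HU",
    "IE", "IT", "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK", "SI", "ES", "SE",
}
@dataclass(frozen=True)
class Asset:
    hostname: str
    ip: str        # constructed documentation-range addresses
    country: str   # geolocation result, assumed already resolved upstream
    provider: str  # operator identified for the endpoint
    role: str      # "data" (workload/data plane) or "management" (admin interface)
# Hypothetical policy: data may sit anywhere in the EU, management interfaces
# must be located in Germany, and only contractually approved providers may host assets.
POLICY = {"data": EU_MEMBER_STATES, "management": {"DE"}}
APPROVED_PROVIDERS = {"eu-cloud-a", "de-hoster-b"}
# Which C3A dimension a finding type speaks to
DIMENSION = {"jurisdiction": "legal/data sovereignty", "unapproved-provider": "supply chain sovereignty",
             "unknown-role": "operational sovereignty"}

def check_sovereignty(assets, policy=POLICY, approved=APPROVED_PROVIDERS):
    """Return (hostname, finding_type, detail) for every deviation from the policy."""
    findings = []
    for a in assets:
        allowed = policy.get(a.role)
        if allowed is None:  # an asset whose role is unknown cannot be governed at all
            findings.append((a.hostname, "unknown-role", a.role))
            continue
        if a.country not in allowed:
            findings.append((a.hostname, "jurisdiction", a.country))
        if a.provider not in approved:
            findings.append((a.hostname, "unapproved-provider", a.provider))
    return findings

def findings_by_dimension(findings):
    """Group deviations by the C3A dimension they affect, for the audit record."""
    grouped = {}
    for host, kind, detail in findings:
        grouped.setdefault(DIMENSION[kind], []).append(f"{host}: {detail}")
    return grouped

SAMPLE_INVENTORY = [  # constructed inventory as an EASM scan might deliver it
    Asset("app.example.test", "203.0.113.10", "DE", "de-hoster-b", "data"),
    Asset("db.example.test", "198.51.100.7", "NL", "eu-cloud-a", "data"),
    Asset("admin.example.test", "192.0.2.5", "IE", "eu-cloud-a", "management"),
    Asset("cdn.example.test", "203.0.113.200", "US", "us-cdn-c", "data"),
]
```

Running `findings_by_dimension(check_sovereignty(SAMPLE_INVENTORY))` flags the Irish admin endpoint and the US-hosted CDN under legal/data sovereignty and the unapproved CDN operator under supply chain sovereignty; the two EU data-plane hosts pass.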
Conventional vulnerability scanners often wait weeks for data to be enriched by the NVD (National Vulnerability Database). During this time, the cloud infrastructure is unprotected. Our Preemptive Intelligence closes this period by identifying critical vulnerabilities from the day of publication. This is essential for cloud autonomy: only those who know their vulnerabilities faster than the attacker can retain operational control over their systems and prevent loss of control through external infiltration.
Manually checking providers using static questionnaires is no longer a reliable process given the complexity of modern cloud architectures. An automated VRM makes it possible to continuously monitor the six dimensions of C3A. Instead of asking for a "gut feeling" once a year, LocateRisk provides data-based evidence of the security status and locations of the service providers. This is particularly important for compliance with the NIS-2 due diligence obligations in the supply chain and is the only way to effectively minimize liability risks for management.