
BSI President Claudia Plattner: “Digital sovereignty moves people. It is clear to all of us that the European market and the local digital industry need to be strengthened in important fields of technology. The BSI is actively helping with this in the area of cyber security. At the same time, non-European products – wherever we want to continue using them – must be secured in such a way that self-determined use is possible. The C3As offer transparency, guidance and the opportunity to select cloud services according to the criteria that are relevant for the respective application purpose.”
BSI Vice President Thomas Caspers: “Cloud use creates a relationship between customers on the one hand and the cloud provider on the other. In this context, influences on the provider can also indirectly affect customers. To enable them to make risk-based decisions, generally recognized, objective and verifiable criteria for self-determination and autonomy are required. We have developed the C3A criteria catalog as part of our collaboration with national and international cloud providers with whom we have cooperation agreements: In the process, findings from practical experience have been incorporated into a trend-setting framework, on which we also exchange information with our international partner authorities.”
The decision on the use of cloud services is based on the shared responsibility model between cloud providers and cloud customers. This model limits the scope of the decisions that cloud customers can make, particularly with regard to the secure and self-determined use of the services. While the security features of cloud services are addressed in the BSI’s Cloud Computing Compliance Criteria Catalogue (C5), the C3A criteria catalog enables an assessment of whether a cloud offering can be used in a self-determined manner in the respective risk context. The C3As serve as a guiding framework for action and create transparency, but do not have a regulatory effect.
The C3As can be used by both cloud providers and cloud customers. Cloud providers can prove compliance with the criteria through an audit. Cloud customers can use the framework to identify relevant requirements for their own usage scenario and thus define their desired level of sovereignty. In the next step, the BSI will publish guidelines for C3A audits – the verification process will be similar to the established C5 testing processes.
The C3As are divided into criteria and additional criteria. Supplementary information is provided for some of the criteria. Depending on the use case and requirements of the cloud customer, it is possible to determine which criteria and additional criteria are used. For example, the C3As offer selection options with regard to localization (e.g. location of the data centers, origin of the operating personnel). Depending on the criticality of the use case and the result of their own risk analysis, cloud users can decide whether they require localization in Germany or in the EU.
The structure and objectives of the C3As are based on the European Cloud Sovereignty Framework (EU CSF). In addition, the “contributing factors” of the EU CSF are taken up in the verifiable criteria of the C3A and expanded to include additional aspects. The C3As also require that the cloud provider fulfills the C5 criteria. The publication of a German-language version of the C3A is planned for the end of the 2nd quarter of 2026.
Further links: www.bsi.bund.de