
Germany says that big tech’s permanent access to customers’ systems and data is “cyber dominance,” a form of cyberaggression. The country’s cybersecurity agency released new “sovereignty criteria” for selecting cloud services. The checklist is voluntary, but carries real consequences if purchasers start requiring compliance.
The Federal Office for Information Security (BSI), Germany’s central authority responsible for IT security, has just fired shots at Silicon Valley.
The watchdog has released a non-binding document, “Criteria enabling Cloud Computing Autonomy (C3A),” aimed at helping customers make better decisions when choosing cloud services by defining the “level of sovereignty.”
In essence, to clear it, providers must be located in the EU and managed by European companies, must not give foreign governments access to data, must run their data centers inside the bloc, must ensure data portability, and must leave encryption keys solely in customers' hands, among many other things.
“Germany and Europe are under constant pressure from cyber aggression,” the BSI’s press release translation reads.
“Alongside cybercrime and cyber conflict, a third type of threat is increasingly coming into focus for society as a whole: cyber dominance – the ability of manufacturers of digital products to maintain permanent access to their customers' systems and data.”
The new C3A framework is expected to be used by both cloud providers – to demonstrate their sovereignty – and cloud customers, to identify the relevant requirements.
“To ensure transparency and enable cloud service customers to make risk-based decisions in this context, there is a need for generally recognized, objective, and verifiable criteria for self-determination, i.e., autonomy,” the document states.
BSI President Claudia Plattner says that digital sovereignty concerns citizens, and European tech needs to be strengthened in key areas.
“Non-European products – wherever we intend to continue using them – must be secured in such a way as to enable self-determined use. The C3A offers transparency, guidance, and the opportunity to select cloud services according to the criteria relevant to the specific application,” Plattner said.
What is required for a “sovereign cloud”?
The C3A document lists six major groups of criteria that define concrete requirements for the autonomous use of cloud services.
The criteria come in tiers, ranging from EU-wide compliance to country-level requirements, and down to individual subcontractor-level requirements.
Strategic Sovereignty: requires that cloud service providers operate under EU jurisdiction, have a registered office in the EU, and be effectively controlled by EU entities. Stricter criteria narrow to Germany specifically.
Legal and Jurisdictional Sovereignty: requires tech companies to identify any non-EU laws with cross-border implications affecting customer data confidentiality and integrity, and to define audit procedures.
“If an EU member state declares a state of defense, the cloud service provider MUST enable the EU member state to take over the capabilities required to operate the cloud, including the necessary physical assets and personnel, within the framework of legal possibilities,” one of the criteria reads.
Data Sovereignty: requires vendors to disclose where data is stored and processed, and offer EU-only and Germany-only storage options. Crucially, encryption keys must belong to the customers – providers can’t access the data, and cloud providers must enable client-side encryption for all data.
Cloud companies must also support multiple tiers of identity management systems, allowing customers to authenticate using external identity providers, non-proprietary open standards, or stateless authentication. Customers must be provided with logging capabilities for all data access activity.
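The data-sovereignty criteria above boil down to two testable properties: the provider stores only ciphertext it cannot open, because the key never leaves the customer, and every read or write of that ciphertext is recorded. The following is an added illustration written for this article, not code from the BSI or from any C3A document; the `CloudStore` class, the principal and object names, and the HMAC-SHA256 counter-mode cipher (an illustrative stand-in for a standard AEAD such as AES-GCM, chosen so the example runs on the Python standard library alone) are all assumptions of this example.

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass, field

NONCE_LEN = 16
TAG_LEN = 32  # HMAC-SHA256 output


def _derive(root_key: bytes, label: bytes) -> bytes:
    """Derive a purpose-bound subkey from the customer-held root key."""
    return hmac.new(root_key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode. Illustrative only; use AES-GCM in production."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def client_encrypt(root_key: bytes, plaintext: bytes) -> bytes:
    """Customer side: encrypt-then-MAC; returns nonce || ciphertext || tag."""
    enc_key, mac_key = _derive(root_key, b"enc"), _derive(root_key, b"mac")
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def is_authentic(root_key: bytes, blob: bytes) -> bool:
    """Constant-time check that the blob was made under this key and not altered."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        return False
    mac_key = _derive(root_key, b"mac")
    body, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    return hmac.compare_digest(hmac.new(mac_key, body, hashlib.sha256).digest(), tag)


def client_decrypt(root_key: bytes, blob: bytes) -> bytes:
    """Customer side: verify the tag before touching the ciphertext."""
    if not is_authentic(root_key, blob):
        raise ValueError("authentication failed: wrong key or tampered ciphertext")
    enc_key = _derive(root_key, b"enc")
    nonce, ct = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN]
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


@dataclass
class CloudStore:
    """Provider side (hypothetical): holds opaque blobs, logs every access, never sees a key."""
    blobs: dict = field(default_factory=dict)
    access_log: list = field(default_factory=list)

    def _record(self, principal: str, action: str, object_id: str, size: int) -> None:
        self.access_log.append({"ts": time.time(), "principal": principal,
                                "action": action, "object_id": object_id, "size": size})

    def put(self, principal: str, object_id: str, blob: bytes) -> None:
        self._record(principal, "put", object_id, len(blob))
        self.blobs[object_id] = blob

    def get(self, principal: str, object_id: str) -> bytes:
        blob = self.blobs[object_id]
        self._record(principal, "get", object_id, len(blob))
        return blob


if __name__ == "__main__":
    key = os.urandom(32)  # constructed for the demo; stays on the customer side
    store = CloudStore()
    store.put("alice@customer", "invoice-2024", client_encrypt(key, b"confidential invoice"))
    print(client_decrypt(key, store.get("alice@customer", "invoice-2024")))
    for entry in store.access_log:
        print(entry)
```

The provider-side object is deliberately key-free: the only way to turn a stored blob back into plaintext is `client_decrypt` with the customer's root key, and any modification of the blob in storage fails the tag check before decryption is attempted. The access log gives the customer the per-access trail the criteria call for; in a real deployment it would be exported to the customer's own SOC rather than kept in the provider's memory.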
Operational Sovereignty: requires personnel with logical or physical access to services to be EU or German citizens. Remote work access paths must be located in the EU. Cloud companies must also ensure redundant and independent connectivity with at least one EU-based provider, maintain European SOC (Security Operations Center) capabilities, and retain control over security updates.
“The cloud service provider MUST be able to disconnect all non-EU network connections to the cloud without an impairment of the availability, integrity, authenticity, and confidentiality of the cloud service,” one of the requirements reads.
Supply Chain Sovereignty: requires providers to map software, hardware, and external service components, including country of origin, and have substitution plans for critical non-EU dependencies if they fail or get restricted.
Technology Sovereignty: requires cloud companies to have their current source code backups and documentation in the EU. They must continue secure service delivery even if key third parties are disconnected or main dependencies are disrupted.
US tech sees EU regulations as a “barrier to entry”
BSI Vice President Thomas Caspers explained that the C3A criteria incorporate practical experience and were developed in collaboration with national and international cloud providers with whom they have cooperation agreements.
The BSI says that because of the shared responsibility model, cloud companies control the infrastructure, limiting customers’ options. The C3A should help assess the level of independence customers will actually have before signing up.
C3A builds on C5, BSI’s cloud attestation scheme introduced in 2016, which helps cloud vendors demonstrate operational security against common cyberattacks.
C3A is based on the European Cloud Sovereignty Framework (CSF), a European Commission document that defines what constitutes a sovereign cloud across strategic, legal, operational, and technological dimensions. The EU put real money behind it by launching a €180 million tender for sovereign cloud services last year.
The US tech industry previously criticized the EU regulation design, calling it “a de facto barrier to entry, distorting competition in favor of domestic or EU-based providers.”