The C3A criteria catalog addresses the sovereignty dimension of cloud services — from data sovereignty and EU jurisdiction to exit strategy and key control. We make your cloud usage demonstrably sovereign — on hyperscalers as well as on European infrastructure.
EU: sovereignty criteria beyond US CLOUD Act and FISA 702
KRITIS: increased requirements for cloud usage in regulated sectors
Gaia-X: compatible with European sovereignty initiatives
6 dimensions
EU jurisdiction without third-country access
BYOK: key control with the customer
0 lock-in thanks to open standards
The 6 dimensions
Sovereignty is more than just a data location.
Six dimensions decide whether cloud usage is truly sovereign — or whether "sovereign" just remains a marketing term. Each dimension has its own audit criteria, evidence and escalation questions.
01
Data sovereignty
Who controls the data — and where does it sit?
EU localization, end-to-end encryption at rest and in transit, key control with the customer (BYOK / HYOK), traceable data flows and deletion evidence. Control does not stop at the provider; it extends all the way to key management.
Data location EU / DACH (contractually, not just technically)
BYOK / HYOK · external key management
End-to-end encryption, also during processing
Data flows, subprocessor lists, deletion evidence
02
Operational sovereignty
Who operates — and who has admin access?
Operations steered by European teams, clear separation of admin roles, documented emergency and escalation processes. "Sovereign cloud" does not start at the marketing label but at the privileged-access model.
Privileged access only by EU/EEA personnel
Just-in-time access, fully logged
Operational four-eyes principle for admin actions
Emergency and recovery processes under EU control
03
Technological sovereignty
Open standards, portability, no vendor lock-in.
Open interfaces, documented APIs, container and data formats that realistically enable a vendor switch. Sovereignty does not mean "leave the cloud" — but: be able to move at any time, technically and commercially.
Open APIs, OCI / Kubernetes-conformant workloads
Standardized data formats (Parquet, OpenAPI, OSCAL)
Reproducible builds, Infrastructure-as-Code
Exit tests as part of the operational routine
04
Legal sovereignty
EU jurisdiction — no extraterritorial access.
Contractual relationship with an EU entity, exclusive EU jurisdiction, no data access via US CLOUD Act, FISA 702 or comparable third-country regulations. Addresses Schrems II implications and sector-specific supervisory requirements.
Contractual partner headquartered and taxed in the EU
No corporate group with third-country reachback
Schrems II-compliant Transfer Impact Assessment (TIA)
05
Economic sovereignty
Economic dependency is the most invisible form of lock-in. Clear exit paths, cost models without FX risk, multi-cloud options and a documented plan B prevent migration from becoming impossible for business reasons.
Documented exit strategy incl. cost and time plan
Multi-cloud / multi-region as design principle
Cost model in EUR · no hidden egress traps
Local / European providers in the choice
06
Strategic sovereignty
Audit rights, transparency, evidence of trust.
Full audit rights (on request via third parties), transparent subprocessor chains, demonstrable security architecture — backed by C5 attestation, ISO 27001, ISO 27017/27018 and complementary C3A criteria. Trust is demonstrable, not asserted.
Audit rights anchored contractually (right-to-audit)
BSI C5 Type 2 + complementary C3A evidence
Transparent subprocessor and location list
Threat-intelligence and incident reporting to customers
Approach
From target/actual comparison to a demonstrable sovereignty model.
Six steps — modular, document-based and aligned to the maturity of your cloud strategy.
01
Inventory
Capture cloud workloads, data categories, contractual situation and existing evidence (C5, 27001, TISAX).
02
C3A assessment
Target/actual comparison against the 6 dimensions — per service, per data category, per regulatory obligation.
Continuous assessment, surveillance audits, re-assessment on changes to provider or law.
Who needs this
Who needs C3A now.
Sovereignty is no longer a nice-to-have. These sectors feel the pressure first — through supervision, supply chains or customer demands.
Public sector & KRITIS
Federal, state and municipal authorities as well as KRITIS operators that must procure cloud services with demonstrable sovereignty — beyond C5.
Financial services
Banks, insurers and asset managers under BaFin supervision (KAIT/VAIT/BAIT), DORA and ICT third-party regulation.
Healthcare & research
Hospitals, research institutions and pharma companies with particularly sensitive data and rising EU requirements (EHDS, GDPR).
Industrial DACH mid-market
Manufacturing, engineering, automotive — protection of IP, design data and production knowledge from third-country access.
FAQ
Frequent questions on BSI C3A.
What is BSI C3A — and how does it differ from C5?
C3A (Cloud Computing Compliance Criteria Catalogue — Autonomy) addresses the sovereignty dimension of cloud services and complements the information-security-focused C5. While C5 audits "how securely" a cloud is operated, C3A adds "how sovereign": data sovereignty, jurisdiction, operating model, exit capability. The two catalogs are complementary; we recommend an integrated audit program.
Which of the 6 dimensions is in practice the hardest to meet?
In our experience, legal and strategic sovereignty: both break down on closer inspection because of corporate structures, standard contract clauses and missing audit rights. Technological and operational sovereignty, on the other hand, are readily manageable with the right tooling and architectural decisions.
Do we need to leave US hyperscalers to be sovereign?
Not necessarily. Several hyperscalers offer European sovereign-cloud constellations with an EU operator, BYOK/HYOK and contractually hardened third-country exclusion. What is decisive is the demonstrable architecture, not the logo. C3A delivers the assessment grid that lets you distinguish marketing sovereignty from real sovereignty.
How long does a C3A assessment take?
An initial assessment for 5–15 central cloud services typically takes 4–8 weeks, depending on the existing documentation. After that, the action phase and build-up of the evidence structure follow, which takes 6–12 months depending on maturity.
How does C3A relate to Gaia-X and EU CoC?
C3A is compatible: Gaia-X self-descriptions cover large parts of technical and operational sovereignty, the EU Cloud Code of Conduct addresses the GDPR layer. C3A bundles these building blocks into an auditable 6-dimension model and extends them with strategic sovereignty (audit rights, key control, exit tests).
Who audits C3A — and how is evidence provided?
The audit is performed analogously to C5 by independent financial auditors under ISAE 3000 (revised) or IDW PS 860, based on the cloud provider's system description. We support providers in building up their evidence and operators in requesting evidence from their cloud service providers.