
1 Introduction
1.1 Cloud Computing and digital sovereignty

Digital sovereignty describes the abilities and opportunities of individuals and institutions to perform their role(s) in the digital world independently, self-determinedly (autonomously) and securely. The decision to use cloud services is based on the shared responsibility model, under which responsibility is shared between the cloud service provider and the cloud service customer. This model inherently limits the scope of decisions that the cloud service customer is able to take, including those that impact the customer's digital sovereignty. Cloud service providers can enable their cloud service customers to maintain the desired degree of self-determination in various ways — or not. To ensure transparency and enable cloud service customers to make risk-based decisions in this context, there is a need for generally recognized, objective, and verifiable criteria for self-determination, i.e. autonomy. C3A (Criteria enabling Cloud Computing Autonomy) provide a set of criteria for assessing whether a given set of cloud services allows for self-determined use within its respective risk context. C3A are a guiding framework and are intended to increase transparency. The C3A Framework is not binding in itself.

1.2 EU Cloud Sovereignty Framework and BSI C5:2026 as the C3A foundation

C3A adopt the structure (categorization) and objectives of the [European Union's Cloud Sovereignty Framework](https://commission.europa.eu/document/09579818-64a6-4dd5-9577-446ab6219113_en) (EU CSF). In addition, the contributing factors of the EU CSF are reflected in the verifiable criteria of the C3A, but are expanded to include further aspects. Two areas of the EU CSF are intentionally not covered by the C3A: SOV-7 Security & Compliance Sovereignty is already covered by established BSI publications such as [C5:2026](https://www.bsi.bund.de/EN/Themen/Unternehmen-und-Organisationen/Informationen-und-Empfehlungen/Empfehlungen-nach-Angriffszielen/Cloud-Computing/Kriterienkatalog-C5/C5_2025/C5_2025_node.html), [IT-Grundschutz](https://www.bsi.bund.de/EN/Themen/Unternehmen-und-Organisationen/Standards-und-Zertifizierung/IT-Grundschutz/it-grundschutz_node.html) or the [HA Benchmark compact](https://www.bsi.bund.de/EN/Themen/Unternehmen-und-Organisationen/Informationen-und-Empfehlungen/Empfehlungen-nach-Angriffszielen/Hochverfuegbarkeit/HVB-kompakt/HVB-kompakt_node.html). The aspects of SOV-8 Environmental Sustainability lie outside BSI's area of responsibility. C3A presupposes that the cloud service provider meets the C5 criteria, as they reflect the security aspect of the sovereignty definition. C5:2026 also includes criteria covering aspects in the overlap of autonomy and security.

1.3 Structure

C3A is divided into criteria and additional criteria. Supplementary information is provided for some of the criteria. Depending on the use case and the requirements of the cloud service customer, it can be determined which criteria and which additional criteria apply.

- **Criterion**: These criteria help to define concrete requirements for an autonomous use of cloud services. The set of criteria helps to improve transparency and to measure the self-determination of cloud services.
- **Additional Criterion**: Additional criteria raise the bar on existing requirements or expand the scope of autonomy. It is up to the cloud service customers to request an additional criterion according to their digital sovereignty needs.
- **Supplementary Information**: Additional information on the criteria, e.g. the scope, exceptions or external references.

1.4 Terms of Use

C3A can be used by cloud service providers as well as cloud service customers:

- A cloud service provider can demonstrate compliance with criteria by providing evidence. To do so, the cloud service provider should select which criteria apply to the respective set of cloud services and then provide the relevant evidence through an audit.
- A cloud service customer can use the framework to identify criteria within the various domains that they consider relevant. By using the framework, cloud service customers can define their baseline level of sovereignty in the context of cloud computing and, for the audited services, assess the fulfilment of the criteria identified as important.

1.5 Definitions

In the following, definitions are provided for key terms used in this document. The definitions are derived from the BSI's IT-Grundschutz-Kompendium and the international standard ISO/IEC 22123:2023 (Information Technology - Cloud Computing - Part 1: Vocabulary):

- **Account data**: Class of data specific to each cloud service customer that is required to administer the cloud service. Account data (e.g. payment information, contact information, etc.) is typically generated when a cloud service is purchased and is under the control of the cloud service provider.
- **Authenticity**: Feature of information in which changes can be uniquely assigned to an originator.
- **Availability**: The accessibility of information, services, and functions of an IT system, IT applications or IT networks as intended.
- **Cloud computing**: Paradigm for enabling network access to a scalable and elastic pool of shared physical or virtual resources with self-service provisioning and administration on-demand. Examples of resources include servers, operating systems, networks, software, applications, and storage equipment. Self-service provisioning refers to the provisioning of resources provided to cloud services performed by cloud service customers through automated means. The term cloud is synonymous with cloud computing and will also be used in the C3A.
- **Cloud service**: Information technology service offered via cloud computing. This includes infrastructure (e.g. computing power, storage space), platforms and software.
- **Cloud service provider**: Natural or legal person providing a cloud service.
- **Cloud service customer**: Natural or legal person who has a business relationship with the cloud service provider for the purpose of using the cloud service.
- **Cloud service customer data**: Class of data objects under the control, by legal or other reasons, of the cloud service customer that were input to the cloud service (including credentials to control access to information or other resources), or resulted from using the functionalities of the cloud service by or on behalf of the cloud service customer via the published interface of the cloud service.
- **Cloud service derived data**: Class of data objects under cloud service provider control that are derived as a result of interaction with the cloud service by the cloud service customer. Cloud service derived data includes the portion of log data containing records of who used the service, at what times, which functions, types of data involved and so on. It can also include information about the numbers of authorized users and their identities. It can also include any configuration or customization data, where the cloud service has such configuration and customization functionalities.
- **Cloud service provider data**: Class of data objects, specific to the operation of the cloud service, under the control of the cloud service provider. Cloud service provider data includes but is not limited to configuration and utilization information of system components, storage and network resource allocations, physical and virtual resource failure rates, operational costs and so on.
- **Confidentiality**: The ability of information to be made available or disclosed only to authorized persons, entities and processes in a permissible manner.
- **Integrity**: The ability of information to be complete, accurate (correct, undamaged) and protected from manipulation and unintentional or erroneous alteration.
