Cloud Sovereignty Index
← All frameworks

Cloud Computing Autonomy Criteria

C3A v1.0 · BSI — Bundesamt für Sicherheit in der Informationstechnik · 2026

The C3A defines criteria for cloud computing autonomy, covering sovereignty objectives SOV-1 through SOV-6. It is designed for German entities and references BSI standards. The binary pass/fail model separates base criteria (mandatory) from additional criteria (customer-selected per C3A §1.4).

Scoring model

Binary pass/fail per criterion. No partial credit. Attainment bands: Not Attained (<50%), Partially Attained (50–74%), Substantially Attained (75–89%), Fully Attained (≥90%). Layer A criteria (critical sovereignty prerequisites) gate overall attainment — any Layer A failure results in "Not Attained" regardless of % met.

Objectives & weights (49 questions)

Covers SOV-1 through SOV-6 only (no SOV-7 Security or SOV-8 Environmental). 33 base questions and 16 additional questions in the tool. Source has 45 base criterion IDs + 15 additional IDs; tiered questions cover 2 IDs each.

Objective Weight Questions
SOV-1 Strategic Sovereignty 15% 4
SOV-2 Legal & Jurisdictional Sovereignty 10% 3
SOV-3 Data & AI Sovereignty 10% 14
SOV-4 Operational Sovereignty 15% 16
SOV-5 Supply Chain Sovereignty 20% 8
SOV-6 Technology Sovereignty 15% 4

Source documents

Start C3A assessment → Decisions register