Cloud Computing Autonomy Criteria
C3A v1.0 · BSI — Bundesamt für Sicherheit in der Informationstechnik · 2026
The C3A defines criteria for cloud computing autonomy, covering sovereignty objectives SOV-1 through SOV-6. It is designed for German entities and references BSI standards. The binary pass/fail model separates base criteria (mandatory) from additional criteria (customer-selected per C3A §1.4).
Scoring model
Binary pass/fail per criterion. No partial credit. Attainment bands: Not Attained (<50%), Partially Attained (50–74%), Substantially Attained (75–89%), Fully Attained (≥90%). Layer A criteria (critical sovereignty prerequisites) gate overall attainment — any Layer A failure results in "Not Attained" regardless of % met.
Objectives & weights (49 questions)
Covers SOV-1 through SOV-6 only (no SOV-7 Security or SOV-8 Environmental). 33 base questions and 16 additional questions in the tool. Source has 45 base criterion IDs + 15 additional IDs; tiered questions cover 2 IDs each.
| Objective | Weight | Questions |
|---|---|---|
| SOV-1 Strategic Sovereignty | 15% | 4 |
| SOV-2 Legal & Jurisdictional Sovereignty | 10% | 3 |
| SOV-3 Data & AI Sovereignty | 10% | 14 |
| SOV-4 Operational Sovereignty | 15% | 16 |
| SOV-5 Supply Chain Sovereignty | 20% | 8 |
| SOV-6 Technology Sovereignty | 15% | 4 |