Germany and the Concept of Cloud Sovereignty

The “technology sovereignty” of a cloud service implies that the provider keeps, within the EU, a source code backup that is no older than 24 hours and includes at least five versions.

The BSI (Germany’s counterpart to France’s ANSSI) has enshrined this requirement in its C3A framework (Criteria enabling Cloud Computing Autonomy). The C3A transposes the European Commission’s Cloud Sovereignty Framework into concrete criteria. With that document, the Commission established a reference framework to assess the sovereignty of cloud offerings in the context of public procurement.

The Cloud Sovereignty Framework provides an analytic grid organized around eight objectives. For each objective, one can determine a level of assurance on a five-step scale (from “no sovereignty” to “full digital sovereignty”). And one can compute a “sovereignty score,” weighted by objective.

The EU has faced criticism over the weighting it proposes. The BSI does not address this aspect. It focuses on implementing the criteria of the Cloud Sovereignty Framework, not without extending some of them. Two objectives are nevertheless left out: security/compliance (already covered by publications such as C5, “the German SecNumCloud”) and environmental considerations (not within the agency’s remit).

The criteria for evaluating offerings are to be selected “à la carte,” depending on the use cases. Some are described as “additional”: they raise the level of requirements or broaden their scope.

Strategic Sovereignty

Whether it concerns jurisdiction, the location of the headquarters, or effective control, the BSI introduces a dual EU–Germany lens. Which of the two applies is chosen on a case-by-case basis.

As for the criterion on the headquarters’ location, the agency specifies that it also covers potential subcontractors. It adds that “effective control” means the ability to exert direct or indirect influence over key strategic, financial, or operational decisions.

Another criterion to assess is advance notice to customers, at least 90 days ahead, of events that could affect the C3A controls associated with a service (ownership changes, equity changes, governance changes, etc.).

Legal and Jurisdictional Sovereignty

The C3A includes a criterion requiring a CSP to identify, at least once per year, any extraterritorial law that directly relates to its services and that has cross-border implications for their availability, and for the confidentiality and integrity of client data.

The BSI has also established a criterion relating to the state of defense—Germany’s legal framework distinguishes this from states of tension, internal emergency, and catastrophe. If an EU member state—or only Germany, as an option—declares such a state of defense, it must be able, within the limits of legal possibilities, to assume control of cloud operations, with the necessary physical assets and personnel. This means that the CSP must have documentation, source code, and administration tools in a portable format, the framework clarifies.

Data Sovereignty

The C3A distinguishes client data, data relating to accounts, and so-called “derived” data (resulting from interaction with cloud services). For client data, two criteria on localization of storage and processing are proposed: EU or Germany. For the other data types, the framework offers only the EU option.

Regarding external management of encryption keys, the expectation is that the CSP offers this for IaaS and PaaS, or that it provides functionally equivalent mechanisms. The option is rarer for SaaS, the BSI acknowledges, but it should be offered if it is “technically feasible and appropriate.”

Another element expected: enabling the integration of third-party identity providers. Among the additional criteria there are notably:

  • Implement this integration using open standards
  • Support a stateless authentication model that avoids storing accounts in the CSP’s directory
  • Authorization controllable via dynamic claims and attributes issued directly by the identity provider
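The three additional criteria above describe a resource server that trusts an external identity provider and keeps no account directory of its own. The following added example (not part of the original article or of any BSI publication) shows that shape in plain Python: a bearer token issued by the identity provider is verified statelessly (signature, pinned algorithm, issuer, audience, expiry) and the authorization decision is derived entirely from claims the identity provider put in the token (`tenant`, `roles`). The issuer URL, audience name, shared secret and claim names are constructed for the example; a real deployment would verify an asymmetric signature against the provider’s published keys rather than the HS256 secret used here so the code runs on the standard library alone.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed values for this example. In production the verifier holds the
# identity provider's public signing key (e.g. from its JWKS endpoint); a
# shared HS256 secret is used here only so the example runs offline.
IDP_SECRET = b"example-shared-secret-not-for-production"
EXPECTED_ISSUER = "https://idp.example.eu"    # hypothetical external identity provider
EXPECTED_AUDIENCE = "storage-api"             # hypothetical CSP service


def b64url_decode(segment: str) -> bytes:
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def mint_token(claims: dict, key: bytes = IDP_SECRET) -> str:
    """Stand-in for the identity provider: sign a claim set with HS256."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"


def verify_token(token: str, key: bytes = IDP_SECRET, now: Optional[float] = None) -> dict:
    """Stateless verification: no lookup in any local account store."""
    now = time.time() if now is None else now
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm; never let the token's own "alg" choose the verifier.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(body_b64))
    if claims.get("iss") != EXPECTED_ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if aud != EXPECTED_AUDIENCE and not (isinstance(aud, list) and EXPECTED_AUDIENCE in aud):
        raise ValueError("wrong audience")
    if "exp" not in claims or now >= claims["exp"]:
        raise ValueError("token expired")
    return claims


def authorize(claims: dict, action: str, resource_tenant: str) -> bool:
    """Decide from claims only: the identity provider's attributes drive access."""
    if claims.get("tenant") != resource_tenant:
        return False                      # attribute-based tenant isolation
    roles = set(claims.get("roles", []))
    if action == "read":
        return bool(roles & {"reader", "admin"})
    if action == "write":
        return "admin" in roles
    return False


def handle_request(token: str, action: str, resource_tenant: str,
                   now: Optional[float] = None) -> str:
    """Minimal request handler returning an HTTP-style status line."""
    try:
        claims = verify_token(token, now=now)
    except ValueError as exc:
        return f"401 {exc}"
    if not authorize(claims, action, resource_tenant):
        return "403 forbidden"
    return f"200 {action} by {claims['sub']}"


if __name__ == "__main__":
    token = mint_token({"iss": EXPECTED_ISSUER, "aud": EXPECTED_AUDIENCE, "sub": "alice",
                        "tenant": "acme", "roles": ["reader"], "exp": time.time() + 300})
    print(handle_request(token, "read", "acme"))    # 200 read by alice
    print(handle_request(token, "write", "acme"))   # 403 forbidden
```

Because nothing about the subject is stored on the CSP side, revoking or changing a user’s rights is done at the identity provider (new claims on the next token), which is exactly the controllability the third criterion asks for; the trade-off is that a token stays valid until `exp`, so short lifetimes matter.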

There is also a criterion for supervision: the ability to record, retain, and consult logs of access to client data. And, possibly (additional criteria), to enable granular filtering and provide real-time access to data streams via standardized APIs.

The C3A adds a criterion for encryption of client data, with a key available exclusively outside the CSP’s environment.

Operational Sovereignty

A dual geographic lens is also applied to operational staff. One criterion requires that the personnel involved be both citizens and residents of EU countries. The Germany-only criterion concerns residence (not necessarily citizenship). The staff in question includes anyone with logical or physical access to the operating infrastructure. It also covers customer support and all individuals who perform a governance role for the CSP.

The C3A also makes another geographic distinction regarding teleworking. It requires, on the one hand, that administrative access to the systems used to operate the services be restricted to the EU. On the other hand, any access performed outside the EU—or outside Germany—should, in general, be subject to technical restrictions.

Connectivity: At Least One Alternate EU-Based Provider

The framework includes a criterion for redundant connectivity. In case of disruption affecting one provider, failover to other providers must allow the SLAs to be maintained. At least one of these alternative providers must be located in the EU. And, potentially (additional criterion), these providers must not be part of the CSP’s corporate structure.

The same redundancy logic applies to the SOC. Depending on the option selected, it must be located in the EU or in Germany. In the event of a disconnection, the CSP must be able to deliver an autonomous SOC that is also located in the EU or in Germany.

The C3A also includes a criterion concerning updates and operational data. They must be received and validated within a secured network zone controlled by the CSP, which must also check the updates for vulnerabilities. Optionally, the CSP may implement this network zone on dedicated physical systems.

Still within operational sovereignty, the C3A mandates monitoring of any data exchange between the CSP and third parties. This should be reflected in the documentation of the data types involved and the data flows.

CSPs must also be able to disconnect all connections to networks outside the EU, without compromising the availability, integrity, authenticity, and confidentiality of their services. This includes heartbeats and license servers, as noted. CSPs must test their disconnect procedures and ensure they operate independently of non-European entities. They must be able to restore connectivity and have a process to install updates if the environment has been offline for up to 90 days.

Supply Chain Sovereignty

For each service, the CSP is expected to identify the software components and their countries of origin. It should provide clients, on request, with a “list of relevant suppliers.” All while maintaining a process to identify and mitigate dependencies, including preserving an architectural flexibility that supports substitutions.

This same logic applies to hardware dependencies and dependencies on external services. The C3A adds the need for a process to identify and mitigate risks related to export restrictions and disruptions to the supply chain.

Technological Sovereignty

The requirements for backup of the source code must enable operation without relying on external dependencies. This includes the build scripts and deployment toolchains. The backup must be accompanied by documentation that enables continued development of the code.

The C3A also establishes as a criterion the existence of contingency strategies in case of disconnection from third parties: alternate software vendors, internal remediation capabilities, compensating security controls, and so on. It may ultimately require (an additional criterion) that the CSP has its own teams and local environments to compile, test, and deploy security patches independently. In all cases (the primary criterion), it is ensured that only authorized personnel have access to the environments necessary to maintain the services, and that contingency procedures exist.

Dawn Liphardt

I'm Dawn Liphardt, the founder and lead writer of this publication. With a background in philosophy and a deep interest in the social impact of technology, I started this platform to explore how innovation shapes — and sometimes disrupts — the world we live in. My work focuses on critical, human-centered storytelling at the frontier of artificial intelligence and emerging tech.