
Germany Stack and C3A: Digital sovereignty is finally taking shape

Written By Sebastian Deck
June 2, 2026

Q4 2026 marks the start of the trial phase of the Germany Stack - and with C5:2026, C3A and the EUCS sovereignty grid, digital sovereignty will be measurable for the first time in 2026. Three BSI and EU catalogs now answer the three questions that have so far caused cloud procurement to fail.

Everyone is talking about "digital sovereignty" for cloud solutions. But how secure is really secure? How much self-determination is necessary, how much makes sense? How European should a realistic tech stack be? And: What does this mean for procurement, IT and management in regulated industries - and which four levers are immediately effective?

The situation: the buzzword becomes a blueprint

The Deutschland-Stack (D-Stack) is a framework consisting of five elements - target vision, ecosystem, standards, portfolio, technology - and is due to be completed by the end of 2027. The BMDS, headed by Matthias Burgfried, and the Federal Office for Information Security (BSI) are in charge. B1 Systems, Noris Network and Secunet, among others, are involved, supported by the Sovereign Cloud Stack (SCS) as an open source foundation.

The first test phase will start in the fourth quarter of 2026, and the test environment for the German EUDI wallet has been announced for early 2027. The maturity of the preparatory work is remarkable: around 960 pages of consultation feedback and over 800 openly documented issues - a stack that is being developed under real load, not on the drawing board.

Experience shows that the success of such initiatives stands and falls with a single question: How can procurement recognize a sovereign solution in the procurement process? This question was answered a few weeks ago.

Three certifications, three clear answers

The BSI and the EU have delivered three building blocks that together provide operational guidance for digital sovereignty for the first time:

C5:2026 answers the security question. The revised version of the Cloud Computing Compliance Criteria Catalogue takes into account CSA Cloud Controls Matrix v4, ISO/IEC 27001:2022 and the NIS2 Directive and adds thematic focuses on container management, supply chain security, post-quantum cryptography, confidential computing and client separation (BSI, 07.04.2026).

C3A (Criteria enabling Cloud Computing Autonomy) answers the question of sovereignty. While C5 checks how secure a cloud service is, C3A checks how self-determined its use remains (see also: Vergabeblog, 30.04.2026). The toughest test criterion is the Disconnect Capability (SOV-4-09-C): The service must continue to run without loss of availability, integrity, authenticity and confidentiality if it is disconnected from the platform of a non-European operator.

EUCS answers the European connection question. The EU-wide cybersecurity certification scheme works with eight sovereignty objectives (SOV-1 to SOV-8) and the SEAL levels, which we have broken down in detail here: "Cloud Sovereignty Framework - how the EU is finally making cloud sovereignty measurable".

The sequence is remarkable: the national sovereignty criterion (C3A) comes first, followed by the European consensus (EUCS). For the first time, anyone responsible for cloud procurement now has a closed test grid in their hands - and no longer has to derive what can be considered "sovereign" from ISO 27001 building blocks and marketing brochures. We have set out here what the C3A criteria actually mean for SMEs, clinics, law firms and public authorities: "BSI makes cloud sovereignty measurable: what the new C3A criteria mean for companies".

Where sovereignty makes sense - and where it doesn't have to be

The second piece of good news about the new catalogs is that they do not force anyone to go into full lockdown. C3A and EUCS make it explicit that sovereignty is applied according to protection needs, not according to a blanket "all or nothing" approach. This is in line with the BSI line, which focuses on "controllable dependencies" rather than self-sufficiency.

Experience has shown that workloads can be sorted into three categories:

Sovereignty is mandatory. Client confidentiality, patient data, classified information, regulated consulting files, financial and official communication, ePA connections, M&A documents. This is where C3A Disconnect Capability and SEAL levels on EUCS High come into play.

Sovereignty makes strategic sense. Collaboration in regulated industries, document storage with client and patient reference, e-signature, identity and key management. This is where C5:2026 plus C3A modules pay off directly in tenders.

Sovereignty is optional. Public marketing assets, public product information, web analytics without personal reference. Classic C5 or ISO 27001 security is sufficient here.

This differentiation was not clearly possible before C3A. Now it is - and for the first time, procurement decisions can be documented in a way that IT management, data protection and executive management can follow.

Four levers that companies can implement immediately

  1. Add a C3A reference to tender criteria. Explicitly refer to the Disconnect Capability (SOV-4-09-C) and C5:2026 - not just to ISO 27001 or "EU data center".

  2. Check cloud contracts against the applicable law. The decisive factor is not the zip code of the data center, but the jurisdiction of the contractual partner. Background: "Data protection in the cloud - US laws versus GDPR".

  3. Link protection requirement classes with the three sovereignty levels. Experience has shown that one hour of a management workshop is enough to define level 1, 2 or 3 for each workload category.

  4. Rehearse the exit scenario once. One disconnect test per year clarifies faster than any compliance discussion whether a provider can really be used in a sovereign manner - and at the same time strengthens resilience against failure and lock-in risks.


If you pull these four levers, you have taken care of the operational part of the sovereignty debate - and can conduct the strategic discussion at eye level. The CISPE initiative from March, in which 25 European cloud CEOs called for clear procurement rules, shows how the industry is supporting this politically (heise, 18.03.2026). With C3A and EUCS, these demands are now being given a technical benchmark.

Sovereign infrastructure as a foundation - why SecureCloud actively welcomes this development

SecureCloud operates its platform 100% in Germany on its own hardware at noris network AG, BSI C5 and ISO 27001 certified, without a US parent company and without third country access. SecureShare, SecureWork, SecureSign and SecureMail are designed precisely for the use cases that are now neatly addressed with the C3A standard: Law firms, tax consultancies, clinics, banks and financial service providers, public authorities and industry.

We see the release of C3A and the trial phase of the Germany Stack for what they are: a long overdue common ground on which sovereign providers, procurement and users speak the same language for the first time.

Conclusion: Three answers, one standard

In 2026, digital sovereignty has gone from being a political demand to a verifiable procurement criterion. C5:2026 says how secure. C3A says how self-determined. EUCS says how European. Anyone who organizes their cloud strategy along these three answers now has clear guidance - and a measurable benchmark for any future discussion.




Sebastian Deck

Sebastian Deck is Chief Marketing Officer (CMO) at SecureCloud and is responsible for brand strategy, communications and marketing. He has many years of experience in building and leading international marketing teams in consulting, fintech and technology companies. At SecureCloud, he drives brand positioning, thought leadership and lead generation. He also manages go-to-market initiatives and campaigns to position SecureCloud as a leading provider of cyber security and secure cloud services.
