Cloud Security as a German Export: C5, Sovereign Cloud, and Europe’s Advantage
AWS has extended its BSI C5 attestation to 183 services across nine regions in 2025, Singapore among them. A German security framework is thus serving as a reference standard in Asia. The Schwarz Group is investing 11 billion euros in STACKIT, SAP is pouring 20 billion into its Sovereign Cloud. And according to Gartner, Europe’s sovereign cloud spending will triple from 2025 to 2027. Cloud Security Made in Germany is no longer a niche product; it is an export commodity with a growing global market.
TL;DR
- C5 as an export standard: AWS already uses the BSI-C5 attestation in 9 regions worldwide, including Singapore – a German security framework with a global footprint
- Sovereign Cloud boom: Europe’s spending will triple from $6.9 billion (2025) to $23.1 billion (2027), with global spending reaching $80 billion in 2026 (Gartner)
- German players: STACKIT (11 billion euro investment), SAP Sovereign Cloud (20 billion), T-Systems (Copernicus partner, Google Sovereign model)
- Regulatory advantage: NIS2, the EU Data Act, and the CRA structurally favor providers with European jurisdiction and verifiable data sovereignty
- German cloud market: 20 billion euros in 2025 (+17%), 90% of companies use cloud services, 82% want no US dependency (Bitkom)
The C5 Attestation: How a German Standard Is Conquering the World
The Cloud Computing Compliance Criteria Catalogue (C5) was introduced by the BSI in 2016 and fundamentally revised in 2020. It defines minimum requirements for secure cloud services across 17 domains with around 125 individual criteria. There are two attestation types, both issued by an independent auditor under ISAE 3000: a Type 1 report assesses the suitability of the design and the implementation of the controls at a specific point in time, while a Type 2 report additionally evaluates their operating effectiveness over a defined period.
What sets C5 apart from other frameworks is its exportability. In 2025, AWS completed its C5 Type 2 attestation for 183 services (up from 179 in 2024 and 170 in 2023, a clear upward trend). Nine regions are in scope: Frankfurt, Ireland, London, Milan, Paris, Stockholm, Spain, Zurich, and Singapore. A German security framework whose attestation scope now extends to an Asian region is not theoretical export success; it is documented reality. One caveat for practitioners: C5 scope is defined per service and per region, so a workload is only covered if every service it uses appears in the attested service list and runs in an attested region. The exact scope is stated in the provider’s C5 report (for AWS, available through AWS Artifact), not in the marketing announcement.
Since July 1, 2025, a C5 Type 2 attestation has been legally required under §393 SGB V for cloud services that process health and social data; a Type 1 attestation had already been required since July 2024. The C5:2025 update (Community Draft) explicitly aligns the standard with the European EUCS framework at the Substantial level. This makes C5 a bridge between a German national standard and European harmonization.
In international comparison, C5 sits between the US FedRAMP program (limited to US federal government procurement) and France’s SecNumCloud (stricter, but nationally confined). FedRAMP is based on NIST SP 800-53 and applies only to cloud services sold to US federal agencies. SecNumCloud, developed by France’s ANSSI, sets the highest bar in Europe but structurally excludes US hyperscalers because it requires immunity from non-EU jurisdictions. C5, by contrast, is attested by independent public accountants under ISAE 3000, is technology-neutral, and travels well across borders, making it the most internationally successful of the three frameworks.
The practical proof: US hyperscalers had to obtain C5 attestations to remain competitive in the German and European enterprise market. AWS invests annually in expanding its C5 scope (from 170 services in 2023 to 183 in 2025). Microsoft Azure and Google Cloud have also secured C5 attestations. What began as a purely German standard has effectively become a market access requirement for the EU cloud market. This is cloud security as an export product in its purest form: not the German cloud itself being exported, but the German security framework.
Sources: AWS Blog 2025, Gartner February 2026, Bitkom Cloud Report 2025
STACKIT, SAP, T-Systems: Three German Models for Sovereign Cloud
STACKIT (Schwarz Group) is Germany’s most ambitious sovereign cloud project. The Schwarz Group (Lidl, Kaufland) is investing 11 billion euros to build its own cloud platform. STACKIT received its C5 Type 1 attestation at the end of 2023, followed by Type 2 in 2024. Additional attestations and certifications include a SOC 2 report under ISAE 3000, ISAE 3402, and ISO 27001. This combined package lets the Schwarz Group’s international customers run on a single compliance baseline. In parallel, STACKIT collaborates with Google on sovereign workplace solutions, a hybrid model that combines European control with hyperscaler functionality.
SAP Sovereign Cloud (Delos) takes a different approach. SAP established its subsidiary Delos as a dedicated sovereign cloud unit and announced a 20 billion euro investment program. The positioning: SAP’s core software running on European-controlled systems. For companies that rely on SAP as the backbone of their business processes (which includes most large German enterprises), a sovereign SAP cloud is not a technological preference but a strategic necessity, driven by regulatory compliance rather than by technical superiority.
T-Systems operates two models simultaneously. The Open Telekom Cloud is an internationally available OpenStack platform with customers in 195 countries and a 2025 IT Award Gold for Sovereign Cloud. In parallel, T-Systems partners with Google on a specific sovereign cloud model where T-Systems acts as the data trustee – all data and control remain under German law. This “hyperscaler capacity, German control” model is being discussed as a blueprint for other markets. T-Systems is also a partner in the EU’s Copernicus Data Space Ecosystem – the European Earth observation program runs on German cloud infrastructure.
The Sovereign Cloud Market Is Exploding
The numbers from Gartner (February 2026) reveal the scale: global sovereign cloud IaaS spending will reach $80 billion in 2026 – a 35.6% increase over 2025. Europe will surpass North America in sovereign cloud IaaS spending for the first time in 2027.
The European figures in detail: $6.9 billion in 2025, $12.6 billion in 2026 (+83%), and $23.1 billion in 2027. A tripling in just two years. The drivers are geopolitical tensions, uncertainty over US cloud legislation (CLOUD Act), and the EU Commission’s Digital Sovereignty Strategy.
For German cloud providers, this represents a historic opportunity. The German cloud market is growing by 17% to 20 billion euros, according to the Bitkom Cloud Report 2025. Data center investments in Germany alone reached 12 billion euros in 2025. Ninety percent of German companies now use cloud applications – up from 81% the previous year. And the demand for sovereignty is massive: 82% want no technical dependency on US cloud providers. Yet 78% feel they are already dependent in practice. Eighty-two percent would prefer hyperscalers from Germany or Europe. The Bitkom report’s title sums it up: “The Economy Calls for a German Cloud.”
The gap between aspiration and reality is the market. Eighty-two percent want European cloud solutions, but only a handful of European providers can match the functionality of US hyperscalers. This is where the German models come in: T-Systems as a data trustee over Google infrastructure, STACKIT as a fully European alternative, and SAP as a sector-specific sovereign cloud for ERP workloads. No single approach will serve the entire market, but together they cover the most critical enterprise segments.
NIS2, Data Act, and CRA: The Regulatory Triangle
Three EU regulations together create an environment that structurally favors European cloud providers.
NIS2 directly regulates cloud providers: risk management, incident reporting, business continuity, and supply chain security are mandatory. The directive itself has applied since October 2024; Germany’s implementing act (NIS2UmsuCG) has been in force since December 2025. Cloud service providers serving critical infrastructure (KRITIS) customers fall under the regulation in their own right. The BSI estimates around 30,000 affected companies, and C5 is becoming the preferred evidence for NIS2 compliance in the cloud layer.
The EU Data Act (applicable since September 2025) addresses switching barriers and protection against extraterritorial data access. Cloud providers must take all reasonable technical, organizational, and legal measures to prevent third-country government access to EU-held non-personal data where such access would conflict with EU or member state law. Penalties are set by the member states; where personal data is involved, GDPR-level fines of up to 4% of global annual revenue apply. For providers under US CLOUD Act jurisdiction, this is a structural problem. For European providers with a C5 attestation, it is a competitive advantage.
The Cyber Resilience Act (CRA) (full obligations from December 2027, with vulnerability reporting obligations starting earlier in September 2026) requires security by design, vulnerability handling, and security updates for all products with digital elements. Cloud services are covered only insofar as they are remote data processing solutions essential to a product’s functions; stand-alone SaaS is out of scope. Combined with the BSI’s push for post-quantum cryptography migration, the CRA creates requirements that only providers with deep security architectures can meet.
GAIA-X: From Paper Tiger to Trust Framework
GAIA-X has evolved. The original vision of a “European AWS” was never realized. Instead, what emerged is a functional certification system for trustworthy cloud services. At the 2025 Summit in Porto, the Trust Framework 3.0 “Danube” was released, enabling geographic and sectoral expansions.
The real progress: five providers (Cloud Temple, Thesee DataCenter, OPIQUAD, OVHcloud, and Seeweb) have achieved the highest GAIA-X Label Level 3. CISPE has committed to providing up to 3,000 GAIA-X-labeled services by November 2025. The CISPE Sovereign Cloud Manifesto from July 2025 outlines five themes and 20 concrete measures for sovereign cloud infrastructure in Europe.
GAIA-X isn’t a competitor to hyperscalers, but a trust framework that gives European providers a verifiable trust label. In a world where 82% of German companies want European cloud alternatives, this is a tangible market advantage. The strategic connection: GAIA-X certification combined with C5 attestation forms the strongest European cloud security package a provider can offer. For companies subject to NIS2 and needing GDPR compliance, this combination significantly reduces compliance efforts.
The criticism of GAIA-X remains valid: the original ambitions weren’t met, governance complexity slowed progress, and relevance for individual CIOs is limited. But as an infrastructure layer for data sovereignty in regulated sectors (healthcare, finance, public administration), GAIA-X is increasingly establishing itself as the standard needed to demonstrably meet European compliance requirements.
The Export Advantage: Why German Cloud Security Is in Global Demand
The C5 attestation demonstrates the mechanism: a standard strict enough to build trust yet flexible enough to work internationally. SecNumCloud (France) is stricter but structurally excludes US hyperscalers – limiting its reach. FedRAMP (US) applies only to US government contracts. C5 occupies the middle ground: high standards, international applicability, and technology neutrality.
For German companies like T-Systems, STACKIT, and SAP, this means their cloud infrastructure and security architecture are internationally exportable because they’re based on a standard that even hyperscalers accept. The T-Systems model (hyperscaler technology under German data trusteeship) could become an export model for other countries seeking cloud functionality without sacrificing data sovereignty.
The Made-for-Germany initiative – with 735 billion euros in investment – will channel some of these funds into cloud infrastructure. And the regulatory cascade (NIS2, Data Act, CRA, EUCS) creates a market where compliance isn’t a cost factor but a selling point. Cloud Security Made in Germany is thus transforming from a location-based safeguard into an export product.
In October 2025, CISPE explicitly warned against US hyperscalers marketing “cloud sovereignty” without meeting the structural requirements. True sovereignty, they argue, can only be guaranteed by providers with a European headquarters. This is not an abstract debate; it has concrete consequences: companies subject to the EU Data Act must ensure their cloud providers do not pose extraterritorial data access risks. Because the CLOUD Act reaches data in a US provider’s possession, custody, or control regardless of where it is stored, a US provider cannot give this guarantee even if its data center is in Frankfurt.
For the German economy, this creates a threefold advantage. First, German cloud providers benefit from regulation-driven demand (NIS2, Data Act, and CRA create compliance needs that European providers can better address). Second, the C5 framework is in international demand as an export standard because it builds trust without excluding technologies. Third, the combination of research expertise (Fraunhofer, BSI), operational cloud infrastructure (T-Systems, STACKIT, SAP), and regulatory rigor (GDPR, NIS2, Data Act) forms an ecosystem no other European country can match in breadth. France has SecNumCloud but lacks a comparable SME sector with cloud needs. The Netherlands has strong hosting infrastructure but no security standard with C5’s reach. Germany has both – and just needs to market it consistently.
Frequently Asked Questions
What is the BSI-C5 attestation?
The Cloud Computing Compliance Criteria Catalogue from the BSI (Federal Office for Information Security) defines minimum requirements for secure cloud services across 17 domains with around 125 individual criteria. Type 2 attestations evaluate consistent effectiveness over a defined period and have been mandatory for health data since July 2025.
How big is the sovereign cloud market?
According to Gartner, global sovereign cloud IaaS spending will reach $80 billion in 2026. Europe’s spending will triple from $6.9 billion (2025) to $23.1 billion (2027). Europe will surpass North America in sovereign cloud IaaS spending for the first time in 2027.
Which German cloud providers have C5 attestations?
IONOS, PlusServer, q.beyond AG, and STACKIT (Schwarz Digits) are among the certified German providers. AWS, Microsoft Azure, and Google Cloud have also obtained C5 attestations to remain competitive in the European market.
What’s the difference between C5, FedRAMP, and SecNumCloud?
C5 (BSI/Germany) is technology-neutral and internationally exportable. FedRAMP (US) applies only to US government contracts. SecNumCloud (ANSSI/France) is the strictest but structurally excludes US hyperscalers. C5 occupies the middle ground: high standards with broad applicability.
Is GAIA-X still alive?
Yes, but with a more realistic scope than at launch. GAIA-X isn’t a competitor to hyperscalers but a trust framework and certification system. Trust Framework 3.0 “Danube” was released at the end of 2025. Five providers have achieved the highest Label Level 3. CISPE has committed to 3,000 labeled services.
Further Reading
- Supply Chain Security: From Compliance Burden to Competitive Advantage
- Post-Quantum Cryptography: Germany Prepares
- Reboot Germany: 735 Billion Euros, Three SMEs, and the Question of Whether the Crisis Is Really That Bad
Header Image Source: Pexels / Panumas Nikhomkhai (px:1148820)