11. March 2026

Cloud Security as a German Export: C5, Sovereign Cloud, and Europe’s Advantage

By 2025, AWS had expanded its BSI-C5 certification to 183 services, with Singapore among the regions in scope. A German security framework is now a reference standard in Asia. The Schwarz Group is investing 11 billion Euros in STACKIT, while SAP is investing 20 billion Euros in its Sovereign Cloud. According to Gartner, Europe’s Sovereign Cloud spending will triple from 2025 to 2027. Cloud Security Made in Germany is no longer a niche product but an export item with a growing global market.

Key Takeaways

  • C5 as an Export Standard: AWS is already using the BSI-C5 certification for 9 regions worldwide, including Singapore, making it a German security framework with a global footprint.
  • Sovereign Cloud Explosion: Europe’s Sovereign Cloud spending will triple from $6.9 billion in 2025 to $23.1 billion in 2027; global spending will reach $80 billion in 2026 (Gartner).
  • German Players: STACKIT (11 billion Euro investment), SAP Sovereign Cloud (20 billion Euro), and T-Systems (Copernicus partner, Google Sovereign Model).
  • Regulatory Advantage: NIS2, EU Data Act, and CRA favor providers with European jurisdiction and verifiable data sovereignty.
  • German Cloud Market: 20 billion Euro in 2025 (plus 17% growth), with 90% of companies using cloud services and 82% wanting to avoid US dependency (Bitkom).

The C5 Attestation: How a German Standard Conquers the World

The Cloud Computing Compliance Criteria Catalogue (C5) was introduced by the BSI in 2016 and underwent a fundamental revision in 2020. It defines minimum security requirements for cloud services across 17 thematic areas, encompassing approximately 125 individual criteria. Two types of attestation reports are available: Type 1 evaluates the design and implementation at a specific point in time, while Type 2 assesses the consistent performance over a defined period.

What sets C5 apart from other frameworks is its exportability. AWS completed its C5-Type-2 attestation report in 2025, covering 183 services (2024: 179, 2023: 170), with a clear upward trend. The regions in scope include Frankfurt, Ireland, London, Milan, Paris, Stockholm, Spain, Zurich, and Singapore. This German security framework is used by AWS as a reference for the Asian market. This is not a theoretical export success but a documented reality.

Since July 1, 2025, the C5-Type-2 attestation report has been legally mandatory for cloud services processing health and social data. The C5:2025 update (Community Draft) explicitly aligns the standard with the European EUCS framework (Level Substantial). This positions C5 as a bridge between the national German standard and European harmonization.

In international comparison, C5 sits between the US FedRAMP (limited to US government contracts) and the French SecNumCloud (strict, but nationally confined). FedRAMP, based on NIST SP 800-53, is exclusively for contracts with US federal agencies. SecNumCloud, by the French ANSSI, sets the highest standards in Europe and excludes US hyperscalers through its restrictions on exposure to non-EU jurisdiction. C5, which is verified by independent auditors under ISAE 3000, is technology-neutral and exportable, making it the most internationally successful of the three frameworks.

The practical proof: US hyperscalers have had to acquire C5 attestation reports to remain competitive in the German and European enterprise markets. AWS invests annually in expanding its C5 scope, from 170 services in 2023 to 183 in 2025. Microsoft Azure and Google Cloud have also obtained C5 attestation reports. An originally purely German standard has become a prerequisite for market access to the EU cloud market. This is cloud security as an export commodity in the truest sense: it is not the German cloud that is being exported, but the German security framework.

  • 183: AWS services C5-certified
  • 3x: EU Sovereign Cloud expansion by 2027
  • 20 billion EUR: German cloud market 2025

Sources: AWS Blog 2025, Gartner February 2026, Bitkom Cloud Report 2025

STACKIT, SAP, T-Systems: Three German Models for Sovereign Cloud

STACKIT (Schwarz Group) is the most ambitious German sovereign cloud project. The Schwarz Group (Lidl, Kaufland) is investing 11 billion Euros in building its own cloud platform. STACKIT received the C5 Type 1 certification at the end of 2023, followed by Type 2 in 2024. Additionally, it holds ISAE 3000 (SOC 2), ISAE 3402, and ISO 27001 certifications. This combined certification package provides international Schwarz Group customers with a unified compliance foundation. Concurrently, STACKIT is collaborating with Google for sovereign workplace solutions – a hybrid model that combines European control with hyperscaler functionality.

SAP Sovereign Cloud (Delos) takes a different approach. SAP has established its own sovereign cloud unit with subsidiary Delos and announced an investment program of 20 billion Euros. The positioning is to run SAP core software on European-controlled systems. For companies that use SAP as the backbone of their business processes (which is the case for most large German enterprises), a sovereign SAP cloud is a strategic necessity – not because it offers better technology, but because it guarantees regulatory security.

T-Systems operates with two models simultaneously. The Open Telekom Cloud is an internationally available OpenStack platform with customers in 195 countries and a 2025 IT Award Gold for Sovereign Cloud. Concurrently, T-Systems operates a specific sovereign cloud in partnership with Google, where T-Systems acts as a data trustee – all data and control remain under German law. This “hyperscaler capability, German control” model is being discussed as a blueprint for other markets. T-Systems is also a partner of the EU Copernicus Data Space Ecosystem – the European Earth observation program uses German cloud infrastructure.

The Sovereign Cloud Market Explodes

According to Gartner’s February 2026 report, global sovereign cloud IaaS spending will reach $80 billion in 2026, a 35.6% increase over 2025. Europe is projected to surpass North America in sovereign cloud IaaS spending by 2027.

European figures in detail: $6.9 billion in 2025, $12.6 billion in 2026 (an 83% increase), and $23.1 billion in 2027. This represents a tripling of the market in just two years. Key drivers include geopolitical tensions, uncertainty surrounding US cloud legislation (CLOUD Act), and the EU Commission’s digital sovereignty strategy.

For German cloud providers, this is a historic opportunity. According to the Bitkom Cloud Report 2025, the German cloud market is expected to grow by 17% to €20 billion. German investments in data centers are projected to reach €12 billion in 2025 alone. 90% of German companies are already using cloud applications, up from 81% the previous year. Additionally, 82% of companies desire sovereignty over their data, yet 78% still feel dependent on US cloud providers. 82% of companies wish for hyperscalers based in Germany or Europe. The report succinctly states: “The economy is calling for a German cloud.”

The gap between desire and reality is the market’s opportunity. While 82% of companies want European cloud solutions, only a handful of European providers can match the functionality of US hyperscalers. This is where German models come into play: T-Systems as a data trustee over Google infrastructure, STACKIT as a fully European alternative, and SAP as a sector-specific sovereign cloud for ERP workloads. No single approach will dominate the entire market, but together they cover the most critical enterprise segments.

AWS, Microsoft, and Google have had to acquire C5 certification to remain competitive in the European enterprise market. What was originally a purely German security standard has become a prerequisite for access to the EU cloud market.

NIS2, Data Act, and CRA: The Regulatory Triangle

Three EU regulations collectively create an environment that structurally advantages European cloud providers.

NIS2 (in force since December 2025) directly regulates cloud providers: risk management, incident reporting, business continuity, and supply chain security are mandatory. Cloud service providers serving critical infrastructure (KRITIS) customers are automatically subject to these regulations. The BSI estimates around 30,000 affected companies, and C5 certification is becoming the preferred compliance proof for NIS2.

The EU Data Act (in effect since September 2025) addresses switching barriers and protection against extraterritorial data access. Cloud providers must ensure that third-country governments cannot access EU data if it conflicts with EU or national law. The penalty framework: up to 4% of global annual revenue. For providers under US CLOUD Act jurisdiction, this presents a structural challenge. For European providers with C5 certification, it offers a competitive advantage.

The Cyber Resilience Act (full compliance required by December 2027) mandates Security by Design and crypto-agility for all products with digital elements, including cloud-based software and services. Combined with the post-quantum cryptography migration, the CRA creates requirements that only providers with robust security architectures can meet.

GAIA-X: From Paper Tiger to Trust Framework

GAIA-X has evolved. The original vision of a “European AWS” never materialized. Instead, a functional certification system for trusted cloud services has emerged. At the 2025 Summit in Porto, the Trust Framework 3.0 “Danube” was released, enabling geographic and sectoral expansions.

The real progress: Five providers (Cloud Temple, Thesee DataCenter, OPIQUAD, OVHcloud, and Seeweb) have achieved the highest GAIA-X Label Level 3. CISPE has committed to providing up to 3,000 GAIA-X-labeled services by November 2025. The CISPE Sovereign Cloud Manifesto from July 2025 outlines five themes and 20 concrete measures for sovereign cloud infrastructure in Europe.

GAIA-X is not a competitor to hyperscalers, but a trust framework that gives European providers a verifiable trust label. In a world where 82 percent of German companies want European cloud alternatives, this is a tangible market advantage. The strategic connection: GAIA-X certification and C5 certification together form the strongest European cloud security package that a provider can demonstrate. For companies that fall under NIS2 and must simultaneously comply with the GDPR, this combination significantly reduces compliance efforts.

Criticism of GAIA-X remains valid: The original ambitions were not met, governance complexity has slowed progress, and relevance to individual CIOs is limited. However, as an infrastructure layer for data sovereignty in regulated sectors (health, finance, public administration), GAIA-X is increasingly establishing itself as the standard needed to meet European compliance requirements.

The Export Advantage: Why German Cloud Security is in Demand Internationally

The C5 certification demonstrates the mechanism: a standard that is strict enough to build trust and flexible enough to function internationally. SecNumCloud (France) is more stringent but excludes US hyperscalers structurally, limiting its reach. FedRAMP (USA) is only applicable to US government contracts. C5 strikes the middle ground: high requirements, international applicability, and technological neutrality.

For German companies like T-Systems, STACKIT, and SAP, this means their cloud infrastructure and security architecture are exportable internationally because they are based on a standard that hyperscalers also accept. The T-Systems model (hyperscaler technology under German data trusteeship) could become an export model for other countries that want cloud functionality without giving up data sovereignty.

The Made-for-Germany Initiative with a 735 billion Euro investment volume will direct a portion of these funds to cloud infrastructure. The regulatory cascade (NIS2, Data Act, CRA, EUCS) creates a market where compliance is not a cost factor but a selling point. Cloud Security Made in Germany will thus transition from a location-based advantage to an export product.

CISPE explicitly warned in October 2023 about US hyperscalers advertising with the term “cloud sovereignty” without meeting the structural prerequisites. True sovereignty, according to this position, can only be guaranteed by providers with a European headquarters. This is not an abstract debate but has tangible consequences: companies subject to the EU Data Act must ensure that their cloud providers do not bring extraterritorial data access risks. A CLOUD Act-exposed US provider cannot give this guarantee, even if they operate a data center in Frankfurt.

For the German economy, this results in a triple advantage. First, German cloud providers benefit from regulation-induced demand (NIS2 plus Data Act plus CRA create compliance needs that European providers can better meet). Second, the C5 framework is increasingly sought after as an export standard internationally because it builds trust without excluding technologies. Third, the combination of research expertise (Fraunhofer, BSI), operational cloud infrastructure (T-Systems, STACKIT, SAP), and regulatory rigor (GDPR, NIS2, Data Act) creates an ecosystem that no other European country can offer in this breadth. France has SecNumCloud but lacks a comparable mid-sized sector with cloud demand. The Netherlands has strong hosting infrastructure but no comparable security standard with the reach of C5. Germany has both and just needs to market them consistently.

Frequently Asked Questions

What is the BSI-C5 Certification?

The Cloud Computing Compliance Criteria Catalogue of the BSI defines minimum requirements for secure cloud services in 17 thematic areas with approximately 125 individual criteria. Type-2 certificates verify consistent performance over a defined period and have been mandatory for health data since July 2025.

How large is the Sovereign Cloud Market?

According to Gartner, global sovereign cloud IaaS spending will reach $80 billion in 2026. European spending will triple from $6.9 billion (2025) to $23.1 billion (2027). Europe will overtake North America for the first time in 2027.

Which German Cloud Providers Have C5 Certifications?

IONOS, PlusServer, q.beyond AG, and STACKIT (Schwarz Digits) are among the certified German providers. AWS, Microsoft Azure, and Google Cloud have also obtained C5 certifications to remain competitive in the European market.

What is the Difference Between C5, FedRAMP, and SecNumCloud?

C5 (BSI/Germany) is technology-neutral and exportable internationally. FedRAMP (USA) is only applicable to US government contracts. SecNumCloud (ANSSI/France) is the strictest but excludes US hyperscalers structurally. C5 positions itself in the middle: high requirements with broad applicability.

Is GAIA-X Still Alive?

Yes, but with a more realistic scope compared to its launch. GAIA-X is not a competitor to hyperscalers but rather a trust framework and certification system. The Trust Framework 3.0 “Danube” was released at the end of 2025. Five providers have achieved the highest label level 3. CISPE has committed to 3,000 labeled services.

Source Image: Pexels / Panumas Nikhomkhai (px:1148820)

Alec Chizhik


A magazine by Evernine Media GmbH