Criticism of BSI framework: apparent sovereignty for European cloud?

According to the EU cloud association CISPE, the BSI's new C3A criteria catalog does not protect against US laws but cements dependence on tech giants.


(Image: Ole.CNX / Shutterstock.com)


The debate about digital sovereignty in Europe has long since reached cloud computing. The Federal Office for Information Security (BSI) is currently at the center of criticism with its recently published C3A (Cloud Computing Autonomy) criteria catalog. The European cloud association CISPE and several providers from the old continent are raising serious accusations against it: the Bonn-based authority promises independence, but ultimately legitimizes the continued use of US hyperscalers as subcontractors. It thus opens the door wide to extraterritorial risks and structural vendor lock-ins.

The CISPE analysis, available to heise online, identifies major loopholes in the C3A catalog. The framework stipulates that the primary cloud provider must be under European control. However, the BSI drastically softens this line for the far more important subcontractors: they are only required to have a registered principal place of business in Germany or the EU.

Actual ownership control by European companies is not required. Within the framework of C3A, European providers can therefore easily rely on US infrastructure giants that are fully subject to access by foreign authorities and laws such as the US Cloud Act. This means they may have to disclose data to authorities in the USA.

This extraterritorial openness is not prevented by the regulations but formalized. The catalog merely requires providers to conduct an annual risk analysis of such foreign access. Critics dismiss this as a bureaucratic paper tiger: there is no obligation to technically minimize or organizationally exclude the identified risks. Furthermore, since the analysis is limited to customer-generated information, other critical data pools such as metadata, telemetry, or account information remain completely unprotected.

At the same time, the BSI is creating hurdles that seem insurmountable for the broad European SME sector. For example, the catalog requires providers within the EU to maintain a daily copy of the source code and to operate their own build environments so that they can independently patch software in an emergency. While this sounds like maximum resilience, according to CISPE it ignores economic reality: no European medium-sized company has the negotiating power or resources to force global software corporations to grant access to proprietary source code, or to independently develop complex third-party software.

Thus, the framework achieves the opposite of its goal: in practice it excludes innovative European SMEs and favors those constructs that rely on the technology of US hyperscalers anyway. The authors of the position paper cite the German cloud model Delos from SAP and Microsoft as a prominent example. Such large projects could meet the extreme requirements for source code storage. However, they thereby cement precisely the technological dependence that Europe actually wants to overcome.


The problem is exacerbated by the lack of any interoperability or portability requirements that would offer protection against unfair conditions when switching providers or against sudden terminations. The association criticizes that the BSI focuses almost exclusively on the provider itself remaining operational in a crisis. The customer's freedom to flexibly migrate their data or to detach themselves from proprietary systems plays no role in the catalog.

In view of the Cloud & AI Development Act (CADA) planned by the EU Commission as part of the package for technological sovereignty, the BSI framework threatens to set a dangerous precedent. The European tech scene faces a fundamental decision about which definition of digital sovereignty will apply in the future: genuine operational and technological independence, or a bureaucratically controlled but continuous interdependence with global tech monopolies.

In contrast, Luise Kranich, head of the Technology Strategy department at the BSI, recently emphasized that sovereignty is not to be equated with isolation: complete self-sufficiency and maximum influence on providers is not only impossible, but also not desired. The office is therefore focusing on making dependencies controllable with C3A. Kranich defended the fact that the draft was submitted to US corporations for review in advance as a strategic stress test: “If they say: 'You can do that,' then we are not strict enough.” The hyperscalers must recognize that more is required “than a small project in a German data center.”

(nen)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.