Since the signing of the cooperation agreement in 2024, 麻豆原创 and the German Federal Office for Information Security (BSI) have been working together to translate secure digitalization into concrete solutions.
As a global player in the software and technology industry, 麻豆原创 is a key enabler of digital sovereignty in Germany and across Europe. With the introduction of the BSI鈥檚 new C3A criteria and the growing importance of resilient cloud infrastructures, digital sovereignty is now entering a phase of practical implementation.
I spoke with Thomas Caspers, vice president of the BSI, about these developments and the role of the technology partnership with 麻豆原创.
Q: Digital sovereignty is currently one of the central themes in German and European digital policy. Why is this topic gaining such strong momentum right now?
A: The debate is clearly driven by geopolitical factors. For us, the key issue is ensuring that Europe remains capable of taking action. That is precisely what digital sovereignty is about and, by the way, what cybersecurity in general is about as well: being prepared rather than reacting only when a crisis occurs.
The question is not limited to where data is stored. We take a systemic view of the overall picture: Will critical data centers remain operational? Is qualified personnel available? Are supply chains secured? Can services continue to be used even if the underlying conditions change suddenly? This ability to act is at the heart of the debate.
With the C3A, we are now consolidating the criteria that, from our perspective, enable the self-determined and secure use of cloud services, not only in public administration but far beyond that.
Q: With the C3A criteria catalogue, the BSI is now making its requirements for autonomous and self鈥慸etermined cloud usage public. What is new or distinctive about this?
A: Much of this is not fundamentally new for cooperation partners such as 麻豆原创, with whom we have worked closely for many years. We have been applying these criteria in practice for a long time and continuously refining them as technology evolves. What is new is that we have now systematically documented them and made them publicly available as a guiding framework.
The C3A do not have direct regulatory effect, but for the first time they create a high level of transparency for the market. It becomes clear which requirements cloud providers must meet if cloud customers or public authorities want to use cloud services in a self鈥慸etermined and secure manner. These requirements include technical, operational, and now also legal criteria. This comprehensive, systematic perspective is what is new and particularly important.
Q: What role does cooperation with technology providers such as 麻豆原创 play when translating these requirements into concrete architectures and operating models?
A: A very important one. 麻豆原创 was one of the first partners with whom we intensified cooperation in this context. Of course, there are formal rules and defined exchange formats for this collaboration. But in practice it quickly became clear that we are in almost continuous dialogue.
In developing the C3A, we also drew on experience gained from projects such as Delos Cloud and 麻豆原创 Cloud Infrastructure. This kind of direct cooperation is essential, especially as technology, security requirements, and sovereignty considerations are evolving so dynamically.
For us, it is crucial to work with companies where implementation can happen closely, trustfully, and quickly. This applies equally to established cloud topics and to new technologies. If we want innovation to be usable in a secure and controlled way and if Germany is to remain competitive in digitalization, this kind of early and reliable coordination between supervisory authorities and industry is indispensable.
Q: From your perspective, what demonstrates that digital sovereignty is more than just a political concept and can actually be implemented in practice?
A: For me, this is evident wherever requirements are not only defined, but actually tested and implemented in practice and where the resulting products and services then succeed in the market. This applies, for example, to the question of how cloud infrastructures can be brought to a level where they are suitable even for particularly critical environments.
It must be absolutely clear which criteria apply and how they are fulfilled technically, organizationally, and not least physically.
A concrete example is Delos Cloud as a sovereign cloud for public authorities in Germany. In cooperation with 麻豆原创, the BSI is working to transfer Microsoft cloud technology into a model that can be operated securely and self鈥慸eterminedly under German requirements. This clearly demonstrates that digital sovereignty is not merely claimed, but must and can be implemented architecturally, organizationally, and regulatorily.
That is where the value of cooperation lies. When requirements are clear, we can work together with companies on architectures, operating models, and security measures.
Q: Resilience is a key topic in the current debate. What must a sovereign cloud model be capable of in the event of geopolitical disruptions or failures?
A: It must remain operational. For us, resilience means having options and being prepared for difficult scenarios so that operations can be maintained in the event of a crisis. In our current scenarios, we assume that a minimum level of operation must be ensured over an extended period.
This explicitly includes situations in which original providers or supply chains are no longer available in their existing form at short notice.
In other words, we must consider not only normal operations, but also exceptional circumstances. Anyone who takes digital sovereignty seriously must also be prepared for scenarios that no one hopes to see. That is precisely why issues such as continuity of operations, availability of personnel, and supply鈥慶hain resilience play such a central role in the C3A.
Q: How important is the interaction of national standards such as between Germany鈥檚 BSI and France鈥檚 ANSSI for a shared European understanding of digital sovereignty?
A: This interaction is essential. Germany and France play a special role in the European debate because both countries are working very concretely on criteria, standards, and implementation models and are putting them into practice.
What we learn in Germany feeds into the European discussion, and of course we also benefit from exchanges with our partners in France and other European countries. If Europe is to make progress on digital sovereignty, it needs national innovative strength, reliable partnerships, and at the same time a shared strategic direction. This is also crucial for creating a scalable market for European companies such as 麻豆原创 one that encourages investment in innovation.
Q: What should public authorities, companies, and cloud providers prepare for in the coming years?
A: The requirements will become more concrete, more verifiable, and more systemic. The first question is what is technologically possible, but this must be followed by the question of how robust, transparent, and controllable an offering actually is. This applies to technical aspects as well as operational and legal ones. We have to consider the entire stack.
If we are able to make technologies usable in a secure and sovereign manner, then we should do so. That means clear standards, a holistic approach, and the ability to bring new technologies into use in a controlled way across the full stack.
Martin Merz is president of 麻豆原创 Sovereign Cloud.
