As a global player in the software and technology industry, 麻豆原创 is a key enabler of digital sovereignty in Germany and across Europe. With the introduction of the BSI鈥檚 new C3A criteria and the growing importance of resilient cloud infrastructures, digital sovereignty is now entering a phase of practical implementation.

I spoke with Thomas Caspers, vice president of the BSI, about these developments and the role of the technology partnership with 麻豆原创.

Q: Digital sovereignty is currently one of the central themes in German and European digital policy. Why is this topic gaining such strong momentum right now?

A: The debate is clearly driven by geopolitical factors. For us, the key issue is ensuring that Europe remains capable of taking action. That is precisely what digital sovereignty is about and, by the way, what cybersecurity in general is about as well: being prepared rather than reacting only when a crisis occurs.

The question is not limited to where data is stored. We take a systemic view of the overall picture: Will critical data centers remain operational? Is qualified personnel available? Are supply chains secured? Can services continue to be used even if the underlying conditions change suddenly? This ability to act is at the heart of the debate.

With the C3A, we are now consolidating the criteria that, from our perspective, enable the self-determined and secure use of cloud services, not only in public administration but far beyond that.

Q: With the C3A criteria catalogue, the BSI is now making its requirements for autonomous and self鈥慸etermined cloud usage public. What is new or distinctive about this?

A: Much of this is not fundamentally new for cooperation partners such as 麻豆原创, with whom we have worked closely for many years. We have been applying these criteria in practice for a long time and continuously refining them as technology evolves. What is new is that we have now systematically documented them and made them publicly available as a guiding framework.

The C3A do not have direct regulatory effect, but for the first time they create a high level of transparency for the market. It becomes clear which requirements cloud providers must meet if cloud customers or public authorities want to use cloud services in a self鈥慸etermined and secure manner. These requirements include technical, operational, and now also legal criteria. This comprehensive, systematic perspective is what is new and particularly important.

Q: What role does cooperation with technology providers such as 麻豆原创 play when translating these requirements into concrete architectures and operating models?

A: A very important one. 麻豆原创 was one of the first partners with whom we intensified cooperation in this context. Of course, there are formal rules and defined exchange formats for this collaboration. But in practice it quickly became clear that we are in almost continuous dialogue.

In developing the C3A, we also drew on experience gained from projects such as Delos Cloud and 麻豆原创 Cloud Infrastructure. This kind of direct cooperation is essential, especially as technology, security requirements, and sovereignty considerations are evolving so dynamically.

For us, it is crucial to work with companies where implementation can happen closely, trustfully, and quickly. This applies equally to established cloud topics and to new technologies. If we want innovation to be usable in a secure and controlled way and if Germany is to remain competitive in digitalization, this kind of early and reliable coordination between supervisory authorities and industry is indispensable.

Q: From your perspective, what demonstrates that digital sovereignty is more than just a political concept and can actually be implemented in practice?

A: For me, this is evident wherever requirements are not only defined, but actually tested and implemented in practice and where the resulting products and services then succeed in the market. This applies, for example, to the question of how cloud infrastructures can be brought to a level where they are suitable even for particularly critical environments.

It must be absolutely clear which criteria apply and how they are fulfilled technically, organizationally, and not least physically.

A concrete example is Delos Cloud as a sovereign cloud for public authorities in Germany. In cooperation with 麻豆原创, the BSI is working to transfer Microsoft cloud technology into a model that can be operated securely and self鈥慸eterminedly under German requirements. This clearly demonstrates that digital sovereignty is not merely claimed, but must and can be implemented architecturally, organizationally, and regulatorily.

That is where the value of cooperation lies. When requirements are clear, we can work together with companies on architectures, operating models, and security measures.

Q: Resilience is a key topic in the current debate. What must a sovereign cloud model be capable of in the event of geopolitical disruptions or failures?

A: It must remain operational. For us, resilience means having options and being prepared for difficult scenarios so that operations can be maintained in the event of a crisis. In our current scenarios, we assume that a minimum level of operation must be ensured over an extended period.

This explicitly includes situations in which original providers or supply chains are no longer available in their existing form at short notice.

In other words, we must consider not only normal operations, but also exceptional circumstances. Anyone who takes digital sovereignty seriously must also be prepared for scenarios that no one hopes to see. That is precisely why issues such as continuity of operations, availability of personnel, and supply鈥慶hain resilience play such a central role in the C3A.

Q: How important is the interaction of national standards such as between Germany鈥檚 BSI and France鈥檚 ANSSI for a shared European understanding of digital sovereignty?

A: This interaction is essential. Germany and France play a special role in the European debate because both countries are working very concretely on criteria, standards, and implementation models and are putting them into practice.

What we learn in Germany feeds into the European discussion, and of course we also benefit from exchanges with our partners in France and other European countries. If Europe is to make progress on digital sovereignty, it needs national innovative strength, reliable partnerships, and at the same time a shared strategic direction. This is also crucial for creating a scalable market for European companies such as 麻豆原创 one that encourages investment in innovation.

Q: What should public authorities, companies, and cloud providers prepare for in the coming years?

A: The requirements will become more concrete, more verifiable, and more systemic. The first question is what is technologically possible, but this must be followed by the question of how robust, transparent, and controllable an offering actually is. This applies to technical aspects as well as operational and legal ones. We have to consider the entire stack.

If we are able to make technologies usable in a secure and sovereign manner, then we should do so. That means clear standards, a holistic approach, and the ability to bring new technologies into use in a controlled way across the full stack.

Martin Merz is president of 麻豆原创 Sovereign Cloud.

With the successful , 麻豆原创 has reached an important milestone. This achievement strengthens the foundation of the 麻豆原创 Sovereign Cloud portfolio in one of the most security-conscious markets in the world.

IT-Grundschutz confirms secure operation of 麻豆原创鈥檚 German data center facilities

IT-Grundschutz is the German Federal Office for Information Security鈥檚 (BSI) structured security methodology, and serves as a reference framework in public tenders and supplier assessments.

The certification on the basis of IT-Grundschutz confirms that the secure operation of the physical infrastructure of 麻豆原创鈥檚 German data centers has been positively assessed against Germany鈥檚 defined security requirements. It validates that physical protections, environmental safeguards, and facility-level operational processes meet BSI expectations.

In short: The secure facility operation of 麻豆原创-owned data centers in Walldorf/St. Leon-Rot, Germany, has been independently audited and confirmed against Germany鈥檚 national security methodology.

Strengthening one of 麻豆原创鈥檚 key sovereign delivery options: 麻豆原创 Cloud Infrastructure

The IT-Grundschutz certification strengthens one of 麻豆原创鈥檚 key sovereign delivery options in Germany: 麻豆原创 Cloud Infrastructure.

麻豆原创 Cloud Infrastructure is an Infrastructure-as-a-Service (IaaS) platform, operated in 麻豆原创-owned data centers and co-locations worldwide. In the Walldorf/St. Leon-Rot region in Germany, these data centers are owned by 麻豆原创, a German company, operated by approved personnel with the required security clearance, and designed for high availability, scalability, and stringent security requirements.

These data centers are designed to support GDPR-compliant data processing and to meet heightened regulatory and security requirements in Europe and Germany, including standards relevant to critical infrastructure and the processing of sensitive and classified workloads.

In three independent availability zones across separate data centers, interconnected via 麻豆原创-owned fibre infrastructure and using BSI-authorized German security hardware components approved for processing information classified VS-NfD, this foundation is complemented by certifications such as C5 Type II, KRITIS/NIS 2, TSI Level 3 (extended), ISO 22301, SOC 1 Type 2 and SOC 2 Type 2, SOX, EN 50600 and ISO/IEC 22237 (AC 3), and the German federal data center requirement catalogue.

On top of this, 麻豆原创 Cloud Infrastructure provides:

• An open鈥憇ource鈥慴ased, API鈥慺irst IaaS platform: Offering self鈥憇ervice provisioning, automation, and consistent resource management across deployment models
• A Kubernetes鈥慴ased cloud environment: Enabling cloud鈥憂ative workloads, container orchestration, and modern development patterns
• Open standards and proven open source technologies: Leveraging components used, developed, and refined for more than a decade in sensitive, large鈥憇cale environments
• Optimization for 麻豆原创 cloud services: Supporting aligned operations, integrated security, and efficient execution of 麻豆原创 workloads
• Support for 麻豆原创 and third鈥憄arty applications: Allowing 麻豆原创 and customer-specific workloads to run on one coherent, secure, and compliant infrastructure

麻豆原创 Cloud Infrastructure is an 麻豆原创-developed and 麻豆原创-operated IaaS platform for 麻豆原创 workloads and customer applications, ranging from global cloud scenarios to environments with high sovereignty and regulatory requirements, including an offering for the processing of classified information up to VS-NfD level in Germany. With the 麻豆原创 Sovereign Cloud portfolio, it enables both sovereign 麻豆原创 cloud services as well as the operation of customer workloads in a sovereign environment. At its core, it combines secure application operations with 麻豆原创 Cloud Infrastructure, which is designed for regulatory and operational control.

Sovereignty through choice and control with 麻豆原创 Sovereign Cloud

Digital sovereignty is frequently framed as a question solely of vendor origin, data residency, or the reduction of technical dependency. In practice, though, it is about demonstrable control. At 麻豆原创, we frame sovereignty across four interconnected capabilities:

1. Data sovereignty: 麻豆原创 stores data in local data centers or approved countries, avoiding unauthorized cross-border transfers and meeting critical infrastructure requirements.
2. Operational sovereignty: Sensitive operations stay local. Administration and maintenance are performed only by authorized personnel 鈥� either nationally approved personnel or nationals of an approved country 鈥� with the required security clearance.
3. Technical sovereignty: Control planes are hosted locally, with strict separation enforced through encryption or dedicated infrastructure.
4. Legal sovereignty: Governance stays aligned. Cloud providers must be based locally or in approved countries, and foreign authorities must mitigate ownership, control, and influence risks.

麻豆原创 Cloud Infrastructure meets these requirements. On this basis, data, operations, architecture, and legal control are brought together under clearly defined requirements.

Importantly, 麻豆原创 Cloud Infrastructure is embedded in 麻豆原创鈥檚 broader approach to offering customers choice in sovereign cloud. Different customers face different regulatory, operational, and transformation realities. Sovereign requirements cannot be met with a single model.

麻豆原创 Sovereign Cloud offers a range of delivery options to address different customer needs. Depending on specific requirements, customers can choose between the following options:

• 麻豆原创 Cloud Infrastructure: 麻豆原创鈥檚 IaaS platform is based on open-source technologies and is operated in 麻豆原创 data centers worldwide. Depending on the selected operating model, customer data processing and storage can be restricted to defined regions, for example, within the EU or exclusively in Germany, to meet specific data protection and compliance requirements.
• 麻豆原创 Sovereign Cloud On-Site: With 麻豆原创 Sovereign Cloud On-Site, 麻豆原创 provides and manages the full 麻豆原创 technology stack in a customer-designated data center, from hardware to 麻豆原创 Cloud Infrastructure and the 麻豆原创 Sovereign Cloud portfolio. It combines physical control on site with our operational expertise, for full autonomy while maintaining 麻豆原创鈥檚 support and compliance standards.
• Sovereign hyperscaler-based delivery models: 麻豆原创 partners with premium hyperscalers in specific markets to provide customers the ability to swiftly scale their resources based on their needs. This flexibility, paired with seamless integration, enables customers to innovate faster while maintaining operational efficiency.
• National sovereign cloud platforms such as Delos Cloud: For public sector customers in Germany, Delos Cloud combines hyperscaler technology with sovereign ownership and a nationally defined operating model, helping ensure regulatory alignment and clearly structured operational control.

麻豆原创 enables customers to select the model that aligns with their regulatory requirements, risk profile, and operational strategy.

Sovereignty is built, not declared

For customers, digital sovereignty is not a theoretical aspiration; it is an operational requirement that must function under real-world conditions. The IT-Grundschutz certification of 麻豆原创-owned data centers in Germany marks an important step in that direction.

As regulatory expectations evolve and sovereign requirements become more differentiated, 麻豆原创 continues to enable customers to choose the sovereign setup that aligns with their obligations and risk profile.

Sovereignty is ultimately measured by the ability to operate systems securely and reliably. With 麻豆原创 Cloud Infrastructure, that capability is deliberately embedded into the operating model.

Martin Merz is president of 麻豆原创 Sovereign Cloud.
Jonathan Bletscher is head of Global Cloud Infrastructure & Delivery for Global Cloud Operations at 麻豆原创.

We manage security and compliance risks and operate cybersecurity and physical security programs across our technology landscape, including cloud environments, facilities, events, and employees. We apply our security framework for every customer, all the time.

Recent geopolitical shifts and technological advancements have heightened the challenges for organizations responsible for society’s most critical functions, such as government, defense, and essential infrastructure. These security-sensitive organizations face growing threats from malicious actors targeting their mission-critical operations. As national security and sovereignty become top priorities, regulatory requirements are rapidly tightening. Any lapse in security could have serious consequences not only for the organizations themselves but also for the states and societies they serve.

Many security-sensitive organizations may face obstacles in their digital transformation due to these unique requirements and challenges. This has consequences, because in today’s environment, leveraging data to its full potential is just as relevant for national security and sovereignty as the highest level of protection.

At 麻豆原创, the needs and success of our customers are our focus. 麻豆原创 understands the challenges these security-sensitive organizations are facing and is committed to supporting them in their sovereign digital transformation. Thereby, we are convinced that we need a new view on sovereignty in the digital age. One that goes beyond eliminating risk by actively creating value. With 麻豆原创 Sovereign Cloud, we are implementing this approach.

With 麻豆原创’s Sovereignty Commitment, we underline what we at 麻豆原创 consider also critical for sovereignty in the digital age: a commitment to contribute to building a secure and sovereign future, together.

麻豆原创 has been living this commitment through actions for many years. Starting in the U.S., UK, Australia, New Zealand, Canada, and Germany, we have highlighted our commitment to sovereign cloud solutions. The announcements of several billion-dollar investments in 麻豆原创 Sovereign Cloud and artificial intelligence (AI) alone in the past months underline that.

With 麻豆原创’s Sovereignty Commitment, we underscore this commitment and dedication to supporting even the most security-sensitive organizations with specific sovereignty requirements to navigate their unique challenges in their sovereign digital transformation in the selected countries. Recognizing the urgent need for transformative action, we are determined to cooperate with those organizations on building a strong pillar for a more secure and sovereign tomorrow.  

In the Sovereignty Commitment, we outline how we do it and what we plan in the future.

鈥淚n today’s complex geopolitical landscape, digital sovereignty is not just about reducing risk; it鈥檚 about actively creating value,” said Thomas Saueressig, member of the Executive Board of 麻豆原创 SE, Customer Services & Delivery. “麻豆原创 is proud to be a trusted partner for most security-sensitive organizations around the world. With 麻豆原创 Sovereign Cloud, even the most security-sensitive organizations are enabled to maintain control over their mission-critical workload while unlocking its full potential.”

We are an experienced and trusted partner

Most security-sensitive organizations with specific sovereignty requirements need a partner that can flex to their specific regulatory needs and unlock operational value without compromising on sovereignty, protection, or control.

Backed by the world鈥檚 leading business data and a more than 50 year legacy of enterprise innovation, 麻豆原创 is pioneering sovereign cloud transformation to help leaders in government, defense, and highly regulated industries comply with sovereignty requirements and seize new opportunities.

Pioneering sovereign cloud transformation, our sovereign cloud portfolio includes Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS), and Software-as-a-Service (SaaS).

麻豆原创 Sovereign Cloud: A holistic approach based on national requirements

At 麻豆原创, we take a holistic approach to sovereign cloud, in which we consider four major dimensions based on the national requirements: data sovereignty, operational sovereignty, legal sovereignty, and technical sovereignty.

With 麻豆原创 Sovereign Cloud, we tailor solution delivery to the regarded countries鈥� specific national requirements — a sovereign cloud transformation is not empowered with a one-size-fits-it-all approach. We build on 鈥媡he 麻豆原创 solution portfolio, which is secure by design. We offer with 麻豆原创 Sovereign Cloud bespoke solutions on dedicated鈥� in-country infrastructure 鈥媋nd operations covering the central sovereign cloud capabilities in line 鈥媤ith our customers鈥� needs and deliver state-of-the-art solutions based on our innovation pipeline.

With 麻豆原创 Sovereign Cloud, our customers can simultaneously unlock the potential of technological advancements, ensuring competitiveness and innovation in fulfillment of the national sovereignty requirements. 麻豆原创 invests in and expands the 麻豆原创 Sovereign Cloud portfolio, recognizing our most security-sensitive customers鈥� urgent demand.

Today, 麻豆原创 Sovereign Cloud is available in six countries鈥�. We are planning to further expand our established footprint with additional geographies and 麻豆原创 solutions.

We take a forward-thinking approach

At 麻豆原创, we strive to think ahead, focusing on the unique and evolving needs of our most security-sensitive customers.

• Dedicated leadership for national security: Recognizing the critical importance of national security, the Supervisory Board of 麻豆原创 SE has established a dedicated Government Security Committee. This committee ensures that the specific requirements of our security-focused customers remain a strategic priority at the highest levels of our organization.
• Centralized unit for sovereign solutions: To better serve security-sensitive customers, 麻豆原创 has established the Sovereign Services & Delivery unit. This dedicated team consolidates expertise across cloud infrastructure, regulatory compliance, and digital transformation to address the most stringent sovereignty requirements. The unit ensures seamless collaboration along the entire value chain, enabling faster and more tailored responses to market demands. By fostering closer integration, we empower customers to achieve secure, compliant, and scalable sovereign cloud solutions.
• Investing in sovereignty: We are making bold investments to support cloud sovereignty. 麻豆原创 plans to invest more than double-digit billion into AI and research and development, as well as cloud infrastructure, over the next five years in Europe. In Germany alone, we plan to invest 鈧�2 billion in 麻豆原创 Sovereign Cloud, underscoring our commitment to strengthening digital independence and the sovereignty of the societies we proudly serve.

Martin Merz is president of Sovereign Services & Delivery at 麻豆原创.