Since the cooperation agreement of 2024, SAP and the BSI have been working together to translate secure digitalization into concrete solutions. As a global player in the software and technology industry, SAP is a crucial factor for the digital sovereignty of Germany and Europe.
With the new C3A criteria from the BSI (Federal Office for Information Security) and the growing importance of resilient cloud infrastructures, a phase of practical implementation of digital sovereignty is now beginning. We spoke to Thomas Caspers, Vice President of the BSI, about this development and the role of the technology partnership with SAP.
Digital sovereignty is currently one of the central topics in German and European digital policy. Why is the topic gaining so much importance now?
Thomas Caspers: The discussion is clearly geopolitically driven. For us, it is crucial that Europe remains able to act. This is exactly what digital sovereignty and cybersecurity in general are all about: being prepared instead of reacting in an emergency.
The question is not just where data is located. We look systemically at the overall picture: Will critical data centers remain operational? Is staff available? Are supply chains secured? Can services continue to be used even if conditions suddenly change? This ability to act is the core of the debate.
With the C3A, we are now bundling the criteria that, in our view, enable self-determined and secure use of cloud offerings, not only in public administration, but far beyond.
With the C3A criteria catalog, the BSI is now making its requirements for autonomous or self-determined cloud use public. What is new or special about it?
Much of this is not fundamentally new for cooperation partners like SAP, with whom we have been working closely for a long time. We have been using these criteria in practice for years and are constantly developing them further with technical progress. The new thing is that we have now systematically written them down and made them public as a guiding framework for action.
The C3A does not have a direct regulatory effect, but does create a high level of transparency for the market for the first time. It becomes clear which requirements cloud providers must meet if cloud customers or authorities want to use cloud offerings independently and securely. These include technical, operational and now also legal criteria. It is precisely this systematic all-round view that is new and important.
What role does collaboration with technology providers such as SAP play when such requirements are to be translated into concrete architectures and operating models?
A very important one. SAP was one of the first partners with whom we worked more closely in this context. Of course, there are formal rules and defined exchange formats for this collaboration. But in practice it quickly became clear that we are actually in constant communication. With the C3A, we also built on the experiences we had in the context of Delos Cloud and SAP Cloud Infrastructure. It is precisely this direct cooperation that is needed when technologies, security and sovereignty requirements continue to develop so dynamically.
It is crucial for us to work with companies with whom we can implement closely, trustingly and quickly. This applies to classic cloud topics as well as to new technologies. If we want innovation to be usable safely and in a controlled manner and for Germany to remain competitive in digitalization, this early and reliable coordination between supervision and industry is exactly what is needed.
In your opinion, what shows that digital sovereignty does not remain just a political concept but can be implemented in practice?
For me, this is always evident where requirements are not only described, but also tested and implemented in practice. And based on this implementation, products and services then successfully exist on the market. This applies, for example, to the question of how cloud infrastructures can be brought to a level at which they can also be used in particularly critical environments. It must be very clear which criteria apply and how they are met technically, organizationally and, last but not least, physically.
A concrete example of this is Delos Cloud as a sovereign cloud for authorities in Germany. In exchange with SAP, the BSI is working on converting Microsoft cloud technology into a model that can be operated securely and in a self-determined manner under German requirements. This is precisely what shows that digital sovereignty can and must be implemented architecturally, organizationally and in regulatory terms.
This is what makes collaboration so valuable. When requirements are clear, we can work with companies on architectures, operating models and security measures.
A central point in the current debate is resilience. What does a sovereign cloud model have to do if geopolitical upheavals or failures occur?
It must remain operational. For us, resilience means having options and being prepared for difficult scenarios in order to be able to maintain operations in an emergency. In our current scenarios, we assume that minimal operation must be ensured over a longer period of time. We also explicitly consider situations in which original providers or supply chains are no longer available in their current form in the short term.
This means: We not only have to consider normal operations, but also exceptional cases. Anyone who is serious about digital sovereignty must also be prepared for scenarios that no one wants. This is precisely why issues such as business continuity, staff availability and supply chain resilience play such a large role in the C3A.
How important is the interaction of national standards, for example between the BSI in Germany and ANSSI in France, for a common European understanding of digital sovereignty?
This interaction is essential. Germany and France play a special role in the European discussion because both countries are working very specifically on criteria, standards and implementation models, and are also putting them into use.
We bring what we learn in Germany into the European debate. And conversely, we also benefit from the exchange with our partners in France and other European countries. If Europe wants to make progress in digital sovereignty, it needs national innovative strength, reliable partners and, at the same time, a common direction. This is also fundamental to creating a scalable market for European companies like SAP that promotes investment in innovation.
What should authorities, companies and cloud providers prepare for in the coming years?
The requirements are becoming more concrete, verifiable and systemic. First comes the question of what is technologically possible, but then the question must follow how resilient, transparent and controllable an offer actually is. This applies to technical aspects as well as operational and legal ones. We have to look at the entire stack.
If we can make technologies usable safely and confidently, then we should do that. This means: clear standards, a holistic approach and the ability to bring new technologies into application along the full stack in a controlled manner.
About the interviewee: Thomas Caspers is Vice President of the Federal Office for Information Security (BSI).



