Germany's Sovereign Cloud Has a Google Problem
Germany just made cloud sovereignty measurable. Whether that measurement means anything is a different question.
In April 2026, the Federal Office for Information Security published what it calls the Criteria Enabling Cloud Computing Autonomy — a framework that defines, for the first time, what German agencies and critical-infrastructure companies can actually require of a cloud provider. BSI Germany Operational independence. Jurisdictional control over data access. Workforce nationality requirements. These are not aspirations anymore; they are a checklist. HostingJournalist
Thales and Google Cloud announced on May 20 that they are building a German sovereign cloud to that checklist. The new entity will be owned by Thales, staffed by German personnel, and legally independent from Google. It enters preview now and is targeted for general availability by the end of 2026. Thales press release
It is the first sovereign cloud product in Europe explicitly designed to meet the new C3A framework. That is the headline.
The question underneath is whether the C3A framework, or any framework built on top of American cloud infrastructure, can actually deliver what it promises.
The France test
Thales and Google have done this before. In France, their joint venture, branded PREMI3NS, achieved SecNumCloud 3.2 qualification from ANSSI at the end of 2025. SecNumCloud is the French government's gold-standard certification for trusted cloud services. To earn it, the PREMI3NS offering cleared 276 requirements across 15 security domains. Futurum Group
Here is the part the press releases do not dwell on: that certification was achieved by embedding Google Cloud's underlying infrastructure inside a Thales-controlled operating entity. ANSSI certified the wrapper, not the pipe. Google still runs the hardware. Thales owns the relationship, the contracts, and on paper, the operational independence. Google Cloud blog
This is the structural question that matters for Germany too. When a German hospital or a federal ministry moves data onto the new Thales-Google sovereign cloud, who controls what happens to that data if a US court issues a valid legal demand under the CLOUD Act? The C3A framework specifies operational independence and jurisdictional control as criteria. But those criteria were written knowing that the infrastructure underneath is American, and knowing that the CLOUD Act does not care about contractual wrappers.
Thales and Google did not answer that question in their public announcement. The joint venture's incorporation documents and governance agreements, filed with the German commercial registry, would. Those documents have not been made public.
What changed in April
The C3A framework matters because it converts a political argument into a technical one. Before April, sovereign cloud in Germany meant different things to different vendors. SAP and Microsoft's DelosCloud took one approach. Schwarz Group's Stackit took another. T-Systems and Google collaborated on a third. None of them could point to a common standard and say: we meet it. HostingJournalist
C3A changes that. It creates a baseline. Regulated buyers, government agencies, energy grids, healthcare networks, now have a document they can wave at vendors and say: prove you meet this.
Thales-Google is positioned to be first through that door. Deutsche Telekom and SAP won the broader federal BMDS cloud tender. RCR Wireless But the sovereign cloud layer above that, for the highest-sensitivity workloads, is still open territory. C3A is the fence that will decide who gets in.
The competitive pressure on AWS and Microsoft is real. Both operate European sovereign clouds. Neither has announced a plan to certify against C3A. If their structures cannot satisfy the framework's criteria for operational independence and jurisdictional control, they are excluded from whatever government and critical-infrastructure contracts require it, a large and growing segment of the regulated cloud market in Europe.
The adoption question
France qualified PREMI3NS at the end of 2025. It took years to get there. Customer adoption has been cautious. Thales itself is the first SAP customer on the platform. OpenText signed on. The French sovereign cloud market is real but has not scaled quickly.
Germany's federal procurement process is slower and more politically complicated than France's. The new Thales-Google entity does not enter general availability until the end of 2026. Even then, winning government contracts requires navigating procurement rules, security reviews, and agency-by-agency migration decisions that can take years post-certification.
The press release announcing the partnership described it as an industry-first: a pan-European, geo-redundant, sovereign cloud offering. Thales press release That framing is accurate in a narrow technical sense. Whether European government agencies actually buy that capability, at the prices required, is the question the announcement does not answer.
What we do not know
The C3A framework is a transparency instrument, not a binding certification requirement. It establishes what sovereignty should look like; it does not automatically exclude vendors that do not meet it. BSI Germany
We do not know whether the German joint venture governance agreements give Thales genuine operational control over encryption keys, data access decisions, and breach notification, the three points where CLOUD Act exposure is highest. Those are the documents that would answer the sovereignty question definitively.
We do not know whether AWS or Microsoft will seek C3A certification, or whether they believe their existing sovereign structures already satisfy the framework's criteria. Both companies declined to comment for this article.
We do not know how quickly German agencies will move sensitive workloads to any sovereign cloud, given the federal procurement timeline.
What we know is this: Germany published a standard. Thales and Google are first to claim they meet it. The answer to whether that claim holds lives in documents that have not been shared.
Thales and Google Cloud declined to comment beyond their published announcement. AWS and Microsoft did not respond to requests for comment.