Analysis

C3A: what Germany's cloud sovereignty doctrine means for Guadeloupe

Germany’s BSI published C3A — 90 days of disconnected cloud autonomy. Why this framework should matter to decision-makers in Guadeloupe and the Caribbean.

In late April 2026, Germany’s BSI published a technical document quietly titled Criteria enabling Cloud Computing Autonomy — C3A for short. No press fanfare, just a PDF available for free download. But read what it contains, and it is the clearest grammar of digital sovereignty ever written in Europe: 90 days of disconnected cloud autonomy, source code backups every 24 hours, local engineers capable of compiling and delivering emergency patches without depending on anyone. Here in Guadeloupe, this document deserves to be read twice.

What C3A actually says  

The BSI is Germany’s federal cybersecurity agency — the German equivalent of France’s ANSSI, responsible for the digital security of a country of 84 million people. Not a think tank, not an advocacy group. When it publishes, people read.

  Tip

C3A asks a simple question: does your cloud service keep running if its connection to an extra-European provider is cut? If the answer is no, it is not a sovereign cloud — whatever label it carries.

A few criteria give a sense of the ambition:

  • 90 days of disconnected operation (criterion SOV-4-10) — a service claiming sovereignty must be able to run for three months with no connection to extra-European infrastructure.
  • Source code backup every 24 hours, minimum five versions, in a portable format usable by authorities.
  • Local engineers capable of compiling and delivering an emergency patch without third-party dependency. No remote support, no waiting.
  • Documented and tested offline mode — not just theoretical.
  • Defence-state clause allowing the government to take direct physical control of the infrastructure if necessary.

What changes with C3A is not the vocabulary — Europeans have been talking about digital sovereignty for a decade. It is the shift from discourse to evaluation grid, and the fact that these criteria are entering German public procurement tenders. Sovereignty stops being a political slogan and becomes a contractual clause.

“Why does this concern us here — we’re not Berlin”  

That is the objection I hear most often when I raise digital resilience with decision-makers in Guadeloupe. And it is precisely backwards: we are more exposed than Berlin, not less.

Our digital dependency is a cascading one: Guadeloupe → France → Europe → Big Tech → United States. Each link is a potential breaking point. Emails, payments, cloud platforms, marketing tools, websites and sometimes backups all depend on technical ecosystems designed, hosted and operated thousands of kilometres away.

And unlike a German public procurement officer, I observe here a second layer of risk that mainland providers rarely factor in: hurricanes, earthquakes, coastal flooding, extended power outages, island logistics fragility. A digital breakdown in Guadeloupe never arrives alone. It compounds a network cut, a blocked road, a team that cannot get moving. That superposition of risks makes the question structurally different from the one facing a mainland European SME. Berlin has to prepare for geopolitical rupture. Here, you also have to prepare for the hurricane that arrives during the outage.

The trap of “i bon kon-sa”  

And yet, in most of the significant digital projects I see moving through here — public authorities, local government bodies, large private clients — resilience is treated as a “when we get around to it” item, not as a structural criterion. The conversation covers performance, design, features, user experience. Rarely business continuity.

That is the trap of “i bon kon-sa” (Guadeloupean Creole — “it’s working fine, no worries”). As long as everything runs, the subject feels distant. The payment terminal processes, Gmail responds, the cloud is reachable. Until the day it no longer is. And that day, the real question becomes: do we have an alternative?

  Note

Two patterns I see repeating across Guadeloupe. On one side, organisations that believe they have backups — a local hard drive no one has checked in months, a cloud account whose password no one can remember, a restoration procedure no one has ever tested. When the incident arrives — a ransomware attack, a break-in, flooding like the kind that hit Petit-Pérou in Les Abymes — the discovery is brutal: everything, or nearly everything, is gone. Instead of a few hours to rebuild, weeks of revenue evaporate.

On the other side, organisations that took the subject seriously beforehand. Tested backups, written procedures, documented access credentials, an identified provider. When the incident arrives — and it does — they are back up within a day or the next morning. The difference was not made during the crisis. It was made six months earlier.

A backup you have never verified you can actually restore is not a backup — it is an illusion.
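
The check behind that sentence, as an added example that is not part of the original article or of the BSI document: it reads every file back out of each archive, and only then applies the 24-hour and five-version figures quoted above from C3A. The directory layout, archive names and function names are assumptions, and the six archives are constructed sample data.

```python
import io, os, tarfile, tempfile, time, zlib

# Assumed thresholds: the 24-hour interval and five versions the article quotes from C3A.
MAX_AGE_HOURS, MIN_VERSIONS = 24, 5

def restore_test(path):
    """Read every file back out of the archive; True only if all bytes are recoverable."""
    try:
        with tarfile.open(path, "r:gz") as tar:
            for member in tar:
                if member.isfile():
                    tar.extractfile(member).read()
        return True
    except (tarfile.TarError, EOFError, OSError, zlib.error):
        return False

def audit_backups(directory, now):
    """Judge a backup set by what can be restored, not by what the listing shows."""
    good, unreadable = [], []
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        (good if restore_test(path) else unreadable).append(path)
    newest = max((os.path.getmtime(p) for p in good), default=None)
    age_h = None if newest is None else round((now - newest) / 3600, 1)
    return {
        "restorable": len(good),
        "unreadable": [os.path.basename(p) for p in unreadable],
        "newest_restorable_age_h": age_h,
        "fresh": age_h is not None and age_h <= MAX_AGE_HOURS,
        "enough_versions": len(good) >= MIN_VERSIONS,
    }

def build_constructed_set(directory, now):
    """Constructed sample data: six daily archives, the newest cut short mid-transfer."""
    for i in range(6):
        path = os.path.join(directory, f"site-{i}.tar.gz")
        with tarfile.open(path, "w:gz") as tar:
            info = tarfile.TarInfo("site/index.html")
            info.size = 8192
            tar.addfile(info, io.BytesIO(os.urandom(8192)))
        if i == 0:  # simulate an interrupted upload of the most recent backup
            os.truncate(path, os.path.getsize(path) // 2)
        stamp = now - (2 + 24 * i) * 3600  # 2 h, 26 h, 50 h ... old
        os.utime(path, (stamp, stamp))

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        build_constructed_set(d, time.time())
        print(audit_backups(d, time.time()))
```

On the constructed set, a directory listing shows six archives with the newest two hours old, while the audit reports five restorable versions and a newest usable backup that is 26 hours old.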

Four questions to ask in the next procurement process  

  Tip

The most effective way to introduce resilience into a Guadeloupean organisation is not a policy memo — it is a clause in the next tender document.

No small business in Guadeloupe needs 90 days of disconnected cloud autonomy — the scale is not the same as the BSI’s. But the logic is transferable. Here are four questions any decision-maker should be able to ask a provider before signing:

  1. Does a documented and tested degraded mode exist? Not on paper — actually tried. If the answer is “we’ve never tested it”, that is equivalent to not having one.
  2. Are backups genuinely recoverable, offline, by our own team? The question is not “do you make backups” — it is “how long does it take us to restart if everything is lost”.
  3. Is the provider reachable on a Saturday morning when a hurricane is approaching? Or is support sitting in Paris, Bangalore or Manila, with a 48-hour response time and a time zone that does not cooperate?
  4. Is the dependency map current? Do we know who we depend on for each link — hosting, DNS, email, payments, backups — and what happens if one of them disappears?

These are not IT department questions. They are business continuity questions. A local authority, an association, a medical practice, a cooperative: everyone should be able to answer them. For a deeper analysis, I’ve laid out the full framework in this dedicated article.

What about us — local providers?  

This resilience requirement is not only addressed to decision-makers. It is addressed to us, agencies and local service providers in Guadeloupe as well. I have seen too often — in others’ work and sometimes in my own — digital projects delivered without ever seriously asking what happens when the infrastructure behind them stops responding.

Being a competent local provider in 2026 no longer means simply knowing how to build a clean website and put it online. It also means knowing how to document a restoration procedure, test backups, design a degraded mode, and choose a hosting provider you can recover from if that provider disappears. The value of a provider is not measured only when things go well — it is measured above all when things go wrong.

Resilience is not built on the day of the hurricane  

The German C3A is not a template to copy-paste. It is a compass. It says that we can — and should — place digital continuity at the same level as fire safety, hurricane evacuation procedures or financial compliance: a serious subject, treated seriously, built into projects from the start.

For a Guadeloupean organisation, that begins with a clear picture of the current situation. Not a corporate cybersecurity audit applied to a reality it does not understand — a field-based exercise that starts from our territory, our risks, our actual dependencies. That is what I call a digital resilience audit: dependency mapping, domain-by-domain scoring, 24h / 48h / 72h scenarios, prioritised action plan.

This is not German-style sovereignty. It is Caribbean common sense.
