Published on 17 December 2025
Reading time: approx. 3 minutes

BSI C5: Establishing itself as a cross-industry standard for cloud security

  • The BSI C5 is mandatory in the healthcare sector; since July 1, 2025, only a C5 Type 2 attestation is accepted as proof.
  • C5 creates verifiable transparency and goes beyond classic ISMS certifications.
  • The C5:2025 extends the focus to supply chain, AI, and technical security.
Frank Reutter
Partner
Auditor, Certified Tax Advisor, CISA, Graduate in Business Informatics
Nicolas Fehrenbach
Manager
The BSI C5 is establishing itself as the standard for secure cloud computing in Germany. For the healthcare sector, it is mandatory due to DigiG and § 393 SGB V. Since July 1, 2025, a C5 Type 2 attestation is mandatory, which proves the effective implementation of the requirements over a period of time. The article provides an overview and outlook on the BSI C5:2025.


The BSI C5: More than a criteria catalog

The “Cloud Computing Compliance Criteria Catalogue” (C5) of the German Federal Office for Information Security (BSI), in short the BSI C5, specifies the minimum requirements for secure cloud computing. Its primary aim is to create an objectively verifiable level of trust in the information security of cloud providers and their cloud services. For cloud providers, the BSI C5 serves as a guideline for secure cloud computing, while it offers cloud customers a reliable basis for their own risk management and for the oversight of their service providers.

Compliance with the requirements of the BSI C5 is demonstrated by an attestation from independent auditors based on the international assurance standard ISAE 3000 (Revised). This underlines the binding nature and the audit depth of the C5, which go beyond the certification of a management system (e.g. an information security management system, ISMS): the auditor examines the design and, for a Type 2 attestation, the operating effectiveness of the individual controls rather than the existence of a management framework.

Regulatory foundations

For organizations in the healthcare sector, the criteria of the BSI C5 are not a recommendation but a binding regulatory requirement. Section 393 SGB V, introduced by the Digital Act (DigiG), which came into force on July 1, 2024, requires service providers, health insurance funds and their processors to provide proof of compliance with the requirements of the BSI C5 as soon as patient data is processed in a cloud. Until June 30, 2025, a C5 Type 1 attestation (covering the design of the controls at a point in time) was sufficient as proof. Since July 1, 2025, the BSI requires proof of a C5 Type 2 attestation (covering the operating effectiveness of the controls over a period of time).

Under certain conditions, the BSI offers a transitional period where a C5 Type 2 attestation is not available by July 1, 2025. For organizations in the healthcare sector that do not (yet) fully meet the requirements, the law (§ 393 Para. 4 SGB V) provides for a limited and temporary transitional option under which alternative evidence (e.g. a valid ISO/IEC 27001 certificate) can be recognized. However, this option is subject to the following conditions:

  1. Gap analysis: A systematic comparison of the controls (e.g. from ISO/IEC 27001) with the C5 basic criteria must be demonstrated.
  2. Action plan: A binding plan to close the identified gaps must be submitted (usually with a 12-month implementation period).

Classification in practice

Although the legal obligation to submit a C5 attestation currently only applies to the processing of patient data, the BSI C5 is increasingly establishing itself as a relevant quality feature for secure cloud services across all industries.

More and more companies, also outside the healthcare sector, are demanding a C5 attestation from their cloud service providers in order to obtain a transparently verifiable level of security. As a result, the BSI C5 is increasingly becoming a market-driven seal of approval that creates trust and has already become an important distinguishing feature for cloud providers.

Outlook on the BSI C5:2025

The BSI is continuously developing the C5. The current community draft of the C5:2025 (the final version is expected at the end of 2025) already shows clear further developments that aim at alignment with the European certification scheme EUCS (Level Substantial) as well as at new technological risks.

Based on the BSI publications to date, the following topics in particular will be given greater consideration:

  • Supply chain: Increased requirements for the control of service providers and subcontractors.
  • New technologies: Addressing new risk areas through requirements for the use of artificial intelligence.
  • Technical depth: More specific requirements for product security, the separation of environments (e.g. development, test and production) and vulnerability management.

Conclusion

The BSI C5 is increasingly developing into a central reference framework for verifiable security and transparency in cloud computing. Regardless of legal obligations, it is gaining importance as a generally recognized standard and serves companies as a reliable basis for risk assessment and for the selection of cloud providers. The continuous development of the BSI C5 underlines that cloud security will remain a current and dynamic topic in the future.