C5: Cloud Computing Compliance
Criteria Catalogue

The Cloud Computing Compliance Criteria Catalogue (C5) is an attestation standard for cloud services developed by Germany's Federal Office for Information Security (BSI). C5 defines minimum requirements for the information security of cloud providers and creates transparency about their actual security level. The current version C5:2020 comprises 121 criteria in 17 requirement domains addressing both technical and organizational security aspects. A C5 attestation enables cloud customers to assess a provider's security based on independently verified evidence, without having to conduct their own expensive audits. Internationally, C5 is comparable to SOC 2 (USA) or ISO 27017 (cloud-specific ISO standard), but with German/EU-specific requirements including mandatory transparency about data locations and applicable legal systems.

A C5 Type 1 attestation confirms that the security controls described by the cloud provider are appropriately designed at the point of assessment (design review). The auditor evaluates whether the existing controls are fundamentally suitable to meet C5 requirements. A Type 1 attestation provides no information about whether the controls are actually effective in operations. A C5 Type 2 attestation additionally tests the operational effectiveness of security controls over a defined observation period of typically 6 to 12 months. Type 2 is significantly more meaningful and is preferred or required by German federal agencies and under the DigiG. For most regulatory requirements, Type 1 is sufficient as an entry point; Type 2 should be the long-term target.

C5 is effectively mandatory for cloud providers serving German federal agencies since 2020 - federal agencies require corresponding evidence before cloud adoption. Through the Digital Healthcare Modernization Act (DigiG), C5 was legally mandated via §393 SGB V from July 2025 for cloud services in healthcare: health insurers, hospitals and other healthcare providers may only process social security data in clouds whose providers hold a valid C5 attestation. The German Federal Financial Supervisory Authority (BaFin) expects C5 from cloud providers in the financial sector under BAIT/VAIT requirements. KRITIS operators should also consider C5 in the context of their statutory due diligence obligations.

C5:2020 organizes its 121 criteria into 17 requirement domains: (1) Organizational Security (OIS), (2) Security Policies (SP), (3) Asset Management (AM), (4) Physical Security (PS), (5) Operational Security (OS), (6) Identity and Access Management (IDM), (7) Encryption and Key Management (CRY), (8) Communication Security (CS), (9) Portability and Interoperability (PI), (10) Availability (SOS), (11) Incident Management (IR), (12) Procurement, Development and Maintenance (DEV), (13) Compliance and Data Privacy (COM), (14) Change Management (CHA), (15) Information Security Risk Management (RMG), (16) Audit Management (AUD), (17) Supplier Relationships (SSO). Each domain contains specific, auditable requirements with corresponding evidence requirements.

C5 and ISO 27001 overlap significantly in content - an existing ISO 27001 certificate is an excellent foundation for a C5 attestation and substantially reduces the additional effort. However, C5 is more cloud-specific and concretizes many ISO 27001 requirements for the cloud context: tenant separation, transparency requirements towards customers, portability and specific GDPR data privacy requirements are topics that C5 addresses in considerably more detail. ISO 27001 provides the general ISMS framework; C5 delivers the cloud-specific requirements catalog. In practice, a combined audit is recommended to leverage synergies. Organizations combining an ISO 27001 certificate with a C5 attestation demonstrate a comprehensive security posture.

A distinctive feature of C5 are the extensive transparency requirements: cloud providers must publish a system description in the attestation disclosing subcontractors and their security level, data storage locations and processing (particularly outside the EEA), applicable legal systems and potential government access, and the architecture of the cloud environment. These "environment information" enable cloud customers to make informed risk assessments - particularly relevant for US cloud providers and the CLOUD Act. For providers, this means: full transparency about all sub-service providers that provide security-relevant services.

A C5 attestation is conducted by an independent auditing firm based on the international assurance standard ISAE 3000 (revised) or its German equivalent IDW PS 860. The auditor assesses all 121 C5 criteria in four phases: First, the cloud provider creates a detailed system description covering architecture, controls and scope. The auditor then plans audit procedures and, for Type 2, determines the observation period (6-12 months). During execution, the auditor examines through document analysis, interviews, observations and sampling. Finally, the auditor produces the attestation report in SOC 2 format with an audit opinion and findings per criterion. Costs range from EUR 80,000 to EUR 250,000 for a Type 2 attestation depending on scope.

ISAE 3000 (revised) - International Standard on Assurance Engagements - is the standard developed by the IAASB (International Auditing and Assurance Standards Board) for assurance engagements outside traditional financial audits. C5 attestations are based on this standard (or its German equivalent IDW PS 860), because it creates a unified framework for quality, independence and reporting. ISAE 3000 distinguishes between Reasonable Assurance (positive confirmation that controls are effective - required for Type 2) and Limited Assurance (negative assurance - may suffice for Type 1). ISAE 3000 is also the basis for SOC 2 reports (AICPA), enabling combined C5/SOC 2 audits with significant efficiency gains.

Hospital information systems and all cloud services processing social security data of statutorily insured persons must from July 1, 2025 be sourced from providers with a valid C5 attestation. This covers practically all cloud services in patient care: electronic health record platforms, telematics infrastructure connectors, cloud-based laboratory information systems, radiology PACS solutions and billing systems. Hospitals and other healthcare providers bear the responsibility to use only C5-attested providers and document this. Providers without an attestation effectively lose market access in the German healthcare market.

Yes - C5 and SOC 2 Type II (the American equivalent standard) are content-compatible and are frequently assessed together. Many international cloud providers pursue both attestations: SOC 2 for the US market and C5 for Germany and Europe. The AICPA and BSI have published a mapping table documenting overlaps between Trust Service Criteria (SOC 2) and C5 criteria. A combined audit achieves significant efficiency gains as many controls and evidence can be used for both standards. For an international cloud provider with German customers from regulated industries, the combination C5 + ISO 27001 + SOC 2 is the recommended attestation strategy.

The BSI announced in late 2025 that an updated version of the C5 catalog would be published in Q1 2026. C5:2025 is expected to incorporate current developments - anticipated additions include enhanced supply chain security requirements, AI-specific cloud services and zero trust architectures, as well as closer alignment with the EU Cybersecurity Certification Scheme (EUCS). Until publication, C5:2020 remains the applicable standard. Organizations beginning C5 preparation now are well-advised: existing criteria will likely be extended, not fundamentally changed. A solid C5:2020 foundation will facilitate the transition to the new version considerably.

AWARE7 supports cloud providers and cloud customers along the entire C5 journey: For cloud providers, we conduct a C5 Readiness Assessment - a structured comparison of existing security controls against all 121 C5 criteria with clear gap reporting and a prioritized action plan. We support building missing controls, creating required documentation and the system description, through to a pre-attestation readiness review. As an offensive security company, we also conduct the C5-required penetration tests and vulnerability assessments. For cloud customers from regulated industries (healthcare, finance), we review whether existing provider attestations cover their own regulatory requirements.