Securance logo

What is BSI C5

What is BSI C5, and is it mandatory in Germany?

Adam nowakowski Vk Rq5w3as CA unsplash

If you're a cloud provider selling into the German market, or a SaaS company whose customers include German public bodies, banks, or healthcare organisations, you've probably heard the name BSI C5 come up in a sales conversation or procurement questionnaire. Maybe someone asked you for a C5 attestation and you weren't sure what they meant. Or perhaps you're wondering whether you actually have to get one.

Here's the short answer: it depends on your industry and customers. But the long answer is worth reading, because getting this wrong can cost you deals.

 

What BSI C5 actually is

BSI C5 stands for Cloud Computing Compliance Criteria Catalogue. It was developed by Germany's national cybersecurity authority, the Bundesamt für Sicherheit in der Informationstechnik (BSI), first published in 2016 and substantially updated since. The catalogue currently covers 121 mandatory controls across 17 security domains, things like identity management, cryptography, incident response, tenant separation, and data residency.

Unlike ISO 27001, which certifies your information security management system, C5 is an attestation. An accredited third-party auditor examines your cloud service's controls and issues a Type 1 report (a snapshot at a point in time) or a Type 2 report (evidence that controls operated effectively over an observation period, typically six to twelve months). Since July 2025, Type 2 is the expected standard for most regulated use cases.

The BSI released C5:2026 in April 2026, introducing stricter requirements around data sovereignty, AI-assisted controls, and supply chain transparency, so if you're planning an audit, it's worth checking you're scoping against the current version.

 

Is BSI C5 mandatory?

Not universally, but for large parts of the German market, it's effectively non-negotiable.

Government and public sector: German federal authorities have been required since 2020 to apply C5 as a minimum security baseline when procuring cloud services. If you want a contract with a German public body, a C5 Type 2 attestation isn't optional.

Healthcare: Under Section 393 of the Fifth Book of the German Social Code (SGB V) and the Digital Act (DigiG), a C5 Type 2 attestation has been legally mandatory for cloud providers handling health and social data since 1 July 2025, as confirmed by Rödl & Partner in their December 2025 industry analysis.

Critical infrastructure (KRITIS): Operators in energy, finance, transport, and telecoms must meet strict BSI security standards under the German IT Security Act (BSIG). C5 is the accepted framework for demonstrating cloud security compliance in this context.

B2B private sector: Technically voluntary, but German enterprises in financial services, insurance, and professional services routinely require C5 from their cloud suppliers. Refusing to produce one is often a deal-breaker in procurement.

 

Who typically gets asked for C5

In practice, requests for C5 attestations come at you from a few directions:

  • Cloud infrastructure providers (IaaS, PaaS) selling to German enterprise customers
  • SaaS vendors processing sensitive data for German clients in regulated sectors
  • Data centres with German or European customers in public procurement
  • Any tech company responding to a German public sector tender

If your security questionnaire includes a line asking about BSI C5, this is why.

 

How C5 sits alongside ISO 27001, SOC 2, NIS2, and DORA

C5 isn't a replacement for the standards you probably already know, it builds on them. ISO 27001 establishes your information security management system and is often a prerequisite before pursuing C5. SOC 2 validates security controls for a broader, often North American audience. C5 goes deeper into cloud-native specifics: encryption key management, logging, tenant isolation, and data residency transparency that ISO 27001 doesn't prescribe in the same way.

For companies operating across Europe, C5 also maps neatly onto the technical requirements of NIS2 and DORA. Auditors reviewing your NIS2 compliance posture or your DORA ICT risk management will recognise C5 controls as strong evidence of operational security. The compliance comparison for SaaS and tech teams is a good place to understand where those frameworks overlap.

If you've already completed ISO 27001 certification, a significant portion of C5's 17 control domains will already be covered. That's genuine leverage, a combined audit rather than two separate projects.

 

The certification process and timeline

Getting a C5 attestation follows a predictable sequence:

  1. Gap analysis (months 1–2): Map your existing controls to C5's 121 criteria and identify what's missing. If you have ISO 27001 or SOC 2 already, this stage is considerably shorter.
  2. Remediation and implementation (months 2–5): Close the gaps, policies, technical controls, logging, documentation.
  3. Type 2 observation period (months 6–11): Your auditor observes controls operating in practice over six to twelve months.
  4. Attestation report (month 12): The auditor issues the report. Annual renewal is required.

Timeline: On average, the full process might take three to six months from scoping to attestation for well-prepared organisations, but that assumes solid prior compliance foundations. Starting from scratch, twelve months is realistic.

Combining C5 with an existing SOC 2 or ISO 27001 audit cycle meaningfully reduces cost and effort, which is exactly the logic behind Securance's Single Audit, Multiple Standards approach, covering SOC 1, SOC 2, ISAE 3402, ISO 27001, NIS2, and DORA in one streamlined process.

 

C5 readiness checklist

Before you engage an auditor, run through these:

  • Existing ISO 27001 or SOC 2 documentation mapped to C5 control domains
  • Asset inventory covering all in-scope cloud services and data categories
  • Encryption and key management policies aligned with BSI requirements
  • Access control and identity management processes documented and operating
  • Logging and monitoring configured for the required retention periods
  • Incident response procedures tested and evidenced
  • Vendor and supply chain security assessments in place
  • Internal audit or review function able to produce evidence for a 6–12 month observation period

If several of these feel uncertain, a gap analysis is the right first step rather than jumping straight to audit.

 

Frequently asked questions

Is BSI C5 mandatory in Germany? For German federal authorities, healthcare cloud providers, and KRITIS-adjacent services, yes. For private sector B2B, it's contractually mandatory in many cases even if not prescribed by law.

Do I need C5 if I already have ISO 27001? ISO 27001 covers your security management system but doesn't go into cloud-specific controls the way C5 does. Clients in German regulated sectors will typically ask for C5 specifically. That said, ISO 27001 gives you a strong head start, the ISO 27001 vs SOC 2 comparison explains how those foundations carry across.

What's the difference between Type 1 and Type 2? Type 1 is a point-in-time snapshot confirming controls exist. Type 2 confirms they operated effectively over a defined period. Since July 2025, Type 2 is required in healthcare and strongly preferred across the rest of the market.

Does C5 apply outside Germany? C5 is a German standard with no direct equivalent in other European countries. However, it's increasingly referenced in European procurement and recognised as a credible security benchmark across the EU. If you serve German clients, it's relevant regardless of where you're headquartered.

Can I do C5 alongside my NIS2 or DORA compliance work? Absolutely, and you should. The control overlap is substantial. Running them together through an integrated audit is significantly more efficient than treating them as separate projects. Securance's advisory team covers DORA compliance and NIS2 requirements alongside C5 preparation.

 

How Securance can help

Securance works with SaaS and tech companies across Europe that are navigating exactly this kind of compliance complexity. Trusted by 800+ professional firms and SMEs, with 96% customer satisfaction across more than 1,800 audits performed, the team brings together advisory, assurance, and cybersecurity services in a single, coordinated process.

If you're facing a C5 request from a prospect or a public sector tender, the first conversation you need is a gap analysis, understanding where you stand today and what the realistic path looks like. That's exactly what Securance's free consultation covers.

Schedule a free consultation and let's work out what your C5 journey looks like from where you are now.