BSI Updates Cloud Computing Compliance Criteria Catalogue C5:2026
- The Federal Office for Information Security (BSI) published an updated version of its Cloud Computing Compliance Criteria Catalogue on April 7, 2026.
- A primary addition to C5:2026 is the inclusion of a German interpretation of the EU Cloud Certification Scheme.
- The C5 criteria catalogue is designed as a baseline security level for cloud services.
The Federal Office for Information Security (BSI) published an updated version of its Cloud Computing Compliance Criteria Catalogue on April 7, 2026. The new version, designated as C5:2026, establishes the minimum standards for the secure operation of cloud services and replaces the previous 2020 version.
A primary addition to C5:2026 is the inclusion of a German interpretation of the EU Cloud Certification Scheme. This update follows a comprehensive revision process conducted throughout 2025 and 2026 intended to increase quality and incorporate the latest technical developments in the cloud sector.
Standardizing Cloud Security Requirements
The C5 criteria catalogue is designed as a baseline security level for cloud services. It provides a standardized framework for examination and reporting, which allows cloud service customers to evaluate security reports as part of their own internal risk analysis.

The BSI intended the scheme to ensure a reliable definition of operational processes and technical terms. This includes establishing clear meanings for concepts such as what constitutes a location, a partition, or a shared zone within cloud operations.
Beyond these definitions, C5:2026 contains core and supplementary criteria regarding how services must be operated to maintain compliance. These requirements cover a range of classic security issues, including incident management and the securing of customer data.
Legal and Operational Disclosures
C5:2026 introduces stringent disclosure requirements for cloud service providers. Providers, as well as any parent companies they may have, are required to disclose the specific laws to which they are subject.
Operational transparency is further mandated through requirements to disclose how zones are divided and the exact location of customer data. Providers must provide extensive information to address official requests regarding customer cloud data.
These controls build upon existing IT-security levels equivalent to the IT-Grundschutz by adding specific cloud-related controls. This enables customers to evaluate how their use of cloud services relates to their own policies, the threat environment, and legal regulations such as data privacy.
Industry Impact and Regulatory Necessity
For many service providers, meeting BSI requirements is a legally mandated prerequisite for operating in specific German sectors. For example, a Type 2 certification is required for providers operating within the digital German healthcare system.
The C5 catalogue is also considered a decisive factor for several other highly regulated industries and services, including:
- Digital financial services and the banking sector
- Government agencies
- Services related to passport photos
Because the catalogue is used by providers, customers, and auditors, it creates a shared responsibility model for establishing and maintaining information security. Providers that implement these criteria can use the attestation to establish a competitive edge in the market.
Verification and Attestation Process
To demonstrate alignment with the C5 criteria, cloud service providers can commission an examination by certified public accountants or other chosen auditors. These auditors verify whether the C5 criteria are met at the time of the examination and, depending on the engagement type, whether they have been consistently met in the past.
The result of this process is a detailed examination report created according to international standards. This report serves as the primary document for customers and their compliance advisors to understand the security controls implemented by the provider.
Since its initial publication in 2016, the C5 framework has been adopted by a wide range of national, European, and global cloud service providers, as well as small and medium-sized providers. According to the BSI, over one hundred attestations have been granted to date.
