# BSI C5 (Cloud Computing Compliance Criteria Catalogue)
A standard from Germany's federal cybersecurity agency (BSI) that defines a minimum security baseline for cloud services serving German public-sector and regulated-industry customers. Widely treated as the German equivalent of SOC 2.
## What BSI C5 actually is
BSI C5 — Cloud Computing Compliance Criteria Catalogue — is the cloud security standard published by **Germany's Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik, BSI)**. First published in 2016 (C5), revised in 2020 (C5:2020), it defines a comprehensive security baseline for cloud services and the audit process by which providers can demonstrate compliance.
C5 is similar in scope to SOC 2 (US) or ISO 27001/27017 (international) but is tailored to **German legal and regulatory requirements** and is widely treated as the de facto cloud security standard for German public-sector and regulated-industry buyers.
## What BSI C5 covers
C5:2020 includes around **125 controls** across 17 control areas:
- Organization of information security
- Personnel security
- Asset management
- Physical security
- Operational security
- Identity and access management
- Cryptography
- Communications security
- Portability and interoperability
- Procurement, development, and modification
- Control and monitoring of providers and suppliers
- Incident management
- Business continuity
- Compliance
- Dealing with investigative requests from government authorities
- Product safety and security
- Privacy
The "dealing with investigative requests from government authorities" control area is particularly important for **sovereignty assessment** — it addresses how the provider handles foreign-government data requests, which is where US [CLOUD Act](/en/glossary/cloud-act/) exposure becomes visible.
## How BSI C5 audits work
BSI C5 uses an **attestation model** similar to SOC 2:
### Type 1 attestation
The auditor verifies that controls are designed appropriately at a point in time. Lower cost; faster.
### Type 2 attestation
The auditor verifies that controls operated effectively over a defined period (typically 6-12 months). More rigorous; this is what regulated buyers expect.
Audits are performed by independent auditors qualified by BSI. The audit report (C5 Attestation Report) is shared with the provider's customers under confidentiality.
## Why BSI C5 matters
### 1. German market access
For cloud providers wanting to serve German enterprises, especially regulated industries (banking under BaFin, healthcare under SGB, public sector under federal procurement), C5 attestation is effectively required.
### 2. Reveals sovereignty exposure
C5 control BC-01 ("Dealing with Investigative Requests from Government Authorities") forces providers to document their exposure to foreign law. This makes CLOUD Act, FISA 702, and similar exposures legible and auditable.
### 3. Foundation for EUCS
The pan-European [EUCS](/en/glossary/eucs/) cybersecurity certification scheme draws substantially on C5. C5-attested providers will be well-positioned for EUCS.
### 4. Bridge from international to German standards
C5 maps to ISO 27001, ISO 27017, ISO 27018, and SOC 2. Providers with those certifications can typically achieve C5 with incremental effort.
## Notable C5-attested providers
C5 is widely held among European cloud providers and increasingly by hyperscalers' German offerings:
### European providers with C5
- **Hetzner** — German hyperscaler alternative
- **IONOS** — German cloud and hosting
- **Open Telekom Cloud** — Deutsche Telekom's cloud
- **plusserver** — German managed cloud
- **STACKIT** — Schwarz Group's enterprise cloud
- Various German managed-service providers
### Hyperscalers
- **AWS** has C5 attestation for German regions
- **Microsoft Azure** has C5 for German offerings
- **Google Cloud** has C5 for European regions
Note: hyperscaler C5 attestation does not solve CLOUD Act exposure. C5 documents the exposure; it does not eliminate it.
## BSI C5 vs other schemes
| Scheme | Country | Scope | Relationship to C5 |
|--------|---------|-------|-------|
| BSI C5 | Germany | Cloud security | This standard |
| SecNumCloud | France | Cloud security + sovereignty | Stricter on sovereignty |
| [Cloud de Confiance](/en/glossary/cloud-de-confiance/) | France | Sovereignty wrapper | Builds on SecNumCloud |
| SOC 2 | US/international | General security | Substantially overlapping |
| ISO 27001/27017 | International | Information security | C5 builds on these |
| EUCS (draft) | EU | Pan-European cloud cybersecurity | Likely incorporates C5 elements |
## What BSI C5 means in practice
### For German buyers
C5 attestation is the minimum credible cloud security signal. Type 2 attestation is the buyer expectation.
### For European cloud providers
C5 is investment-worthy: the audit is rigorous and expensive but opens the German market.
### For cross-border SaaS
If you're a European SaaS serving German enterprises, your cloud infrastructure needs C5 even if you don't have it directly — your provider must.
### For sovereignty evaluation
C5 alone is not a sovereignty certification. The German equivalent is the BSI's separate work on cloud sovereignty criteria, which builds on C5 plus additional jurisdiction-of-control requirements.
## What 2026-2027 brings
- **C5:2025 revision** — periodic updates aligned with NIS2 and EUCS work
- **EUCS finalization** — if and when EUCS lands, C5-attested providers will likely be advantaged
- **Increasing buyer rigor** — German enterprises increasingly request Type 2 C5 + explicit CLOUD Act analysis
- **Hyperscaler sovereign offerings** — C5 attestation extended to dedicated sovereign hyperscaler regions
## Practical implications
For most European tech buyers:
- **If you serve German enterprises**: your cloud provider needs C5
- **If you're evaluating European cloud providers**: C5 attestation is a meaningful quality signal
- **If you're assessing sovereignty**: C5 documents exposure but doesn't eliminate it — look beyond C5 to legal structure
- **If you're a German public-sector or regulated-industry buyer**: this directly affects your procurement
For everyday SaaS choices, the C5 status of your providers' cloud infrastructure is usually an adequate due-diligence baseline.