BSI C5 — Germany's Cloud Computing Compliance Catalogue

The Cloud Computing Compliance Criteria Catalogue (C5) is published by the Bundesamt für Sicherheit in der Informationstechnik (BSI), Germany's Federal Office for Information Security. The current edition, C5:2020, defines 121 basic criteria grouped into 17 areas, plus optional additional criteria for higher assurance; together they form the baseline that German government, banking, insurance, and increasingly enterprise procurement teams expect a cloud service to satisfy.

C5 attestation is performed by an independent auditor (in practice a public accounting firm) as an ISAE 3000 (Revised) examination, carried out in Germany under IDW PS 860. The output is an attestation report, not a certificate: BSI does not issue or register C5 certificates, so a buyer must obtain and read the auditor's report. The report is either Type 1 (suitability of control design at a point in time) or Type 2 (operating effectiveness of the controls over a defined period).

For VDR procurement involving German banking, insurance, government, or large-enterprise counterparties, BSI C5 attestation is often a hard requirement.

Last updated: May 2026.


C5 Control Themes

  • Organization of information security.
  • Security policies and instructions.
  • Personnel.
  • Asset management.
  • Physical security.
  • Operations.
  • Identity and access management.
  • Cryptography and key management.
  • Communication security.
  • Portability and interoperability.
  • Procurement, development and modification of information systems.
  • Control and monitoring of service providers and suppliers.
  • Security incident management.
  • Business continuity management.
  • Compliance.
  • Dealing with investigation requests from government agencies (a criterion specific to C5, covering how the provider handles and discloses authority requests).
  • Product security.

VDR Providers Holding C5

  • [netfiles](/providers/netfiles) — C5.
  • [idgard](/providers/idgard) — C5.
  • [Brainloop](/providers/brainloop) — C5.
  • [Drooms](/providers/drooms) — ISO 27001 / 27018; C5 status varies by deployment, confirm with sales.

Who Asks for C5

  • German federal and state-government procurement.
  • BaFin-supervised banks and insurers.
  • Listed German companies (e.g., DAX-40 procurement teams).
  • Defense and dual-use contractors.
  • Large industrials with regulated subsidiaries.

Frequently Asked Questions

Is C5 required by law?

It is not a legal requirement in itself, but it is referenced in BaFin's BAIT / VAIT / KAIT circulars and its guidance on outsourcing to cloud providers, and the BSI minimum standard for federal use of external cloud services requires it. In practice a regulated buyer will ask for a C5 Type 2 report first and will need a documented justification to accept anything else, so for those buyers C5 is mandatory in effect if not in law.

Type 1 or Type 2 attestation?

Type 2 (operating effectiveness over a period of typically six to twelve months) is what regulated buyers expect. A Type 1 report is a reasonable first step for a new service but does not satisfy them on its own. When reviewing a Type 2 report, check three things: that the VDR service you are buying (not only the provider's data centres or a sibling product) is named in the report's scope and system description, that the examination period is recent and contiguous with the previous one, and whether the auditor noted any deviations or exceptions and how the provider remediated them.

Is BSI C5 different from ISO 27001?

Yes. ISO 27001 certifies that a management system (the ISMS) exists and is maintained; the certificate itself says little about how specific controls are implemented. C5 is more prescriptive: each criterion states what the control must achieve, the report describes how the provider implements it, and it adds cloud-specific items (portability, supplier monitoring, the system description with data locations and subcontractors) and the German-specific handling of government investigation requests. C5:2020 also publishes a mapping to ISO 27001, ISO 27017 and other frameworks, so a provider with an existing ISMS can reuse much of its evidence. In practice ISO 27001 is the baseline and C5 stacks on top of it; holding one does not substitute for the other.