C5: benchmark for secure cloud services in Germany
The introduction of the C5 by the German Federal Office for Information Security (BSI) has created a central standard for information security and data protection in German cloud computing.
Especially for the public sector, for municipalities, federal states and the federal government, as well as for companies in the healthcare sector, the C5 certificate is a decisive proof: it guarantees that cloud providers meet the highest standards for the protection of sensitive data and the security of information, and that the criteria applied are current and recognized in Germany.
What is the C5?
The C5 certificate stands for tested security, transparency and reliability in cloud services. It offers public clients and health companies a clear advantage: the selection and awarding of a cloud service is made easier by comprehensible test reports and the disclosure of relevant information. Compared to other certificates, the C5 certificate specifically focuses on German standards and thus creates trust in the security and protection of the processed data.
Added value for the public sector and health
The secure processing and storage of large volumes of data is essential for public authorities, local authorities and companies in the healthcare sector. The C5 certificate helps them to comply with legal requirements and ensure information security for all cloud services. This means that citizens, patients and customers all benefit from modern, secure and reliable digital services.
Definition: Everything you need to know about the Cloud Computing Compliance Criteria Catalogue (C5)
- BSI: The BSI (German Federal Office for Information Security) is the central German authority for IT and cloud security. It develops guidelines, audits cloud providers and publishes the C5 criteria catalog as a benchmark for secure cloud services in Germany.
- C5 criteria catalog: The BSI’s Cloud Computing Compliance Criteria Catalog (C5) defines over 100 binding specifications for information security, data protection and compliance for cloud services. It is the basis for the C5 certification of cloud providers.
- C5 certificate: The C5 certificate is an independent test certificate that confirms that a cloud provider meets the strict C5 requirements of the BSI. It creates transparency and trust for companies, authorities and customers.
- Certificate types: Type 1 checks compliance with the C5 criteria on a specific key date, type 2 over a longer period (usually 6 to 12 months). Both variants serve as proof of the security and reliability of cloud services.
- Compliance and transparency: The C5 certificate documents that a cloud provider consistently complies with legal, regulatory and internal requirements. It offers customers a clear overview of security measures and compliance with current standards.
- Basic protection: Basic security measures that are considered the lower limit for secure cloud operations – often based on the BSI’s IT baseline protection.
STACKIT and the C5 certificate: Systematic security – advantages at a glance
STACKIT not only meets the formal requirements of the C5 certificate – it also creates real added value for companies, authorities and organizations. The following advantages show why working with STACKIT is worthwhile.
- Security made in Germany: STACKIT fulfills the current C5 criteria of the BSI. This means the highest standards of data protection, information security and compliance – tested and documented.
- Full transparency: Customers gain insight into security measures and test reports. This creates trust and facilitates your own compliance work.
- Legal and future security: With STACKIT, companies and authorities not only meet current legal and regulatory requirements, but also those of the future.
- Support from experts: The experienced STACKIT team supports you in every phase – from consulting to implementation and ongoing operation.
- Scalable cloud solutions: The STACKIT portfolio includes powerful services that can be flexibly tailored to individual requirements.
- Data sovereignty through location advantage: Data processing takes place exclusively in German data centers in accordance with German law. Compliance with the C5 guidelines is a key selection criterion, especially for projects in the public sector and for the federal government.
C5 in detail: security with traceable standards
The BSI’s C5 certificate is regarded as the authoritative standard for assessing cloud security in Germany. It defines binding guidelines in various control areas – from technical security measures to organizational processes. The underlying catalog of criteria covers all relevant aspects for trustworthy cloud operations.
The focus is on the following areas, among others:
- Risk management: This involves systematically identifying and evaluating potential risks within the cloud infrastructure and defining suitable measures to mitigate these risks. The aim is to deal with security-relevant vulnerabilities in a transparent and comprehensible manner.
- Operational security: The secure and stable operation of cloud services is ensured by defined processes for controlling, monitoring and documenting the IT systems. These include regular system checks, emergency plans and a clear allocation of roles in the operating team.
- Access and identity management: It is ensured that only authorized persons can access systems and data. This includes the management of user accounts, roles and authorizations as well as multi-factor authentication.
- Data encryption: Sensitive information is protected using the latest cryptographic methods – both during transmission and storage. The selection of procedures is based on recognized security standards.
- Incident management: In the event of security incidents, processes must be defined to quickly identify, report and process events. This also includes analyzing the causes and implementing preventive measures.
- Compliance and transparency: All security-relevant processes and measures are fully documented. This documentation forms the basis for internal controls and external evidence for customers, supervisory authorities and auditors.
- Availability and reliability: The aim is to ensure a high level of operational readiness of the cloud services – even in the event of disruptions or attacks. To this end, technical and organizational measures such as redundancies, backups and emergency tests are implemented.
- Regular updating of the catalog: The C5 criteria catalog is continuously developed by the BSI. This means that new threat scenarios and technological developments are taken into account promptly – for example in the areas of AI, remote work or zero trust.
Certification: The testing process at a glance
Before a cloud provider receives the C5, it undergoes a multi-stage testing process. This ensures that not only individual objectives are met, but also that the entire security concept is comprehensibly documented and effectively implemented.
1. Gap analysis
The first step is to take stock: a gap analysis is carried out to determine the differences between the current security level and the requirements of the C5 catalog. The cloud provider’s existing documentation serves as the central basis for this.
2. Catalog of measures
Based on the analysis, a concrete action plan is drawn up. The aim is to systematically fulfill all outstanding requirements. The process is often tackled with the help of external consultants or auditors, for example through workshops or technical recommendations.
3. Audit and testing
The actual audit is carried out by independent, qualified auditors in accordance with the internationally recognized ISAE 3000 auditing standard, checking whether the defined security controls are effective and whether all evidence has been fully and comprehensibly documented.
4. The different types of attestation
Depending on the scope of the audit, you can choose between two types:
Type 1: Confirmation that all requirements were met at the time of the audit (key date audit).
Type 2: Proof that the requirements have been consistently met over a longer period of time – usually 6 to 12 months.
After successful completion, the C5 certificate is awarded. It is limited in time and must be renewed regularly. For customers, it is transparent proof of the provider’s security quality – and an important tool for their own risk and compliance assessment.
Practical tips and information about the C5 test report: find out what you should look out for
We offer you audited cloud services that meet the highest standards of security and compliance.
- Choose your cloud provider carefully: When choosing your cloud partner, make sure they have a current C5 audit certificate – ideally type 2. This provides the most comprehensive proof of ongoing compliance with security requirements.
- Check the certificate regularly: Ask to see the valid C5 certificate and – if available – the associated test report. This will give you clarity about the current security status of the service provider and possible restrictions.
- Use C5 as part of your compliance strategy: Integrate the C5 test certificate specifically into your own risk analysis. It provides reliable information for audits, documentation and internal inspection processes.
- Don’t forget your duty to cooperate: Customers also have responsibilities – for example in the secure configuration of services, in access management or in the selection of suitable protection mechanisms.
- Involve support from STACKIT: The STACKIT team is experienced and available to advise you – from implementation to compliance documentation. This allows you to meet all requirements efficiently and with foresight.
- Combine security modules: Supplement C5-certified cloud services with additional measures such as ISO certifications, zero-trust architectures or backup solutions. This increases protection and strengthens your overall strategy.
Our tip: The BSI offers further information and topics relating to cloud computing standards on its website.
Get started in the cloud with certified security
The C5 certificate is the binding benchmark for a secure, trustworthy and legally compliant cloud service in Germany – and is therefore a key selection criterion, especially for the public sector and regulated industries such as healthcare.
With STACKIT, you are choosing a cloud provider that not only fulfills the current C5 objectives, but also accompanies you competently and in partnership on your way to the secure cloud – from implementation to support.
FAQ – frequently asked questions about the C5 certificate
What is the difference between the different certificate variants?
Type 1 confirms that the requirements were met at the time of the audit (key date audit). Type 2 goes further and proves that the requirements have been consistently met over a longer period of time – usually 6 to 12 months.
Is the C5 certificate mandatory for cloud providers?
No, it is not a legal requirement, but it is increasingly becoming a prerequisite – for example in public tenders or for companies with high security and compliance requirements.
How long is a C5 audit valid for?
As a rule, the certificate is valid for one year. After that, a new audit is required to keep the status up to date.
What are the benefits of the C5 audit report for me as a customer?
The certificate creates transparency and legal certainty. It helps you to strengthen your company’s cloud compliance – and shows that your provider meets high data protection and information security standards.
As a customer, what do I need to be aware of despite the C5 certificate?
Even with a C5 certificate, you still bear responsibility – for example, for the secure configuration of your services or identity management. Use STACKIT’s support to implement all requirements in the best possible way.
