
      Anyone wishing to offer cloud services in the healthcare sector will need a positive certificate in accordance with BSI C5 in future.

      Digitalisation in Germany is a recurring topic in the media. The need for digitalisation in the healthcare sector is no exception. With the publication of the Digital Act (DigiG) on 26 March 2024, Section 393 of the German Social Code (SGB V) now provides regulatory authorisation for the use of cloud computing in the healthcare sector, which affects all IT service providers working in this field.

      What is it all about?

      The DigiG aims to simplify and secure interactions between patients and doctors by means of digital solutions. At the heart of the law is the electronic patient record (ePA). However, the law also covers areas such as digital medication overviews and the further development and binding nature of e-prescriptions.

      In addition to the content specifications for the digitisation of the healthcare system, the law also sets out specific requirements for cloud service providers who offer their solutions to hospitals, other healthcare providers or for data transmission between the parties involved, for example. The aim is to counter the IT security and cyber risks associated with digitisation.

      What is the BSI C5?

      With its Cloud Requirements Catalogue (BSI C5), the Federal Office for Information Security (BSI) has established uniform criteria against which cloud service providers can align their internal control systems. The 13 sub-areas of the requirements catalogue cover not only "classic" IT security topics such as information security organisation, cryptography and physical security, but also topics such as portability, the handling of investigation requests and product security. Cloud service providers can have the conformity of their cloud offerings with the BSI C5 criteria confirmed by an auditing firm after a successful audit. The corresponding audit covers a defined observation period and must therefore be repeated regularly (a so-called Type 2 audit, as opposed to a Type 1 audit, which assesses the design of the controls at a single point in time).

      The requirement for a successful audit already applies.

      According to the Digital Act, data processing agencies (IT service providers) must provide proof of a current BSI C5 Type 1 certificate from 30 June 2024 and of a current BSI C5 Type 2 certificate from 1 July 2025. Proof of successful certification is therefore a prerequisite for continued service provision in the healthcare sector.

      No BSI C5 certification yet? Here's what you should do now as a cloud service provider

      Early preparation helps to avoid delays and to maintain service levels for clients. However, we also know from experience that an initial audit can be very time-consuming: first, the cloud offering must be presented in a verifiable system description. In addition, the assessment requires that IT controls based on the requirements catalogue have already been derived, implemented and documented over the observation period (also called the performance period). If necessary, a preliminary analysis is required to determine the current maturity level of the controls and to identify any areas for improvement. As a result, the preparation and the subsequent assessment can quickly take several months.

      You should therefore obtain a comprehensive overview of the current status and scope of your existing audits and certificates. The BSI C5 criteria catalogue overlaps in many areas with widely used audits such as ISO 27001 or SOC 2, so it can easily be combined with comparable IT security standards.

      KPMG can support you in identifying areas for action through the targeted evaluation of your control coverage and can also audit your internal control system according to the BSI C5 criteria. Please feel free to contact our experts.


      Download now (in German)

      C5-Testate im Gesundheitswesen – Was Cloud-Anbieter jetzt wissen und umsetzen müssen



      The white paper shows how you can address regulatory risks and position yourself as a pioneer.
