
      With the upcoming version C5:2025 of the criteria catalogue, which is currently available as a community draft, the German Federal Office for Information Security (BSI) is setting new standards for the assessment of cloud security. Compared to the 2020 version, the catalogue will be significantly expanded - both in terms of content and structure.

      The new requirements will come into force for audit periods from 1 January 2027. Early implementation is strongly recommended, especially for cloud providers that offer their services in regulated or security-critical markets.

      Extended criteria structure: stricter requirements for greater security

      The new catalogue distinguishes between two groups of additional criteria:

      • Additional Sharpening: These criteria tighten existing requirements, for example through higher technical standards, tighter tolerances or stricter verification requirements.
      • Additional Complementing: These points add new content to existing criteria, for example on technologies or governance aspects that were not previously covered.

      This differentiation allows for more targeted adjustments to different protection needs and industry-specific requirements. The Basic Criteria continue to describe the minimum level of requirements to be fulfilled by the cloud service provider.

      Extensive catalogue of criteria

      At 169 criteria, the catalogue of criteria in Community Draft C5:2025 is significantly more extensive than its predecessor with 121 criteria. A more detailed analysis reveals the following:

      • The Community Draft C5:2025 continues to have the 17 categories already known under BSI C5:2020. Only the Identity and Access Management category (previously abbreviated as IDM) is now also shown in abbreviated form as "IAM".
      • In total, 37 of the criteria IDs from the BSI C5:2020 criteria catalogue have been assigned new or amended titles in the current Community Draft, but in many cases these are reformulations and/or concretisations of issues already known from BSI C5:2020.
      • A particular focus was placed on the expansion of the categories Procurement, Development and Modification of Information Systems (DEV), Cryptography and Key Management (CRY), Operations (OPS) and Asset Management (AM), as the following graphical analysis shows.

      Verifiability and auditing

      The structure of the criteria has also been refined. The introduction of sub-criteria and the systematic separation of basic and additional requirements make implementation easier to audit. As a result, the audit report must in future provide detailed evidence of which requirements have been met and how, how deviations have been dealt with, and how subcontractors (e.g. data centres) are involved.

      New catalogue of criteria applies from 2027

      C5:2025 will develop into an even more comprehensive standard in the future. For cloud providers, this means more documentation as well as increased time and labour costs. Customers will benefit from greater transparency and better comparability.

      In view of the mandatory introduction from 2027, providers and customers should start implementation now. The transition requires adjustments at a technical, organisational and contractual level - and will play a central role in future tenders and certifications. Those who act early will position themselves as a trustworthy partner in the market.

      Our experts can advise you on questions and support you in preparing for the new BSI C5 regulations. Please feel free to contact us.

      Background:

      The Cloud Computing Compliance Criteria Catalogue (C5) of the German Federal Office for Information Security (BSI) defines minimum requirements for the security of cloud services. The catalogue serves as a guide for the selection of cloud services and is aimed at professional cloud providers as well as their auditors and customers.
