
      The final version of BSI C5:2026 has been published. The new version of the criteria catalogue replaces the current standard C5:2020. The German Federal Office for Information Security (BSI) is thus setting new standards for the assessment of cloud security. Compared to the 2020 version, the catalogue has been significantly expanded both in terms of content and structure.

      The new requirements will become binding for assessment periods from 1 June 2027. Adoption of the new criteria is already permitted before the effective date. Early implementation is strongly recommended, especially for cloud providers that offer their services in regulated or security-critical markets.

      Examples of this include, in particular:

• the financial sector (e.g. banks, insurance companies),
• the healthcare sector (e.g. hospitals, health insurance funds, digital health applications),
• public administration and providers in the field of e-government,
• operators and suppliers of critical infrastructure (KRITIS), for example in the energy, water, transport or telecommunications sectors.

      Inclusion of current regulatory developments

      The development of the new criteria catalogue was based in particular on the requirements of the announced European Cybersecurity Certification Scheme for Cloud Services (EUCS). The CSA Cloud Controls Matrix, the current ISO/IEC 27001 standard and the provisions of the Network and Information Security Directive 2 (NIS2) were also taken into account. This is intended to ensure a high level of compatibility between the applicable standards.

      Background:

      The Cloud Computing Compliance Criteria Catalogue (C5) of the German Federal Office for Information Security (BSI) defines minimum requirements for the security of cloud services. The catalogue serves as a guide for the selection of cloud services and is aimed at professional cloud providers as well as their auditors and customers.


      Stronger structuring of the criteria

Based on the EUCS, the criteria in the new C5 standard are now divided into clearly defined sub-criteria. This is intended to allow a more precise mapping to the cloud providers' controls. A distinction is made between the Basic Criteria, which continue to represent the minimum requirements to be met, and the Additional Criteria, which can be met voluntarily.

      The additional criteria are further subdivided into additional sharpening, which sets stricter specifications for existing requirements, and additional complementing, which covers complementary areas. This distinction allows for more targeted adjustments to different protection needs and industry-specific requirements.


      As a result, the audit report must in future provide detailed evidence of which requirements have been met and how, how deviations have been dealt with and how subcontractors (e.g. data centres) are involved.

      Extensive catalogue of criteria

      With 168 criteria, the BSI C5:2026 catalogue of criteria is significantly more extensive than its predecessor with 121 criteria. As can be seen in the diagram below, the new criteria are spread across several control areas.

      New criteria have been added and changes have been made to the titles and control descriptions of existing criteria. Some of these changes are of a more formal nature and are due to rewording. In some cases, the content of criteria has been adapted and new sub-criteria have been added or existing ones specified.

      Significant changes relate to the following topics, among others:

      • All in all, more comprehensive process documentation is required. This includes guidelines and standards that were previously not required as well as additional requirements for the content of guidelines.
• For dealings with external organisations, increased transparency and control are required, particularly in the area of data processing.
• With the increasing establishment of home office arrangements at companies, the associated security risks are now also reflected in the C5 standard.
      • In addition, the topic of key management has been significantly expanded in the new version. While there are only two controls in the previous version, the topic has been expanded to 14 controls in the new standard.
      • In the area of operations (OPS), the focus is placed on secure processing and operational procedures. This will be further expanded by new controls on the topics of patch management, confidential computing and container management.

      New catalogue of criteria will apply from June 2027

      C5:2026 will develop into an even more comprehensive standard in the future. For cloud providers, this means more clarity in mapping, but also more testing effort. Customers benefit from greater transparency and better comparability.

      In view of the mandatory introduction from 1 June 2027, providers and customers should start implementation now. The transition requires adjustments at a technical, organisational and contractual level and will play a central role in future tenders and certifications. Those who act early will position themselves as a trustworthy partner in the market.

      Our experts will advise you on questions and support you in preparing for the new regulations. Please feel free to contact us.
