AuditXYZ

Cloud Computing Compliance Criteria Catalogue (C5)

C5 is the German BSI's cloud computing compliance criteria catalogue. This guide covers the 17 control domains, Type 1 and Type 2 reports, and how C5 attestation supports German and EU cloud markets.

Issuing Body: German Federal Office for Information Security (BSI)
First Published: 2016-02-01
Latest Version: C5:2020
Typical Cost: $50,000–$250,000
Typical Timeline: 4–12 months
Audit Required: Yes
Audit Frequency: Annual audit by an independent auditor. Type 2 reports cover a minimum observation period of 6 months.
Geography: Germany, European Union

C5: Germany BSI Cloud Computing Compliance Guide

The Cloud Computing Compliance Criteria Catalogue (C5) is the German Federal Office for Information Security (BSI) standard for assessing the security of cloud services. C5:2020 defines minimum security requirements that cloud providers must meet to serve German government agencies and is increasingly expected by German enterprises. The standard has gained recognition across the European Union as a robust cloud security assessment framework.

What C5 Covers

C5:2020 includes 17 control domains with 121 basic criteria and additional criteria for handling highly confidential data. Domains cover organizational security, personnel, asset management, physical security, operational security, identity and access management, cryptography, communication security, portability, procurement, compliance, and incident management.

A distinctive feature of C5 is its transparency requirements — cloud providers must disclose environmental parameters including data center locations, jurisdiction, certifications, and technical details about their infrastructure. This enables customers to make informed risk assessments about the cloud service.

Who Needs C5 Attestation

C5 is required for cloud services used by German federal agencies and is increasingly expected by German state governments and regulated industries. German financial institutions subject to BaFin oversight often require C5 attestation from cloud providers. Any cloud provider targeting the German public sector or enterprise market benefits from C5 attestation. Major cloud providers including AWS, Azure, and Google Cloud have obtained C5 attestation.

Implementation Approach

C5 assessments follow a structure similar to SOC 2, with Type 1 (design adequacy at a point in time) and Type 2 (operating effectiveness over a period) reports. Begin with a gap assessment against C5 criteria. Implement required controls and environmental parameters. Engage an independent auditor to conduct the assessment. Type 2 reports require a minimum six-month observation period.

Cost Considerations

C5 attestation typically costs $50,000 to $250,000 depending on scope and report type. Organizations with existing ISO 27001 certification or SOC 2 reports find significant overlap, reducing incremental effort. The investment provides access to the German cloud market — the largest in Europe — and increasingly serves as a differentiator across EU markets.