BSI C5 2026 is published!
With the BSI C5 2026, Germany’s Federal Office for Information Security has released the next generation of its criteria catalogue for secure cloud computing. The new edition replaces the C5:2020 version, integrates current threats such as post-quantum risks, and establishes a closer alignment with the European Cybersecurity Certification Scheme for Cloud Services (EUCS). For regulated industries, the bar for secure cloud services has been raised noticeably.
What the BSI C5 2026 delivers
The Cloud Computing Compliance Criteria Catalogue has been Germany’s most important security standard for cloud providers and cloud users since 2016. It translates complex security requirements into auditable criteria and creates comparability between providers. C5 audits are carried out by certified public auditors who, after a successful examination, attest that a cloud provider meets the defined security criteria.
With the publication of the BSI C5 2026, the agency takes the technological developments of recent years into account. In terms of content and structure, the catalogue is closely aligned with the work on the European certification scheme EUCS and can in parts be read as its German interpretation. The current versions of the CSA Cloud Controls Matrix v4, ISO/IEC 27001:2022, and the NIS2 Directive were also taken into consideration.
New topics in the criteria catalogue
Three subject areas are addressed explicitly for the first time in the BSI C5 2026. Container management receives significantly more detailed requirements than in the previous version, reflecting a technology that has long become standard in modern cloud architectures. Confidential computing is anchored as an independent subject area, closing a gap that previous audit catalogues had barely been able to capture.
Particular attention should be paid to the inclusion of post-quantum cryptography. Chapter 5.8 contains comprehensive requirements for effective encryption, including the use of hybrid procedures intended to harden algorithms that are expected to become too weak. With this, the BSI is responding to a development that will become operationally relevant for many cloud providers only in the coming years, but for which preparation must begin today.
Existing topics have been sharpened. Multi-tenancy separation and supply chain management are addressed more specifically than before. Classic areas such as the protection of customer data and incident management also remain a fixed component of the catalogue.
Structural changes and machine readability
Structurally, the catalogue has been significantly revised. C5 criteria now consist of distinct sub-criteria. Additional criteria are classified according to whether they sharpen existing basic criteria with stricter requirements or complement them with new requirements. This differentiation is intended to make auditing, mapping, and evaluation easier.
An important innovation will follow shortly: the catalogue will be made available in a machine-readable format for the first time, with YAML, XLSX, and PDF planned in both German and English. This will simplify its use within governance, risk, and compliance processes and create a common language for how cloud security is described, audited, and assessed. For the automation of audit processes and the integration into existing compliance platforms, this is a central step.
Relevance for regulated industries
For many sectors, a C5 attestation is less a voluntary distinction than a de facto market access requirement. In the digital healthcare sector, a Type 2 attestation has been mandatory since July 2025 whenever patient data is processed in a cloud environment. The C5 also serves as a key standard in the banking sector, in digital financial services, and for government bodies.
The effort required for a formal attestation remains high. The audit is extensive and cost-intensive, making it primarily feasible for established providers. For smaller and mid-sized cloud providers, the hurdle remains, even though the machine-readable provision of the catalogue may help reduce manual effort in the long run.
In addition to the security criteria described in the C5, the BSI plans to publish general sovereignty criteria for cloud computing solutions in the near future. This will create a second framework that addresses not only security questions but also aspects of digital sovereignty.
Recommendations for cloud providers and users
Cloud providers should carry out a gap analysis between their current setup and the requirements of the BSI C5 2026 at an early stage. Particular attention should be paid to the new subject areas of container management, post-quantum cryptography, and confidential computing, as these are where the largest gaps in existing environments are to be expected. Supply chain processes should also be reviewed, since the sharpened criteria call for stricter evidence regarding the security of subcontractors.
Cloud users should examine, in ongoing procurement procedures, whether existing C5:2020 attestations from their providers include a credible roadmap for the transition to the new catalogue. Information security officers should incorporate the catalogue into internal risk assessments at an early stage, particularly where regulatory requirements such as NIS2, DORA, or healthcare-sector obligations apply.




