BSI C5:2026: Making Cloud Security Provable
The BSI's Cloud Computing Compliance Criteria Catalogue (C5) has been Germany's leading security standard for cloud services since 2016. In April 2026, the BSI published the third generation, C5:2026 — it replaces C5:2020 and now comprises 168 criteria across 17 topic areas. This page explains what the C5 is, who needs a C5 attestation (and who does not), what changed with C5:2026, and how to prepare for the criteria with Sightadel — without setting up an advisory project around every audit cycle.
What Is the BSI C5?
The C5 is a criteria catalog issued by Germany's Federal Office for Information Security (BSI). It defines minimum information security requirements for cloud services and makes the security level of different providers comparable.
Importantly, the C5 is not a classic BSI certificate. Compliance with the criteria is attested by independent auditors under the international assurance standard ISAE 3000. The result is a C5 attestation report that cloud customers request and evaluate.
There are two assurance types:
- Type 1 (design assessment): The auditor confirms that the security measures are appropriately designed as of a specific date.
- Type 2 (operating effectiveness): The auditor additionally confirms that the measures operated effectively over a period of time. Type 2 is the more meaningful variant and is increasingly required in regulated sectors.
Who Is a C5 Attestation Relevant For — and Who Not?
C5 is relevant for you if …
… you provide cloud services and need to demonstrate trust and comparability in the German or European market. In several sectors, a C5 attestation is effectively a market-entry requirement:
- Healthcare: Since July 2025, a C5 Type 2 attestation has been mandatory for cloud services that process patient data (Section 393 SGB V / DigiG).
- Public administration: For cloud procurement by German federal authorities, the C5 is de facto mandatory.
- Financial sector: The C5 attestation is recognized as complementary evidence for ICT risk management requirements under DORA.
… or if you consume cloud services and need to assess the security level of your providers in a structured way as part of your own risk management.
C5 is probably not directly relevant for you if …
… your organization does not offer cloud services and does not procure cloud for regulated or particularly sensitive data. For purely locally operated IT with no cloud involvement, the C5 plays no immediate role.
The same caveat applies here: if you are part of a cloud supply chain as a supplier or subprocessor, your clients may still require C5 evidence from you.
What Changed with C5:2026?
C5:2026 builds on C5:2020 but responds to six years of technological and regulatory change. The key updates:
- More criteria, new structure. 168 instead of 121 criteria, now with clearly delineated subcriteria that are easier to map to internal controls.
- New topic areas. Addressed specifically for the first time: container management, confidential computing, and post-quantum cryptography.
- Tightened requirements. Among others, tenant separation, supply chain management, and identity & access management were made stricter (with an explicit reference to zero-trust models).
- European compatibility. C5:2026 is aligned with the European certification scheme EUCS (Substantial level) and takes ISO/IEC 27001:2022, the CSA Cloud Controls Matrix v4, and NIS2 into account.
- Differentiated additional criteria. Additional criteria are now distinguished into "sharpening" and "complementing."
A transition period applies to existing C5:2020 attestations: C5:2026 is expected to become binding for new Type 2 assessment periods from June 2027.
The Typical Challenge in C5 Preparation
A C5 audit is extensive and cost-intensive. In preparation, we see three recurring problems:
- Evidence scattered across teams and tools. The evidence for 168 criteria lives in tickets, wikis, emails, and spreadsheets. The auditor asks for it — and the search starts over every time.
- Annual effort instead of ongoing readiness. For Type 2 attestations, effectiveness must be demonstrated across the entire period. Organizations that only start collecting shortly before the audit end up with gaps.
- Version jump as a project risk. Moving from C5:2020 to C5:2026 means delta work. Without a clean mapping of existing measures, it turns into a fresh start.
How Sightadel Simplifies C5 Preparation
Sightadel is the compliance portal within the Pervigon Security Suite. It represents C5:2026 as a structured criteria catalog to which you assign measures, owners, and evidence — with a completion status you can retrieve at any time.
C5 with Sightadel in Practice
- Map. Assign existing measures to the 168 C5:2026 criteria. Result: an initial completion status per topic area.
- Close gaps. Gap analysis, a prioritized action plan with owners and deadlines — focused on the new topics (containers, confidential computing, post-quantum).
- Maintain evidence. Attach evidence on an ongoing basis, document effectiveness across the Type 2 period.
- Support the attestation. Provide the auditor with the required state in a structured way.
C5 Readiness as a State, Not an Annual Project
A C5 attestation is not a one-off event but a recurring proof. Sightadel keeps your completion status continuously current — across version changes, auditable, and without every audit triggering a new project.