BSI C5 Type 2 Attestation: Mandatory in the Healthcare Sector

BSI C5 (Cloud Computing Compliance Criteria Catalogue) is a catalog of criteria from the German Federal Office for Information Security (BSI) that defines the minimum requirements for secure cloud computing. A C5 Type 2 attestation is considered the best proof of effective security management in the cloud. In the healthcare sector, for example, such a BSI C5 Type 2 attestation will be required from July 1, 2025. Providers of SaaS solutions in the healthcare sector will then also have to meet these requirements.

Because Arvato Systems is C5 Type 2 attested, it can continue to pave the way to cloud-based offerings for these software manufacturers - as a German provider.

The BSI's C5 criteria catalog specifies minimum requirements for secure cloud computing and is primarily aimed at professional cloud providers, their auditors, and their customers. The BSI first published its C5 catalog in 2016 and fundamentally revised it in 2019. An important aim of C5 is to support cloud customers in their risk management and provide them with guidance when selecting suitable cloud technologies and partners. BSI C5 is fundamentally aimed at all types of cloud service models, be they Software-as-a-Service (SaaS), Platform-as-a-Service (PaaS), or Infrastructure-as-a-Service (IaaS) services. At the same time, this means that a cloud computing workload can only be C5-compliant if all three provider companies involved - software manufacturer, cloud service provider, and cloud provider - have the corresponding C5 attestation.

The C5 catalog is divided into a total of 17 control areas with more than 100 requirements. The most important of these control areas and requirements include:

• Organization of information security: Defined roles and responsibilities, security guidelines, Information Security Management System (ISMS)
• Personnel management: Employee security checks, training, and awareness
• Access control: Access only according to the "need to know" principle, multi-factor authentication
• Cryptography: Strong encryption for data transmission and storage, as well as key management
• Physical security: Access controls to data centers and video surveillance
• Operational security: Patch management, logging, and security incidents are documented and handled
• Communication security: network segmentation, encrypted connections, protection against man-in-the-middle attacks
• Supplier relationships: Security requirements for subcontractors, such as IaaS and platform providers
• Cloud-specific requirements: separation of clients (multi-tenancy), control over data storage location,s and interface security
• Compliance and audit: Traceability of all measures, support for audits, C5 testing by an auditor or inspection body.

If a cloud service provider wishes to receive a full C5 attestation, an external audit by a certified auditing company is required. In this context, it is important to note that the BSI distinguishes between two different categories of attestation in its C5 catalog: a type 1 "audit and reporting" and a more stringent type 2. Arvato Systems has a type 2 C5 attestation for its data centers, which was carried out by the auditing firm HLB Stückmann, Bielefeld. While a C5 type 1 certificate confirms that a cloud provider generally follows the methodology of the BSI C5 catalog, a C5 type 2 certificate proves that this company has actually implemented C5 effectively. The C5 catalog explicitly states: "In the opinion of the BSI, Type 2 testing and reporting is required to generate an appropriate level of significance." The BSI also expressly emphasizes that a BSI C5 attestation is not a BSI C5 certificate, as the BSI itself does not act as a certification body for auditors. The reliability of a C5 attestation, therefore, only depends on the auditor. However, the C5 catalog explicitly requires that the auditing company must be certified in accordance with the IDW PS 880 or ISAE 3000 auditing standards.

C5 testing is playing a role in more and more industries and regulatory contexts, with the trend clearly moving away from C5 type 1 testing and towards type 2 testing.

• Federal authorities have been obliged since 2020 to apply the C5 criteria when using cloud services as a minimum standard in accordance with Section 8 BSIG (German Federal Office for Information Security Act) - the type 1 certificate is mandatory for providers, although a type 2 certificate is preferred.
• In the healthcare sector, a BSI C5 Type 1 certificate was still sufficient until June 30, 2025 - but this will no longer be the case from July 1, 2025. The reason for this is Section 393 SGB V (Fifth Book of the German Social Code), which regulates the use of the cloud in the healthcare sector and the processing of social and health data. Paragraph 4 explicitly requires a current C5 Type 2 certificate or a corresponding certificate that is at least equivalent to the C5 standard. This applies to all cloud computing services that are used to process social and health data and that are used by health insurance funds and their associations, as well as the health insurance funds' service providers, such as doctors and pharmacies, or their associations.
• It is well known that critical infrastructure operators (KRITIS) are also subject to special obligations due to a whole range of laws and regulations. It can be assumed that ensuring state-of-the-art IT security means that KRITIS companies may only use cloud computing services that are certified in accordance with C5 Type 2. Incidentally, cloud service providers themselves can also be classified as KRITIS companies. In this case, they are obliged under Section 8a BSIG to provide evidence of relevant audits and certifications anyway, and not just with regard to the requirements of their customers. One thing is certain: In the KRITIS context, a certificate in accordance with BSI C5 Type 2 is practically indispensable for cloud providers.

There are now a variety of requirements and factors that necessitate the use of cloud computing, which often includes the technical capabilities of hyperscalers. However, in strictly regulated industries in particular, the need for compliance can pose a certain challenge. Although a cloud provider such as Amazon Web Services (AWS) has had a BSI C5 attestation since 2016, and currently even a Type 2 certificate, it is limited to certain German regions such as Frankfurt. It is also important to note that a type 2 C5 certificate must be renewed annually in order to remain valid.

If companies from a strictly regulated industry, such as healthcare, want to retain maximum IT security, data security, cloud sovereignty, and control, it may make sense to transfer at least parts of their workloads to a German AWS partner with its own data center and current C5 Type 2 attestation. In such a model, for example, the lion's share of the workloads could remain with AWS, while security-critical backups are run specifically in the data center of the German AWS partner.