
BSI C5 Type 2 Attestation: Mandatory in the Healthcare Sector

Type 2 - also for KRITIS and authorities

BSI C5 Type 2 Attestation Are Becoming Increasingly Important for Cloud Computing
08.05.2025
Cloud
Amazon Web Services
Managed Services
Security

BSI C5 (Cloud Computing Compliance Criteria Catalogue) is a catalog of criteria from the German Federal Office for Information Security (BSI) that defines the minimum requirements for secure cloud computing. A C5 Type 2 attestation is considered the strongest available evidence that a provider's security management in the cloud is effective in practice. In the healthcare sector, for example, a BSI C5 Type 2 attestation will be required from July 1, 2025, and providers of SaaS solutions for the healthcare sector will then also have to meet these requirements.


Because Arvato Systems is C5 Type 2 attested, it can continue to pave the way to cloud-based offerings for these software manufacturers - as a German provider.

The BSI's C5 criteria catalog specifies minimum requirements for secure cloud computing and is primarily aimed at professional cloud providers, their auditors, and their customers. The BSI first published its C5 catalog in 2016 and fundamentally revised it in 2019. An important aim of C5 is to support cloud customers in their risk management and to give them guidance when selecting suitable cloud technologies and partners. BSI C5 applies to all cloud service models, whether Software-as-a-Service (SaaS), Platform-as-a-Service (PaaS), or Infrastructure-as-a-Service (IaaS). In practice, this means that a cloud workload can only be C5-compliant if every provider in its delivery chain holds a corresponding C5 attestation: the software manufacturer offering the SaaS, the company operating the platform or managed service, and the underlying infrastructure provider.

C5 Control Areas and C5 Requirements

The C5 catalog is divided into a total of 17 control areas with more than 100 requirements. The most important of these control areas and requirements include:

  • Organization of information security: Defined roles and responsibilities, security guidelines, Information Security Management System (ISMS)
  • Personnel management: Employee security checks, training, and awareness
  • Access control: Access only according to the "need to know" principle, multi-factor authentication
  • Cryptography: Strong encryption for data transmission and storage, as well as key management
  • Physical security: Access controls to data centers and video surveillance
  • Operational security: Patch management, logging, and security incidents are documented and handled
  • Communication security: network segmentation, encrypted connections, protection against man-in-the-middle attacks
  • Supplier relationships: Security requirements for subcontractors, such as IaaS and platform providers
  • Cloud-specific requirements: separation of clients (multi-tenancy), control over data storage locations, and interface security
  • Compliance and audit: Traceability of all measures, support for audits, C5 testing by an auditor or inspection body.

A C5 Attestation Is Not a Certificate

If a cloud service provider wishes to receive a full C5 attestation, an external audit by a qualified auditing firm is required. In this context, it is important to note that the BSI distinguishes between two categories of attestation in its C5 catalog: a Type 1 "audit and reporting" and a more stringent Type 2. Arvato Systems holds a Type 2 C5 attestation for its data centers, issued after an audit by the auditing firm HLB Stückmann, Bielefeld. While a C5 Type 1 attestation confirms that a cloud provider's security measures are designed in line with the BSI C5 catalog, a C5 Type 2 attestation proves that the provider has actually implemented those measures effectively. The C5 catalog explicitly states: "In the opinion of the BSI, Type 2 testing and reporting is required to generate an appropriate level of significance." The BSI also expressly emphasizes that a BSI C5 attestation is not a BSI C5 certificate, as the BSI itself does not act as a certification body and does not accredit the auditors. The reliability of a C5 attestation therefore rests on the auditor. However, the C5 catalog explicitly requires that the audit be performed by a qualified auditor in accordance with the IDW PS 880 or ISAE 3000 auditing standards.

The BSI C5 Type 1 attestation...

  • focuses primarily on the technical and organizational design of the cloud provider's IT security measures
  • is a point-in-time assessment that relies largely on the provider's own system description and documentation
  • checks whether concepts, agreements, and processes are in place that meet the IT security requirements of the C5 catalog
  • is therefore less meaningful as evidence that the security measures actually work in operation
  • is no longer sufficient, now or in the near future, to meet the regulatory requirements for secure cloud computing in some sectors, for example in the critical infrastructure (KRITIS) and healthcare sectors.

The BSI C5 Type 2 attestation...

  • examines in particular the operating effectiveness of the measures the cloud provider has implemented against the requirements of BSI C5
  • includes an in-depth review by a qualified auditor, which takes about three months
  • checks the effectiveness of the C5 security controls and their consistent application over a defined period, not just at a single point in time
  • includes spot checks of technology, management processes, and personnel
  • is already practically indispensable for KRITIS organizations and becomes a mandatory criterion for companies in the healthcare sector from July 2025 when choosing a provider of SaaS, PaaS, or IaaS services.

Where Regulatory Requirements Make the C5 Type 2 Attestation Necessary

C5 audits play a role in more and more industries and regulatory contexts, and the trend is clearly moving away from Type 1 and towards Type 2.

  • Federal authorities have been obliged since 2020 to apply the C5 criteria as a minimum standard when using cloud services, in accordance with Section 8 BSIG (German Federal Office for Information Security Act). A Type 1 attestation is mandatory for providers; a Type 2 attestation is preferred.
  • In the healthcare sector, a BSI C5 Type 1 attestation was sufficient until June 30, 2025, but this is no longer the case from July 1, 2025. The reason is Section 393 SGB V (Fifth Book of the German Social Code), which regulates the use of the cloud in the healthcare sector and the processing of social and health data. Section 393(4) explicitly requires a current C5 Type 2 attestation, or a certificate that is at least equivalent to the C5 standard. This applies to all cloud computing services used to process social and health data by health insurance funds and their associations, as well as by the service providers of the health insurance funds, such as doctors and pharmacies, or their associations.
  • Critical infrastructure operators (KRITIS) are, as is well known, subject to special obligations under a whole range of laws and regulations. It can be assumed that ensuring state-of-the-art IT security means that KRITIS companies may only use cloud computing services attested in accordance with C5 Type 2. Incidentally, cloud service providers themselves can also be classified as KRITIS companies. In that case, they are obliged under Section 8a BSIG to provide evidence of relevant audits and certifications anyway, regardless of their customers' requirements. One thing is certain: in the KRITIS context, a BSI C5 Type 2 attestation is practically indispensable for cloud providers.

How the Public Cloud Can Also Be Used in Compliance with C5

There are now a variety of requirements and factors that necessitate the use of cloud computing, which often means drawing on the technical capabilities of hyperscalers. In strictly regulated industries in particular, however, the need for compliance can pose a real challenge. Although a cloud provider such as Amazon Web Services (AWS) has held a BSI C5 attestation since 2016, and currently a Type 2 attestation, that attestation is limited to certain regions, such as Frankfurt, so customers must check that the regions they actually use are in scope. It is also important to note that a C5 Type 2 attestation covers a defined reporting period and must therefore be renewed annually to remain valid.


If companies in a strictly regulated industry such as healthcare want to retain maximum IT security, data security, cloud sovereignty, and control, it may make sense to move at least part of their workloads to a German AWS partner that operates its own data center and holds a current C5 Type 2 attestation. In such a model, for example, the bulk of the workloads could remain with AWS, while security-critical backups are deliberately run in the German AWS partner's data center.

The Greatest Possible Flexibility in Cloud Operation Thanks to Arvato Systems


Arvato Systems, for example, is now an AWS Premier Tier Services Partner and has long taken on cloud migration, cloud integration, and cloud managed services for German customers. At the same time, we operate our own German data centers with BSI C5 Type 2 attestation. For software providers in the healthcare sector, this means that we can offer a SaaS deployment model in the AWS public cloud, at the US hyperscaler, while also taking over operation of the particularly security-critical parts of their system in our German data center. Such a model is conceivable for hospital information systems, which are still mostly operated on-premises. The distributed cloud operating model described here allows a software manufacturer to offer its system as SaaS, and as far as possible in the public cloud, while a German provider expressly guarantees conformity with C5 Type 2.

Always exactly the BSI C5 compliance you need

At Arvato Systems, we give you the greatest possible freedom of choice when it comes to the C5-compliant operation of your workloads: completely on a US hyperscaler such as AWS or Azure, in hybrid models or completely in our own German data centers. We also give you the option of simply migrating between these scenarios should a new assessment of the situation require it. With our support, your cloud computing is always future-proof. We always offer you exactly the C5 compliance that is required in your individual case, including C5 Type 2 attestation. Please feel free to contact us.


Written by

Kevin Christopher Fechtel
Expert for Amazon Web Services