What is the C5 certificate?

The introduction of the C5 certificate by the German Federal Office for Information Security (BSI) has created a central standard for information security and data protection in German cloud computing.

Especially for the public sector, for municipalities, federal states and the federal government as well as for companies in the healthcare sector, the C5 certificate is a decisive proof: It guarantees that cloud providers meet the highest standards for the protection of sensitive data and the security of information - and that they only apply current criteria that are recognized in Germany.

The C5 certificate stands for tested security, transparency and reliability in cloud services. It offers public clients and health companies a clear advantage: the selection and awarding of a cloud service is made easier by comprehensible test reports and the disclosure of relevant information. Compared to other certificates, the C5 certificate specifically focuses on German standards and thus creates trust in the security and protection of the processed data.

Added value for the public sector and health

The secure processing and storage of large volumes of data is essential for public authorities, local authorities and companies in the healthcare sector. The C5 certificate helps them to comply with legal requirements and ensure information security for all cloud services. This means that citizens, patients and customers all benefit from modern, secure and reliable digital services.

• BSI: The BSI (German Federal Office for Information Security) is the central German authority for IT and cloud security. It develops guidelines, audits cloud providers and publishes the C5 criteria catalog as a benchmark for secure cloud services in Germany.
• C5 criteria catalog: The BSI's Cloud Computing Compliance Criteria Catalog (C5) defines over 100 binding specifications for information security, data protection and compliance for cloud services. It is the basis for the C5 certification of cloud providers.
• C5 certificate: The C5 certificate is an independent test certificate that confirms that a cloud provider meets the strict C5 requirements of the BSI. It creates transparency and trust for companies, authorities and customers.
• Certificate types: Type 1 checks compliance with the C5 criteria on a specific key date, type 2 over a longer period (usually 6 to 12 months). Both variants serve as proof of the security and reliability of cloud services.
• Compliance and transparency: The C5 certificate documents that a cloud provider consistently complies with legal, regulatory and internal requirements. It offers customers a clear overview of security measures and compliance with current standards.
• Basic protection: Basic security measures that are considered the lower limit for secure cloud operations - often based on the BSI's IT baseline protection.

STACKIT not only meets the formal requirements of the C5 certificate - it also creates real added value for companies, authorities and organizations. The following advantages show why working with STACKIT is worthwhile.

• Security made in Germany: STACKIT fulfills the current C5 criteria of the BSI. This means the highest standards of data protection, information security and compliance - tested and documented.
• Full transparency: Customers gain insight into security measures and test reports. This creates trust and makes their own compliance work easier.
• Legal and future security: With STACKIT, companies and authorities not only meet current legal and regulatory requirements, but also those of the future.
• Support from experts: The experienced STACKIT team supports you in every phase - from consulting to implementation and ongoing operation.
• Scalable cloud solutions: The STACKIT portfolio includes powerful services that can be flexibly tailored to individual requirements.
• Data sovereignty through location advantage: Data processing takes place exclusively in German data centers in accordance with German law. Compliance with the C5 guidelines is a key selection criterion, especially for projects in the public sector and for the federal government.

The BSI's C5 certificate is regarded as the authoritative standard for assessing cloud security in Germany. It defines binding guidelines in various control areas - from technical security measures to organizational processes. The underlying catalog of criteria covers all relevant aspects for trustworthy cloud operations.

The focus is on the following areas, among others

• Risk management: This involves systematically identifying and evaluating potential risks within the cloud infrastructure and defining suitable measures to mitigate these risks. The aim is to deal with security-related vulnerabilities in a transparent and comprehensible manner.
• Operational security: The secure and stable operation of cloud services is ensured by defined processes for controlling, monitoring and documenting the IT systems. These include regular system checks, emergency plans and a clear allocation of roles in the operating team.
• Access and identity management: It is ensured that only authorized persons can access systems and data. This includes the management of user accounts, roles and authorizations as well as multi-factor authentication.
• Data encryption: Sensitive information is protected using the latest cryptographic methods - both during transmission and storage. The selection of procedures is based on recognized security standards.
• Incident management: In the event of security incidents, processes must be defined to quickly identify, report and process events. This also includes analyzing causes and implementing preventive measures.
• Compliance and transparency: All security-relevant processes and measures are fully documented. This documentation forms the basis for internal controls and external evidence for customers, supervisory authorities and auditors.
• Availability and reliability: The aim is to ensure a high level of operational readiness of the cloud services - even in the event of disruptions or attacks. To this end, technical and organizational measures such as redundancies, backups and emergency tests are implemented.
• Regular updating of the catalog: The C5 criteria catalog is continuously developed by the BSI. This means that new threat scenarios and technological developments are taken into account promptly - for example in the areas of AI, remote work or zero trust.

We offer you audited cloud services that meet the highest security and compliance requirements.

• Choose your cloud provider carefully: When selecting your cloud partner, make sure they have a current C5 audit certificate - ideally type 2. This provides the most comprehensive proof of ongoing compliance with security requirements.
• Check the certificate regularly: Ask to see the valid C5 certificate and - if available - the associated test report. This will give you clarity about the current security status of the service provider and possible restrictions.
• Use C5 as part of your compliance strategy: Integrate the C5 test certificate specifically into your own risk analysis. It provides reliable information for audits, documentation and internal review processes.
• Don't forget your duty to cooperate: Customers also have responsibilities - for example in the secure configuration of services, in access management or in the selection of suitable protection mechanisms.
• Involve support from STACKIT: The STACKIT team is experienced and available to advise you - from implementation to compliance documentation. This allows you to meet all requirements efficiently and proactively.
• Combine security modules: Supplement C5-certified cloud services with additional measures such as ISO certifications, zero-trust architectures or backup solutions. This increases protection and strengthens your overall strategy.

Our tip: The BSI offers further information and topics relating to cloud computing standards on its website.

The C5 certificate is the binding benchmark for a secure, trustworthy and legally compliant cloud service in Germany - and is therefore a key selection criterion, especially for the public sector and regulated industries such as healthcare.

With STACKIT, you are choosing a cloud provider that not only fulfills the current C5 objectives, but also accompanies you competently and in partnership on your way to the secure cloud - from implementation to support.

What is the difference between the different types of certificate?

Type 1 confirms that the requirements were met at the time of the audit (key date audit). Type 2 goes further and proves that the requirements have been consistently met over a longer period of time - usually 6 to 12 months.

Is the C5 certificate mandatory for cloud providers?

No, it is not a legal requirement, but it is increasingly becoming a prerequisite - for example in public tenders or for companies with high security and compliance requirements.

How long is a C5 audit valid for?

As a rule, the certificate is valid for one year. After that, a new audit is required to keep the status up to date.

What are the benefits of the C5 audit report for me as a customer?

The certificate creates transparency and legal certainty. It helps you to strengthen your company's cloud compliance - and shows that your provider meets high standards of data protection and information security.

What do I need to be aware of as a customer despite the C5 certificate?

Even with a C5 certificate, you still bear responsibility - for example, for the secure configuration of your services or identity management. Use STACKIT's support to implement all requirements in the best possible way.