BSI C5 for cloud service providers.
BSI C5 (Cloud Computing Compliance Criteria Catalogue) is the cloud security attestation published by the BSI, Germany's federal cybersecurity authority. It is increasingly required by German public-sector, BaFin-supervised, and regulated private-sector customers. Matproof covers the 17 objective areas and 121 criteria.
Why this matters now
German public-sector cloud procurement has tightened post-2023 executive orders. BSI C5 is increasingly a prerequisite for government contracts. BaFin-supervised entities reference C5 in vendor selection.
- 121 criteria across 17 objective areas — significant documentation burden
- Two attestation types (Type 1 snapshot, Type 2 operating effectiveness)
- Auditor pool is smaller than for ISO 27001 — capacity planning matters
- BSI guidance updates require ongoing alignment
How Matproof covers BSI C5 for Cloud Service Providers
C5 2020 catalog implementation
Matproof tracks the current C5 catalog (BSI C5 2020 with updates) — 17 objective areas, 121 criteria, with evidence mapping for both Type 1 and Type 2 attestation.
ISO 27001 + ISO 27017 + ISO 27018 overlap
C5 criteria overlap heavily with ISO 27001 + 27017 (cloud) + 27018 (PII in cloud). Matproof's dual mapping reuses evidence across all four.
German-customer-specific controls
Some C5 criteria address German-specific operational concerns (data residency, GDPR, sector regulator notification). Not all international cloud controls translate directly.
Auditor coordination
BSI maintains the list of approved attestation auditors. Matproof's auditor portal supports the full fieldwork cycle with German-language artefacts.
In scope
- IaaS / PaaS / SaaS cloud service providers
- German hyperscalers and regional cloud operators
- Managed services providers hosting critical workloads
- Sector-specific cloud (healthcare, automotive, public sector)
- Co-location and data center operators with cloud offerings
Frequently asked questions
BSI C5 vs ISO 27001 — which do cloud providers need?
Depends on target customers. German public-sector and BaFin-regulated customers increasingly require C5. International customers generally expect ISO 27001 + 27017 + 27018. Strategic answer: achieve ISO 27001 + 27017 + 27018 first (international + German private), then layer C5 for public-sector expansion. ~4-6 months incremental effort.
Type 1 or Type 2 C5 attestation?
Most customers accept Type 1 for initial vendor qualification, but Type 2 (operating effectiveness over 6-12 months) is the gold standard for sustained public-sector relationships. Many cloud providers start with Type 1 and transition to annual Type 2 after the first year.
How does C5 interact with NIS2 for cloud providers?
Cloud providers are NIS2 Annex I essential entities. C5 attestation covers most NIS2 Art. 21 measures but requires layering: board accountability (§ 38 BSIG-neu), 24h/72h/1-month incident notifications, supply-chain depth, training obligations. Matproof's NIS2 module sits atop C5 evidence with minimal duplication.
Ready to start with BSI C5?
30-minute demo tailored to Cloud Service Providers. We show you exactly how Matproof covers BSI C5 for your sector.