The All-New C5:2025 Catalogue
A Practical Guide to the New Cloud Security Standard
Welcome to GRC Lab, a weekly newsletter where we provide actionable advice to help you launch, grow and accelerate your career in Governance, Risk and Compliance.
The German Federal Office for Information Security (BSI) recently released the Community Draft for the 2025 version of the Cloud Computing Compliance Criteria Catalogue—commonly known as C5.
For organizations relying on cloud services, C5 has become a primary benchmark for assessing vendor security. It pushes beyond simple checkboxes, requiring providers to prove that their security controls actually work.
With the 2025 draft, the BSI is updating the framework to address modern realities like Artificial Intelligence in control systems, sustainability reporting, and stricter data sovereignty requirements.
Here is a detailed look at what C5 is, how the framework functions, and what is changing in this latest version.
What is C5?
C5 stands for Cloud Computing Compliance Criteria Catalogue. It is a government-backed standard that defines a baseline level of information security for cloud service providers (CSPs).
Unlike a simple certification where a provider passes a test once and receives a badge, C5 acts as a reporting standard. It provides a structured catalog of criteria that an independent auditor uses to evaluate the provider. The output is not a certificate, but a detailed attestation report. This report gives customers transparency into the provider’s internal processes, allowing them to make informed risk assessments.
While developed in Germany, C5 is recognized internationally and is often used by hyperscalers (like AWS, Microsoft Azure, and Google Cloud) to demonstrate compliance across European markets.
How the Framework Works
The C5 framework operates on the principle of transparency. It dictates what must be audited, but it relies on international auditing standards for how it is done.
The Audit Standard: ISAE 3000
C5 audits are conducted according to the ISAE 3000 standard. This is a rigorous assurance standard used by accountants and auditors. It ensures that the audit is objective and evidence-based.
There are generally two types of reports a provider can issue:
Type 1: Confirms that the provider’s security controls are designed correctly at a specific point in time.
Type 2: Confirms that the controls were not only designed correctly but were also operating effectively over a specific period (typically 6 to 12 months). Most mature organizations require a Type 2 report.
Anatomy of the C5:2025 Criteria
The 2025 draft retains the core structure of previous versions but refines the content. The catalog is divided into specific domains and criteria types.
1. Basic vs. Additional Criteria
The criteria are split into two levels to accommodate different security needs:
Basic Criteria: These are the mandatory minimums. To state compliance with C5, a cloud provider must meet all basic criteria. These cover standard industry best practices for secure cloud operations.
Additional Criteria: These are context-specific measures. While technically optional for a general C5 report, they are often required for providers aiming to serve government entities or industries with high protection needs. A key focus here is “Technical Service Sovereignty”—ensuring the cloud service can operate independently of non-EU interference.
2. The Boundary Conditions (BCs)
Before getting into the technical controls, C5 requires providers to disclose “Boundary Conditions.” These describe the environment in which the cloud service operates.
The 2025 draft introduces critical updates here:
BC-01 (Jurisdiction & Data Location): Providers must clearly state applicable law and jurisdiction. Crucially, they must now explicitly list locations for customer data, account data, and derived data (like logs and telemetry). This separation is vital for addressing sovereignty risks, such as foreign support teams accessing sensitive metadata.
BC-06 (Sustainability & ESG): New in 2025. This promotes transparency regarding environmental impact. Providers are encouraged to disclose data on energy efficiency, water usage, and adherence to standards like ISO 14001 or the EU Corporate Sustainability Reporting Directive (CSRD).
BC-07 (AI in Internal Controls): New in 2025. This does not just cover AI as a product sold to customers; it covers AI used by the provider to run their systems. If a provider uses AI models for internal control activities (e.g., anomaly detection in logs), they must disclose whether the model is proprietary or third-party, and how they ensure the model remains secure.
3. The Domains
The criteria themselves are grouped into roughly 17 thematic domains called areas. While the exact count of criteria can fluctuate slightly between drafts, they generally cover:
C5 vs. SOC 2: What Are the Differences?
While both frameworks are used to prove a cloud provider’s security, they differ significantly in origin, flexibility, and philosophy.
1. Origin and Market Focus
SOC 2 (System and Organization Controls 2): Developed by the AICPA (American Institute of Certified Public Accountants). It is the de facto standard in the US market and is widely recognized globally for SaaS companies.
C5: Developed by the BSI (German Federal Office for Information Security). It is essential for doing business in Germany (especially with the public sector) and is increasingly respected across the EU as a “higher bar” for transparency.
2. Principles vs. Criteria
SOC 2 is Principles-based: It uses “Trust Services Criteria” (Security, Availability, Confidentiality, Processing Integrity, Privacy). Only “Security” is mandatory; the provider chooses which of the others to include. The provider also defines their own controls to meet these criteria. This offers flexibility but can lead to variability in report quality.
C5 is Criteria-based: It is prescriptive. The BSI defines a specific catalog of “Basic Criteria” that must be met. A provider cannot simply “scope out” a difficult requirement if it is a Basic criterion. This ensures a consistent minimum baseline across all C5 reports.
3. Depth of Transparency
C5 places a heavier emphasis on “system description” transparency. The “Boundary Conditions” (like the new AI and jurisdiction disclosures) force providers to reveal structural details about their service—such as data locations and legal subjection—that might be glossed over in a standard SOC 2 report.
4. Combined Audits
Because both standards use the ISAE 3000 auditing framework, they are often audited simultaneously (“audit once, report twice”). A provider can map their internal controls to both the SOC 2 criteria and the C5 catalog, saving time and costs while satisfying both US and EU customers.
What Has Changed in the 2025 Draft?
The C5:2025 draft represents a significant structural and content modernization, largely driven by alignment with the European Union Cybersecurity Certification Scheme (EUCS).
1. Integration of Modern Standards and Feedback
The BSI didn’t work in isolation. The draft incorporates:
Updated Standards: Alignment with CSA Cloud Controls Matrix v4, ISO/IEC 27001:2022, and the NIS2 Directive.
Community Input: Feedback from cloud providers, auditors, and consultants was directly used to refine existing criteria and address practical hurdles found in C5:2020.
2. New Technical Focus Areas
The catalog has been expanded to address specific modern technologies and challenges:
Emerging Tech: New criteria cover Container Management, Post-Quantum Cryptography, and Confidential Computing.
Supply Chain Security: Enhanced focus on supply chain management risks.
Sovereignty & Separation: Deeper examination of tenant separation and the technical implementation of data sovereignty.
Data Applicability: Sharpened definitions on how individual criteria apply to different data types.
3. Structural Overhaul for Clarity
The structure has been revamped to make auditing easier and more transparent, mirroring the EUCS approach:
Sub-Criteria: Criteria are now broken down into distinct sub-criteria. This makes it easier to map controls to internal systems and simplifies the audit process.
Sharpen vs. Complement: “Additional Criteria” are now explicitly classified to avoid ambiguity:
Additional Sharpen: Stricter requirements that elevate an existing basic criterion.
Additional Complement: Entirely new requirements that supplement the basics.
4. Machine-Readable Formats
While the Community Draft is available in English (PDF and XLSX), the final version will mark a technological shift. It will be published in German and English across PDF, XLSX, and YAML formats. This move to machine-readable formats paves the way for automated auditing and continuous compliance monitoring, replacing manual spreadsheets with code.
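As an added illustration of what a machine-readable catalogue makes possible (this is example code, not BSI tooling, and the field names, criterion ids and control ids below are constructed placeholders, not the real C5:2025 YAML schema), the following Python script runs a coverage check over a catalogue fragment shaped like the structure described above: basic criteria that must all be met, additional criteria classified as sharpen or complement, and each criterion broken into sub-criteria. With PyYAML installed, the published YAML would be loaded with `yaml.safe_load()` into the same list-of-dicts shape; here the data is embedded so the script runs offline. The rule that a sharpen criterion can only be claimed once the basic criterion it elevates is fully covered is an assumption made for the example.

```python
"""Coverage check over a C5-style criteria catalogue (added example, not BSI code)."""
from collections import Counter

# Constructed catalogue fragment. Ids, levels and kinds are placeholders that
# imitate the draft's basic / additional-sharpen / additional-complement split.
CATALOGUE = [
    {"id": "EX-01", "level": "basic", "sub_criteria": ["EX-01.1", "EX-01.2"]},
    {"id": "EX-02", "level": "basic", "sub_criteria": ["EX-02.1"]},
    {"id": "EX-03", "level": "additional", "kind": "sharpen",
     "sharpens": "EX-01", "sub_criteria": ["EX-03.1"]},
    {"id": "EX-04", "level": "additional", "kind": "complement",
     "sub_criteria": ["EX-04.1", "EX-04.2"]},
]

# Constructed provider mapping: sub-criterion -> internal control ids.
MAPPING = {
    "EX-01.1": ["CTL-17"],
    "EX-01.2": ["CTL-17", "CTL-42"],
    "EX-02.1": [],            # listed, but no control actually stands behind it
    "EX-03.1": ["CTL-99"],
    "EX-04.1": ["CTL-08"],
    # EX-04.2 is absent from the mapping entirely
}


def validate_catalogue(catalogue):
    """Reject structurally broken catalogue entries before any analysis runs."""
    ids = [c["id"] for c in catalogue]
    dupes = sorted(i for i, n in Counter(ids).items() if n > 1)
    if dupes:
        raise ValueError(f"duplicate criterion ids: {dupes}")
    by_id = {c["id"]: c for c in catalogue}
    for c in catalogue:
        if c["level"] not in ("basic", "additional"):
            raise ValueError(f"{c['id']}: unknown level {c['level']!r}")
        if not c.get("sub_criteria"):
            raise ValueError(f"{c['id']}: criterion has no sub-criteria")
        if c["level"] == "additional":
            if c.get("kind") not in ("sharpen", "complement"):
                raise ValueError(f"{c['id']}: additional criterion needs kind sharpen|complement")
            if c["kind"] == "sharpen":
                base = by_id.get(c.get("sharpens"))
                if base is None or base["level"] != "basic":
                    raise ValueError(f"{c['id']}: sharpen must reference a basic criterion")
    return True


def covered(sub_id, mapping):
    """A sub-criterion counts as covered only if at least one control is mapped to it."""
    return bool(mapping.get(sub_id))


def gap_report(catalogue, mapping):
    """Return basic gaps (blocking), additional gaps by kind, and claimable additional criteria."""
    validate_catalogue(catalogue)
    by_id = {c["id"]: c for c in catalogue}
    basic_gaps = []
    additional_gaps = {"sharpen": [], "complement": []}
    claimable = []
    for c in catalogue:
        missing = [s for s in c["sub_criteria"] if not covered(s, mapping)]
        if c["level"] == "basic":
            basic_gaps.extend(missing)
            continue
        additional_gaps[c["kind"]].extend(missing)
        base_ok = True
        if c["kind"] == "sharpen":  # assumption: the elevated basic criterion must be fully covered
            base_ok = all(covered(s, mapping) for s in by_id[c["sharpens"]]["sub_criteria"])
        if not missing and base_ok:
            claimable.append(c["id"])
    return {
        "basic_gaps": basic_gaps,
        "basic_compliant": not basic_gaps,   # every basic criterion must be met to state C5 compliance
        "additional_gaps": additional_gaps,
        "additional_claimable": claimable,
    }


if __name__ == "__main__":
    for key, value in gap_report(CATALOGUE, MAPPING).items():
        print(f"{key}: {value}")
```

Run against the constructed data, the report flags EX-02.1 as a basic gap (so no C5 compliance can be stated), lists EX-04.2 as a missing complement sub-criterion, and shows EX-03 as the only additional criterion the provider could claim. The same function rerun on every change to the control mapping is the "continuous compliance monitoring" the draft's YAML publication is meant to enable.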
Conclusion
C5:2025 represents the evolution of cloud security from purely technical “firewalls and passwords” to a broader view of risk. It acknowledges that legal jurisdiction, AI reliance, and environmental impact are now part of the security conversation.
For cloud customers, this draft indicates that future attestation reports will provide more data points for vendor risk assessment. For cloud providers, it is a signal to prepare for deeper scrutiny regarding their data supply chains and automated control systems.
Cut Implementation Time in Half
You know that achieving ISO 27001 certification is a critical milestone for your organization and a major step for your career. But does the path forward right now feel less like a clear roadmap and more like a frustrating maze?
Then our ISO/IEC 27001 Lead Implementer Course is exactly what you need!