BSI C5:2026 published by Federal Office for Information Security
The German Federal Office for Information Security (BSI) has published the final version of C5:2026. Alongside this update, a separate set of criteria dedicated to Cloud Sovereignty has been announced to complement the catalogue.
TL;DR / Summary
- BSI C5:2026 officially published as the successor to C5:2020
- BSI C5:2026 maintains alignment with international standards and evolving regulatory requirements
- A complementary criteria catalogue regarding Cloud Sovereignty is expected shortly
Subject Matter
According to BSI, the latest version translates complex security requirements for future-proof cloud services into verifiable criteria. It is intended to give both businesses and public authorities reliable information for their own risk management, while offering cross-market transparency and guidance when selecting cloud providers.
C5 remains an audit-based certification performed by qualified auditors subject to ISAE 3000 and IDW PS 860 alongside ISAE 3402 and IDW PS 951, or any equivalents thereof.
C5:2026 has been refined to address technological advances and the current threat landscape. For the first time, the catalogue explicitly includes topics such as
- Container Management,
- Post-Quantum Cryptography (PQC) and
- Confidential Computing.
Existing focus areas, such as client isolation (multi-tenancy) and supply chain management, have been further sharpened.
Notably, to support automated GRC (Governance, Risk, and Compliance) processes, C5:2026 is provided in a machine-readable format.
Alignment with EUCS, other Standards and Regulatory Requirements
C5:2026 is closely aligned with the European Cybersecurity Scheme (EUCS) in terms of both content and structure.
In addition, the current versions of other relevant criteria catalogues and regulatory requirements were taken into account in the development of C5:2026, such as
- CSA Cloud Controls Matrix Version 4,
- ISO/IEC 27001:2022 and
- the NIS2 Directive.
Next steps
Following the Community Draft consultation and in accordance with the past publication cycle, no updated version of BSI C5 is expected any time soon. BSI C5:2026 will probably be the de facto market standard for cloud security in Europe for another five years, unless EUCS is finished sooner.
With respect to Cloud Sovereignty, stakeholders should monitor BSI announcements closely. BSI has confirmed that a separate, complementary catalogue focusing on sovereignty criteria will be released to expand upon the technical security foundation of C5.
For ease of reading, you can download the relevant files in the related files section below. The most recent version is always available via BSI's download portal.