
BSI C5:2026 published by Federal Office for Information Security


The German Federal Office for Information Security (BSI) has published the final version of C5:2026. Alongside this update, a separate set of criteria dedicated to Cloud Sovereignty has been announced to complement the catalogue.

TL;DR / Summary

  • BSI C5:2026 officially published as the successor to C5:2020
  • BSI C5:2026 maintains alignment with international standards and evolving regulatory requirements
  • A complementary Criteria Catalogue regarding Cloud Sovereignty is expected shortly.

Background

The Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik, BSI) has been renowned for its Cloud Computing Audit for approximately a decade. Given that ENISA (European Union Agency for Cybersecurity) has been working on EUCS (European Cybersecurity Scheme) pursuant to the European Cybersecurity Act (EUCSA) almost since the Act came into force in 2019, an updated version of BSI C5 could have become obsolete.

However, BSI called for feedback on an updated version by mid-2025. In early 2026, the Federal Office completed its work and officially published the most recent version of its BSI Cloud Computing Compliance Criteria Catalogue, i.e. BSI C5:2026.


Subject Matter

According to BSI, the latest version translates complex security requirements for future-proof cloud services into verifiable criteria. It shall provide both businesses and public authorities with reliable information for their own risk management, while offering cross-market transparency and guidance when selecting cloud providers.

C5 remains an audit-based certification performed by qualified auditors subject to ISAE 3000 and IDW PS 860 alongside ISAE 3402 and IDW PS 951, or any equivalents thereof.

C5:2026 has been refined to address technological advances and the current threat landscape. For the first time, the catalogue explicitly includes topics such as 

  • Container Management, 
  • Post-Quantum Cryptography (PQC) and 
  • Confidential Computing

Existing focus areas, such as client isolation (multi-tenancy) and supply chain management, have been further sharpened.

Notably, to support automated GRC (Governance, Risk, and Compliance) processes, C5:2026 is provided in a machine-readable format.

Alignment with EUCS, other Standards and Regulatory Requirements

C5:2026 is closely aligned with the European Cybersecurity Scheme (EUCS) in terms of both content and structure.

In addition, the current versions of other relevant criteria catalogues and regulatory requirements were taken into account in the development of C5:2026, such as the 

  • CSA Cloud Controls Matrix Version 4, 
  • ISO/IEC 27001:2022 and
  • the NIS2 Directive.

Next steps

Following the Community Draft consultation and in accordance with the past publication cycle, no updated version of BSI C5 is expected any time soon. BSI C5:2026 will probably form the de facto market standard for cloud security in Europe for another five years, unless EUCS is finished sooner.

In respect of Cloud Sovereignty, stakeholders should monitor BSI announcements closely. BSI has confirmed that a separate, complementary catalogue focusing on sovereignty criteria will be released to expand upon the technical security foundation of C5.

For ease of reading, you can download the relevant files in the related files section below. You can retrieve the most recent version at any time via BSI's download portal.