Federal Office for Information Security Publishes Community Draft of BSI C5:2025
As of July 14th, 2025, the Federal Office for Information Security published its Community Draft alongside its invitation for stakeholder feedback. The BSI Cloud Computing Compliance Criteria Catalogue is recognized as a leading international cybersecurity standard. BSI C5:2025 is expected to replace the current version, i.e., BSI C5:2020.
BSI C5:2025 and ENISA EUCS
June 2019 the European Cybersecurity Act (EUCSA) came into force. Because of it legal nature, which is a Regulation, the EUCSA is directly applicable law in each Member State. The EUCSA provides for the possibility of the European Commission to request ENISA to prepare a candidate scheme or to review an existing European cybersecurity certification scheme. Such cybersecurity scheme may apply generically or for distinct services and products.
Almost instantly, the European Commission requested ENISA to prepare a candidate scheme for Cloud Services. Once a European cybersecurity scheme has been adopted, national cybersecurity certification schemes, such as BSI C5, cease to produce effects, Art. 57.1 EUCSA. The preparation and adoption of the EUCS is halted and stuck; latest official information dates back to 2021.
Against this background, BSI clarifies, that the updated version BSI C5:2025 incorporates the European discussions and perspectives that are and were present during the preparation of EUCS. Literally, BSI states “C5:2020 as the basis for EUCS, EUCS as the basis for C5:2025”.
Updated Structure, Updated Criteria
BSI C5:2025 will update both,
- its structure and
- its material requirements (criteria).
Structural updates may not necessary result in material modifications but will most likely seek for clarifications. BSI C5:2025 aligns its structure with EUCS incorporating subcriteria to each criteria. This is also deemed beneficial to better align with internal Controls of CSP and enhance clarity and transparency for the evaluation of C5 reports.
Materially, BSI C5:2025 aligns with updated version of international standards. This relates to EUCS, but also relates to programmes such as CSA Cloud Controls Matrix v4, ISO/IEC 27001:2022 and the NIS2 directive. Topicwise, BSI C5:2025 seeks to clarify criteria's applicability to different data types, more detailed consideration of client separation and the technical implementation of sovereignty, container management, supply chain management, post-quantum cryptography and confidential computing.
Expected Future file formats of BSI C5:2025
BSI is planning to publish the final version as PDF and XLSX, each in German and English. Insofar the BSI maintains easy access and international scope of the scheme.
For the very first, BSI expects to publish the final version also as YAML. This will allow the scheme to become machine-readable. This may facilitate integration in automated compliance programmes, cybersecurity prompt-and-response services and automated comparison amongst different schemes.
Feedback open until Sept 15th, 2025
The BSI invites stakeholders to provide feedback until Sept 15th, 2025. Comments must be submitted by using the provided comment form. For ease of your read, you can download the ZIP-archive, including the XLSX form, in the related files section. At all times you can retrieve the most recent version via BSI's download portal.
According to BSI's website, feedback shall be submitted to cloudsecurity@bsi.bund.de via e-mail.