TL;DR: C5 attestation
- C5 attestation is Germany’s BSI-backed cloud security standard, commonly expected by enterprise buyers across the DACH region.
- The framework covers 17 security domains, including IAM, cryptography, monitoring, operational security, and supply chain oversight.
- C5 Type 2 attestation validates control effectiveness over time and is the format most enterprise teams expect.
- C5 shares strong overlap with frameworks like ISO 27001, reducing duplicate compliance work through control mapping.
- Leading AI GRC platforms like Scytale help streamline evidence collection, centralize controls, and support continuous audit readiness for C5 assessments.
Selling cloud services into Germany or the broader DACH region without C5 compliance is becoming a significant competitive disadvantage. Public sector organizations, financial institutions, healthcare providers, and large enterprises now regularly include C5 requirements as part of procurement processes and third-party risk evaluations.
For many organizations, a C5 attestation serves as a trusted indicator that a cloud provider has undergone an independent assessment of its security and operational practices. As cloud adoption continues to expand across Europe, enterprise buyers are placing greater emphasis on standardized security assurance reports that provide visibility into how vendors manage risk, protect customer data, and maintain operational resilience.
In this article, we’ll explain what C5 is, who needs it, how the C5 audit process works, and what organizations can do to prepare efficiently.
What is the Cloud Computing Compliance Criteria Catalogue (C5)?
The Cloud Computing Compliance Criteria Catalogue (C5) is a cloud security framework developed and published by Germany’s Federal Office for Information Security (BSI). First released in 2016 and updated in 2020, C5 defines a standardized set of security requirements for cloud service providers operating in the DACH region. The framework was created to improve transparency and trust in cloud security practices, particularly for organizations handling sensitive or regulated data.
C5 outlines security and operational controls across areas such as identity and access management, cryptography, logging and monitoring, incident response, infrastructure security, and supply chain risk management. It also includes transparency requirements, requiring providers to disclose information about data processing locations, subcontractors, and security procedures.
Unlike many cloud security compliance frameworks developed by private industry groups, C5 carries government-backed authority because it was created directly by the BSI. While technically voluntary, it has become a widely expected requirement for cloud providers serving enterprise, financial services, healthcare, and public sector customers across Germany and the DACH region.
C5 primarily applies to SaaS companies, cloud service providers, and hosting providers delivering cloud-based services into regulated German-speaking markets. Instead of a formal certification, organizations receive an independent attestation report issued by a qualified auditor, typically a German Wirtschaftsprüfer (CPA) or equivalent auditing firm, validating that the provider’s controls align with the BSI’s security criteria.
Why it matters for cloud providers in Germany and the DACH region
C5 has become a key procurement and vendor assurance requirement for organizations operating in the German cloud market. Enterprise customers increasingly expect independent validation of security controls, particularly when sensitive or regulated data is involved.
This is especially important in industries such as financial services, healthcare, insurance, and the public sector, where organizations often require structured evidence of a provider’s security and compliance posture before contracts can move forward. Without C5 attestation, providers may face longer procurement cycles, additional security reviews, or reduced competitiveness in regulated markets.
C5 also aligns closely with broader European security and privacy expectations, including GDPR and emerging EU cloud security initiatives. As cloud adoption continues to accelerate, the global cloud computing market is projected to reach USD 2281.1 billion by 2030, increasing both the demand for secure cloud environments and the scrutiny placed on cloud providers operating in regulated industries.
The 17 criteria domains broken down
C5 organizes its requirements across 17 security domains that evaluate the security and operational resilience of cloud service providers. The framework takes a broad approach across governance, infrastructure, operations, and data protection, helping organizations assess whether providers maintain the controls needed to securely manage customer data and cloud environments. Organizations preparing for their first C5 engagement often use the Cloud Controls Matrix (CCM) to help map and scope control coverage across these domains.
During the C5 audit process, auditors review policies, procedures, technical safeguards, monitoring activities, and supporting evidence to determine whether controls are properly designed and operating effectively. The result is a detailed assessment of the cloud provider’s security posture, helping enterprise customers and organizations operating in regulated industries evaluate vendor risk with greater confidence.
Here are the 17 criteria domains:
| Domain Code | Domain Name | What It Covers |
|---|---|---|
| ORG | Organization of Information Security | Security governance structure, responsibilities, policies, and oversight |
| PHY | Physical Security | Protection of data centers, facilities, and physical infrastructure |
| HRS | Human Resources | Security considerations during hiring, onboarding, training, and termination |
| OPS | Cloud Service Provider Operation | Day-to-day operational security management and administration |
| INC | Information Security Incident Management | Detection, reporting, response, and handling of security incidents |
| COM | Compliance Management | Adherence to legal, regulatory, and contractual security requirements |
| DPR | Data Protection | Protection of personal and sensitive data, including privacy controls |
| IAM | Identity and Access Management | User authentication, authorization, and access control management |
| SYS | System and Network Security | Security of cloud infrastructure, systems, and network environments |
| AST | Asset Management | Inventory, classification, and protection of organizational assets |
| DAT | Data Lifecycle Management | Secure handling of data from creation through deletion |
| BCM | Business Continuity Management | Resilience, disaster recovery, and continuity planning |
| SUB | Subcontractor Management | Third-party vendor oversight and supply chain security management |
| RSK | Risk Management | Identification, assessment, and mitigation of organizational risks |
| IRE | Incident Reporting | Processes for communicating and escalating security incidents |
| VUL | Technical Vulnerability Management | Identification, remediation, and management of vulnerabilities |
| DOC | Compliance Documentation | Documentation and evidence demonstrating implemented security measures |
C5 Type 1 vs C5 Type 2: what is the difference?
C5 attestations for SaaS providers are available in two formats, and the distinction is important for enterprise procurement and security reviews.
C5 Type 1 evaluates whether controls are properly designed at a specific point in time. The auditor reviews policies, procedures, and control design, but does not assess whether those controls operate consistently over time. Because it can be completed more quickly, Type 1 is often used as an initial milestone toward broader compliance goals.
C5 Type 2 provides a higher level of assurance by evaluating both control design and operating effectiveness over an observation period, typically 6-12 months. This demonstrates that controls function consistently in real-world operations, making Type 2 the standard most enterprise customers and regulated industries expect from cloud providers.
How the C5 attestation process works
C5 attestation follows a structured, multi-phase process designed to assess a cloud provider’s security controls. Understanding each phase helps organizations plan timelines, allocate resources, and avoid delays during the audit.
Phase 1: Scoping
Define which systems, services, infrastructure components, and environments fall within the audit scope. Well-defined scoping reduces unnecessary audit complexity while ensuring the attestation aligns with customer and regulatory expectations.
Phase 2: Gap analysis
A gap analysis compares existing controls against the 17 C5 domains to identify missing controls, documentation gaps, and process weaknesses. The findings help prioritize remediation efforts and establish a realistic audit timeline.
Phase 3: Control implementation and documentation
Organizations implement missing controls, strengthen internal processes, and prepare the policies and documentation auditors will review. For Type 2 engagements, controls must be fully operational before the observation period begins.
Phase 4: Evidence collection
Teams collect supporting evidence across all in-scope domains, including logs, configurations, access reviews, incident records, and policy documentation. Evidence collection and control mapping across the 17 C5 domains is often the most time-consuming phase, especially when evidence is distributed across multiple systems. Many organizations use continuous control monitoring and automated evidence collection to reduce manual effort, shorten audit preparation, and maintain ongoing control visibility.
Phase 5: Auditor engagement and fieldwork
A qualified German Wirtschaftsprüfer (CPA firm) or equivalent approved auditor reviews documentation, tests controls, and interviews key personnel to validate compliance with C5 requirements. The fieldwork phase assesses both the design and effectiveness of controls based on the attestation type.
Phase 6: Report issuance
After completing fieldwork, the auditor issues the formal C5 attestation report detailing the audit scope, controls assessed, and any identified exceptions. This report is typically shared with enterprise customers and procurement teams during vendor security reviews.
Overlap with ISO 27001, SOC 2 and other frameworks
C5 was designed to align closely with established security and compliance frameworks, making it easier for organizations to extend existing GRC programs rather than rebuilding controls from scratch. Organizations already certified against ISO 27001 can typically reuse many existing controls, policies, and operational processes, with additional work focused primarily on C5’s cloud-specific requirements.
There is also strong alignment between C5 and SOC 2, particularly across areas such as access management, monitoring, change management, and risk management. While the frameworks use different structures and terminology, organizations can often reuse substantial evidence and documentation across both engagements.
By mapping controls across multiple frameworks, organizations can reduce duplicated work, streamline audit preparation, and maintain a more scalable compliance program. This unified approach is commonly used by growing SaaS companies managing multiple enterprise and regulatory requirements simultaneously.
| Framework | Overlap With C5 | Key Difference |
|---|---|---|
| ISO 27001 | Extensive overlap across security and operational controls | ISO 27001 is a certification; C5 is a cloud-focused attestation |
| SOC 2 | Strong overlap in access control, monitoring, and risk management | SOC 2 follows Trust Services Criteria, while C5 uses BSI-defined domains |
| EU Cloud Certification Scheme (EUCS) | Closely aligned cloud security requirements | EUCS is an upcoming EU-wide scheme; C5 is the current German standard |
Common challenges to watch out for
C5 preparation introduces several operational and audit challenges that organizations should anticipate early in the process. Identifying these challenges in advance helps teams plan more effectively, avoid delays, and maintain a smoother attestation process.
C5 engagements also require coordination across multiple teams, systems, and workflows. Without structured processes and ongoing visibility into controls and evidence, organizations may face delays, duplicated work, and increased audit complexity throughout the engagement.
Some of the most common challenges include:

- Evidence collection at scale: Gathering audit evidence across 17 domains, cloud environments, vendors, and internal teams can quickly become resource-intensive without structured workflows.
- Manual control mapping: Managing mappings across C5, ISO 27001, SOC 2, and other frameworks manually often creates duplicated work and consistency issues.
- Auditor availability: Qualified C5 auditors are scarcer than SOC 2 or ISO 27001 auditors, and securing one may require booking months in advance.
- Observation period management: Type 2 engagements require controls to operate consistently throughout the full observation period to avoid audit exceptions.
- Continuous maintenance: Maintaining BSI C5 compliance requires continuous monitoring and regular evidence collection rather than periodic audit preparation.
How automation simplifies C5 attestation
The operational complexity of C5 preparation is where top cloud compliance tools deliver the greatest value. By integrating directly with cloud infrastructure, identity providers, and operational systems, automated platforms automatically collect and organize evidence, reducing the reliance on manual audit preparation.
Continuous monitoring helps maintain current control visibility throughout the observation period, while automated gap detection enables teams to identify and remediate issues earlier in the process. Cross-framework control mapping further improves efficiency by aligning controls and evidence across C5, ISO 27001, SOC 2, GDPR and other frameworks within a centralized control environment.
Streamlining C5 attestation with Scytale’s AI GRC platform
Scytale helps cloud and SaaS providers streamline C5 preparation through automated evidence collection, centralized compliance management, and continuous control monitoring across cloud environments. This reduces operational overhead and helps security, engineering, and compliance teams maintain continuous audit readiness.
Combined with dedicated GRC expert guidance and multi-framework compliance support, Scytale enables organizations to manage C5 alongside broader security and compliance requirements more efficiently as programs scale.
FAQs about C5 attestation
What is C5 attestation?
C5 attestation is an independent security assessment that verifies whether a cloud service provider meets the requirements of the BSI Cloud Computing Compliance Criteria Catalogue (C5). Published by Germany’s Federal Office for Information Security (BSI), C5 evaluates cloud security controls across 17 domains and is widely used by enterprise and public sector organizations in the DACH region.
Who needs C5 attestation?
C5 is primarily relevant for cloud providers and SaaS companies operating in Germany, Austria, and Switzerland, especially those serving regulated industries such as finance, healthcare, and the public sector. Organizations working with enterprise customers or government entities in the region often view C5 as a procurement and vendor assurance requirement.
What are the C5 attestation requirements?
C5 requires organizations to implement and document controls across all required C5 security domains, including areas such as access management, incident response, business continuity, and data protection. For Type 2 attestations, auditors must also verify that controls operate effectively over an observation period, which is why many organizations use AI GRC platforms like Scytale to streamline evidence collection and ongoing control monitoring.
How long does C5 attestation take?
A Type 1 C5 attestation typically takes several months, depending on the maturity of the organization’s existing security and compliance program. Type 2 requires an additional observation period, usually between 6 and 12 months, before the audit can be completed.
What is the difference between C5 Type 1 and Type 2?
C5 Type 1 evaluates whether controls are properly designed at a specific point in time, while Type 2 assesses whether those controls operate effectively over an extended period. Most enterprise procurement teams and regulated industries expect Type 2 as the stronger assurance standard.
How does C5 attestation relate to ISO 27001?
C5 shares significant overlap with ISO 27001 across areas such as access control, incident management, cryptography, and business continuity. Organizations already maintaining ISO 27001 can often reuse existing controls, policies, and evidence to simplify C5 preparation, especially when using centralized AI GRC platforms like Scytale that support cross-framework control mapping and continuous compliance management.
