BSI C5 Compliance 2026 | Achieve C5 Attestation with Continuum GRC
The Continuum GRC ITAM SaaS platform has hundreds of plugin modules available, such as:
Cloud Computing Compliance Controls Catalog (C5) Solutions
C5 is the German government-backed attestation scheme introduced by the Federal Office for Information Security (BSI). It helps organizations demonstrate operational security against common cyber-attacks within the context of the German government's "Security Recommendations for Cloud Providers".
What's Coming in 2026 & How Continuum GRC Prepares You
Modules include:
- Cloud Computing Compliance Controls Catalog (C5):2025
- Cloud Computing Compliance Controls Catalog (C5):2025 Preamble
Key Concepts of Cloud Compliance
Cloud security compliance is all about using robust measures to protect sensitive data. This begins with implementing strong governance practices throughout the organization. Internal security controls, like data encryption, are essential, as is ensuring that the organization is always complying with evolving laws and regulations around general data protection.
Cloud service providers must actively practice IT risk management to identify and address threats; regular audits confirm that cloud environments remain aligned with the applicable security standards, preventing data breaches, legal or financial exposure, and reputational damage.
Importance of Cloud Compliance
Cloud compliance means an organization is fully aligned with the laws and regulations that ensure sensitive information is protected. Besides keeping data secure (for example, data covered by health insurance portability rules), being in compliance mitigates the risks associated with data security, such as financial or legal exposure. It is also important for building confidence among clients and other stakeholders that your organization is ethical and trustworthy in its data protection practices.
Without compliance, an organization may open itself to hefty fines and penalties, as well as serious reputational damage. Maintaining compliance, on the other hand, can be a huge competitive advantage in the marketplace.
Common Types of Cloud Compliance
Cloud compliance refers to several regulatory guidelines that protect different types of sensitive information. Some of the most common types of compliance include:
- HIPAA (Health Insurance Portability and Accountability Act): for securing health and patient information.
- GDPR (General Data Protection Regulation): protects the personal data of EU residents.
- SOX (Sarbanes-Oxley Act): requires financial institutions to implement measures to prevent fraud and ensure accuracy.
- PCI DSS (Payment Card Industry Data Security Standard): ensures security around credit cards and cardholder data.
- FedRAMP: required for federal institutions.
There are various frameworks designed to make implementing the needed security measures within your organization easier.
FAQ
What is BSI C5, and why is it important for cloud service providers in 2026?
BSI C5 (Cloud Computing Compliance Controls Catalog) is a German government-backed attestation scheme developed by the Federal Office for Information Security (BSI). Introduced in 2016 and updated to C5:2020, it sets minimum security baselines for cloud services (IaaS, PaaS, SaaS) across 17 domains with 125 criteria. It enhances transparency on data location, subcontractors, and government disclosures, helping CSPs build trust, meet German/EU requirements (e.g., GDPR, healthcare mandates), and reduce redundant audits by aligning with ISO 27001 and CSA CCM. In 2026, it's increasingly required for regulated sectors like healthcare (Type 2 mandatory since July 2025).
What is the difference between C5 Type 1 and Type 2 attestation reports?
What is the current status of C5:2025, and when will it become mandatory?
As of January 2026, the C5:2025 Community Draft (released July 2025) has completed its public comment period (ended September 15, 2025), but the final version has not yet been published by the BSI. Release is widely anticipated sometime in 2026. Assessments starting on or after January 1, 2027, must apply the updated criteria (with voluntary earlier adoption allowed). Late-2026 C5:2020 reports may require a transition roadmap in the system description. Continuum GRC will update its modules to support new controls like container management, supply chain risks, and post-quantum cryptography once the final version is released.
How does C5 align with other standards like ISO 27001, GDPR, or EUCS?
C5:2020 builds on and maps closely to ISO/IEC 27001, CSA Cloud Controls Matrix, and BSI IT-Grundschutz, allowing CSPs to leverage existing certifications and avoid duplicate audits. The upcoming C5:2025 will further strengthen alignment with the European Cloud Certification Scheme (EUCS Substantial level), NIS2 Directive, and CSA CCM v4.0 for better EU-wide interoperability. This makes C5 a key bridge for cross-compliance in Europe.
Who needs a C5 attestation, and how long is it valid?
C5 attestation is primarily for cloud service providers (CSPs) serving German government agencies, regulated industries (e.g., healthcare under DigiG), or private sector clients requiring high transparency. It's voluntary but increasingly expected for market access. Type 2 reports typically cover a 6–12 month period and require annual surveillance or re-audits for ongoing validity (reports are often restricted under NDAs). Continuum GRC streamlines evidence collection, risk mapping, and audit readiness to maintain current compliance.
What are the key changes expected in C5:2025 compared to C5:2020?
C5:2025 introduces structural improvements (more granular sub-criteria, explicit "additional" vs. "basic" controls, machine-readable formats like XLSX), better EUCS alignment, and new/strengthened focus areas including container orchestration, supply chain risk management, post-quantum cryptography readiness, confidential computing, data sovereignty, and AI-related security. It builds on C5:2020's foundation while addressing emerging cloud technologies and threats.
What are you waiting for?
You are just a conversation away from putting the power of Continuum GRC to work for you.
Contact us using the form below or by calling us at 1-888-896-6207 for immediate assistance.
About this standard
Recent Developments (C5:2020 and Transition to C5:2025): The 2020 revision (C5:2020) significantly expanded the framework by incorporating product safety and security considerations, updating criteria to address evolving cybersecurity threats, and strengthening transparency requirements. This version has seen widespread adoption, with major global CSPs—including Microsoft Azure, Google Cloud, AWS, SAP, Snowflake, Kiteworks (achieving Type 2 attestation in December 2025), and others—obtaining Type 2 attestations. Over a dozen national, European, and international providers have secured C5:2020 compliance, with growing uptake among smaller and mid-sized CSPs.
Since July 1, 2025, the BSI has required Type 2 reports (evaluating both design and operating effectiveness over a period) for full compliance recognition in many contexts, such as healthcare and government procurement, marking a shift from Type 1 sufficiency in prior periods.
The C5 framework continues to evolve rapidly in response to advancements in cloud technology, regulatory changes, and emerging risks. In July 2025, the BSI released the C5:2025 Community Draft (provisional title) for public stakeholder feedback, with the comment period closing on September 15, 2025. This draft builds directly on the strong foundation of C5:2020, preserving many proven criteria while introducing targeted enhancements.
Key Anticipated Changes in C5:2025
The upcoming revision represents a significant structural and substantive update, designed to modernize the catalog and improve interoperability:
- Enhanced alignment with European and international standards — Better integration with the European Cloud Certification Scheme (EUCS, particularly the "Substantial" assurance level), ISO/IEC 27001:2022, the NIS2 Directive, and the latest CSA Cloud Controls Matrix (v4.0) to reduce redundant audits and support broader EU-wide acceptance.
- Structural improvements — More granular requirements with sub-criteria, explicit classification of "additional" controls (e.g., those that "sharpen" existing basic criteria with stricter demands or "complement" them with entirely new ones), and availability in machine-readable formats (e.g., XLSX alongside PDF) for easier implementation and auditing.
- Focus on emerging technologies and risks — New or strengthened criteria addressing:
  - Container management and orchestration.
  - Supply chain risk management (including subcontractor controls).
  - Post-quantum cryptography readiness.
  - Confidential computing.
  - Data sovereignty and AI-related security considerations.
- Transition guidance — The draft indicates that assessments beginning on or after January 1, 2027, must apply the updated criteria (with earlier voluntary adoption allowed). C5:2020 reports issued in late 2026 may require inclusion of a transition roadmap in the system description.
As of January 2026, the finalized C5:2025 catalog has not yet been published by the BSI, though release is widely anticipated soon in 2026. The BSI is expected to provide a grace period for CSPs, auditors, and customers to prepare and transition smoothly.
Preparing for C5:2025 with Continuum GRC: Continuum GRC's cloud compliance platform and dedicated C5 modules already support robust risk management, control mapping, audit preparation, and transparency reporting aligned with C5:2020. As the final C5:2025 details emerge, Continuum GRC will update mappings, automate compliance tracking for new controls (e.g., supply chain and container security), and provide transition guidance to help CSPs achieve timely attestation.
This forward-looking approach ensures organizations stay ahead of evolving requirements while leveraging C5's proven benefits for secure, transparent cloud adoption.
