A Look Ahead: Updates Coming to Germany’s BSI C5 Standard
Published: Dec 8, 2025
Organizations that rely on Germany’s Cloud Computing Compliance Criteria Catalogue (C5) can expect meaningful changes on the horizon. The public comment period for C5:2025 formally closed in September 2025, and we anticipate that the finalized version of the refreshed framework will be released sometime in 2026.
While updates to a major cloud assurance standard can create uncertainty, there’s no need for concern. We fully expect the Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik, or BSI) to provide a grace period for organizations transitioning to the new version—giving cloud providers and auditors the time they need to prepare.
In this article, we’ll break down what C5 is, highlight the key changes expected in C5:2025, and explain what those updates mean for cloud service providers (CSPs) and their customers. We’ll also outline how Schellman can help support your transition for a smoother path to compliance with the updated standard.
What is C5?
First introduced in 2016, C5 is a cloud security attestation framework developed in response to the growing need for stronger and more transparent security expectations in cloud environments. C5 now serves as a unified, trusted foundation that helps CSPs and customers consistently evaluate the security of cloud service offerings.
The BSI built C5 by drawing from several well-established frameworks, integrating controls from major standards such as ISO 27001, ISO 27002, ISO 27017, and the Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM). With so many contributing sources, C5 can seem complex at first glance, but this intentional layering offers several key benefits:
- High security standards: C5’s controls are designed to be comprehensive and challenging to meet, ensuring that organizations demonstrate robust security practices and can be confident in the strength of their cloud security.
- Increased trust, transparency and confidence: Achieving a C5 attestation signals to customers that your services meet rigorous security requirements, offering differentiation in a competitive cloud market. The attestation report also provides detailed insight into how services are secured, enabling customers to make informed comparisons across cloud providers.
- Flexible implementation: Organizations can choose the scope of their audit, helping CSPs ease into compliance by applying C5 controls to select services or regions rather than needing to cover their entire environment immediately.
- International recognition: C5 compliance is globally recognized and respected, enabling organizations operating across borders to benefit from the attestation’s credibility.
As cloud technology and regulatory expectations continue to evolve, so does C5. The upcoming C5:2025 update reflects BSI’s effort to modernize the framework, close gaps, and strengthen assurance requirements for today’s cloud landscape.
What’s Changing in C5:2025?
According to BSI, this revision is significant both structurally and substantively. BSI explains:
“The C5 has been revised not only in terms of content, but also structurally in line with the EUCS: C5 criteria now themselves consist of subcriteria that are distinct from each other in terms of content. This structure makes it easier to assign C5 criteria to controls in the internal control system of cloud providers and to audit C5 criteria, as well as creating greater clarity and transparency for the evaluation of C5 reports. Furthermore, the additional criteria in C5:2025 are classified according to whether they sharpen the existing basic criteria with stricter requirements (‘additional sharpen’) or complement them with new requirements (‘additional complement’). This means that the already implicitly present distinction is now made explicit.”
In short, cloud providers can expect:
- A more granular, transparent structure for requirements
- Better alignment with EUCS
- Clear categorization of new or strengthened requirements
- Increased clarity for both implementers and auditors
These adjustments should ultimately improve the usability of the standard and the consistency of resulting reports.
How Schellman Can Help You Navigate Your C5 Journey
At Schellman, we are preparing to guide our clients through the transition as soon as the updated framework is released. Whether you already undergo a C5 examination or are considering one for the first time, our team is ready to help you understand what’s new, assess gaps, and position your organization for continued—or initial—compliance with C5:2025.
We look forward to supporting both current and future clients in navigating this evolving assurance landscape. Contact us today to learn more about the attestation process and requirements.
About Kristen Wilbur
Kristen Wilbur is a Principal at Schellman, with over 10 years of experience in providing IT attestation and compliance services. Kristen has evaluated risk and controls for Global 1000, Fortune 500, and regional companies during the course of her career, with a strong focus on the technology sector. Kristen currently leads the New York City practice at Schellman, where she specializes in SOC 1, SOC 2, ISO 27001, and HIPAA reporting. In her portfolio, she also oversees large-scale engagements that include assessments around FedRAMP, HITRUST, and Privacy. Kristen has a strong passion for giving back and recently helped to establish the corporate social responsibility program at Schellman called SchellmanCARES.