C5 CLOUD COMPLIANCE
Your Cloud Provider Has a C5 Attestation.
You Still Need Your Own.
Since July 2025, organizations processing patient data in the cloud must hold their own C5 Type 2 attestation under § 393 SGB V. Your cloud provider’s certificate covers their infrastructure, not your application. We help you close that gap.
"My Cloud Provider Is C5-Certified, So I'm Covered."
This is the most common and most dangerous assumption in C5 compliance. Here is what it actually means:
Your Provider's C5 Attestation Covers Infrastructure Only
AWS, Azure, and GCP hold C5 attestations for their infrastructure layer. But § 393 SGB V requires you, the data processor, to independently demonstrate compliance for your own application.
Application-Level Controls Are Your Responsibility
Access management, encryption configuration, monitoring, and incident response for your application are not covered by your cloud provider’s attestation. Their C5 attestation explicitly excludes how you use their services.
The Shared Responsibility Model Has Legal Consequences
If you cannot independently prove that your application layer meets C5 criteria, you are not compliant, regardless of what certifications your cloud provider holds.
Who is affected:
- SaMD manufacturers storing patient data in the cloud
- DiGA providers processing patient data in the cloud
- Connected medical devices transmitting data to cloud backends
- Any organization processing health data under § 393 SGB V
What Is C5?
The BSI's Cloud Computing Compliance Criteria Catalogue, explained.
1. BSI C5:2020 at a Glance
The Cloud Computing Compliance Criteria Catalogue (C5:2020) defines 121 criteria across 17 security domains. It distinguishes between basis criteria, mandatory for all cloud services, and additional criteria for processing high-sensitivity data such as patient records.
2. Type 1 vs. Type 2
A Type 1 attestation confirms that the right controls are designed and in place at a point in time. A Type 2 attestation goes further: it verifies that those controls have actually worked over a continuous 6 to 12 month period. Since July 2025, Type 2 is mandatory under § 393 SGB V.
3. The Critical Difference from ISO 27001
In an ISO 27001 audit, if the auditor finds issues, you fix them and get certified. In a C5 Type 2 audit, the auditor reviews the past 6 to 12 months. If controls were not operational during that period, you fail. There is no retroactive fix. This is why preparation before the audit period begins is essential.
C5:2025 is on the horizon, with expected mandatory adoption from January 2027. We are already incorporating its updated requirements into our preparation methodology.
Shared Responsibility: What's Covered, What's Not
We help you identify exactly which of the 121 criteria apply to your product and which are already covered by your provider.
Cloud Provider's C5 Attestation
- Physical data center security
- Network infrastructure
- Hypervisor & host OS
- Infrastructure monitoring
- Hardware compliance
Your Responsibility
- Application-level access controls
- Data encryption configuration
- Guest OS patching
- Application monitoring & logging
- Identity & access management
- Incident response procedures
- Data handling & retention policies
- Personnel security & training
Your Audit Is Led by Senior Experts
Not juniors. Not generalists. Specialists in medical device security.

Dr. rer. nat. Simon Weber
Senior Pentester & MedSec Researcher
I evaluate your SaMD with the same industry-defining security insight I contributed to the BAK MV for the revision of the B3S standard.
- PhD on Hospital Cybersecurity
- Critical vulnerabilities found in hospital systems
- Alumnus of the THB MedSec Research Group

Dipl.-Inf. Volker Schönefeld
Senior Application Security Expert
As a former CTO and developer turned pentester, I work alongside your team to uncover vulnerabilities and find solutions that fit your architecture.
- 20+ years as CTO, 50M+ app downloads
- Architected and secured large-scale IoT fleets
- Certified Web Exploitation Specialist
Our Approach
From gap analysis to attestation, a structured path to C5 compliance.
Scoping & Gap Analysis
We determine which criteria apply to your specific product, both the basis criteria and the relevant additional criteria. We map your cloud provider’s coverage against your responsibilities and identify gaps in processes, documentation, and technical controls.
Internal Control System & Documentation
We build your Internal Control System (IKS) following BSI templates. This includes defining controls, measures, and evidence for each applicable criterion, creating your risk control matrix, and documenting everything to auditor expectations.
Implementation & Go-Live
We implement the required processes and technical controls, then define the start date from which the auditable period begins. Together we ensure your organization actually lives these processes day-to-day, because paper compliance without practice is the most common reason for failure.
Attestation
After 6 to 12 months of operational evidence, we support you through the formal audit process. We work with accredited auditing partners for the attestation itself.
What Makes C5 Expensive
Honest risks you should know about before you start.
Paper Compliance
You document perfect processes but do not actually follow them. The auditor samples real evidence from the past months and finds nothing. This is by far the most common reason for failure.
Starting Too Early
You trigger the audit period before controls are actually running. The clock is ticking on a period you cannot fix later.
Wrong Scope
Over-scoping wastes money. Under-scoping means failing the audit and starting over.
The Leadership Factor
C5 compliance is not just a compliance team project. Leadership commitment, the "Tone at the Top," must be genuine. Auditors can tell.
Preparation costs money. But there is nothing more expensive than failing a C5 attestation, because you pay for the audit and you have to start the entire evidence period over.
Frequently Asked Questions
What you need to know about C5 compliance for medical devices.
What is the difference between C5 Type 1 and Type 2?
Type 1 is a point-in-time design check: are the right controls in place? Type 2 audits a historical period of 6 to 12 months: have those controls actually worked? Since July 2025, Type 2 is mandatory for processing patient data in the cloud under § 393 SGB V.
Do I need my own C5 attestation if I use AWS, Azure, or GCP?
Yes. Your cloud provider’s C5 attestation covers their infrastructure, not how you use it. You must independently demonstrate compliance for your application layer, including access controls, encryption configuration, monitoring, and incident response.
How long does the entire process take from start to Type 2?
Plan for 12 to 18 months minimum. This includes preparation (3 to 6 months), the audit period itself (6 to 12 months), and the formal audit. Starting with a Type 1 attestation as interim proof is possible while building the track record for Type 2.
Can I start with Type 1 and upgrade to Type 2 later?
Yes, and we often recommend this. A Type 1 attestation serves as interim proof of your control design while you accumulate the 6 to 12 months of operational evidence required for Type 2.
What does C5 preparation cost?
It depends on your product scope, the number of applicable criteria, and the maturity of your existing controls. We provide a clear estimate after the initial scoping and gap analysis.
What happens if I fail the attestation?
You pay for the audit and have to start the entire evidence period over. The auditor cannot retroactively accept controls that were not operational. This is why thorough preparation before the audit period is critical.
How does C5 relate to ISO 27001?
They are complementary, not replacements. ISO 27001 certifies your information security management system. C5 specifically addresses cloud computing controls. Having ISO 27001 helps, as there is significant overlap, but it does not replace the need for a C5 attestation.
Is C5 required only in Germany?
C5 is a BSI framework and currently mandated by German law (§ 393 SGB V) for cloud-based processing of patient data. However, it is increasingly recognized as a benchmark across Europe and serves as a key input to the EU-wide EUCS cloud certification scheme.
Not Sure If C5 Applies to Your Product?
Let’s find out together. We will assess your cloud setup, determine which C5 criteria apply, and outline a realistic path to your attestation.
Phone
+49 221 65031192
Response Time
We typically respond to all inquiries within 24 hours during business days.
Average response time: 6-12 hours
