BSI C5:2026 Audit Readiness: A Practical Guide for Cloud Service Providers

What the new Cloud Computing Compliance Criteria Catalogue means for your next audit, and how to prepare before the June 2027 deadline.

The German Federal Office for Information Security (BSI) has released the C5:2026, the second major revision of its Cloud Computing Compliance Criteria Catalogue. For cloud service providers operating in the European market, and for any organisation relying on cloud infrastructure for regulated workloads, this update reshapes the audit landscape.

This guide breaks down the audit-related requirements of the C5:2026, explains the key differences from its predecessor, and provides a practical roadmap for getting audit-ready.

What is a C5 Audit?

A C5 audit is an independent third-party assessment of a cloud service provider's system of internal control. It evaluates whether the provider's principles, procedures, and measures meet the security criteria defined in the BSI's C5 catalogue.

The BSI itself is not involved in the audit process. The auditor operates independently and is typically engaged by the cloud service provider, not the customer. The resulting report is then shared with existing and prospective customers so they can assess the information security of the cloud service for their own use case.

According to the C5:2026, conformity assessments must be performed in accordance with ISAE 3000 (Revised), the German audit standard IDW PS 860, or equivalent national standards.

Type 1 vs. Type 2 Reports: Which One Do You Need?

The C5:2026 distinguishes two types of audit reports, and the choice between them depends on where you are in your compliance journey.

A Type 1 report evaluates whether the cloud service provider's controls are suitably designed as of a specific date. It answers the question: "Are the right controls in place?" This report type is reserved for initial engagements only: for example, when a new cloud service is launched or when a provider undergoes its first C5 audit. Type 1 reports cannot be used on a recurring basis.

A Type 2 report goes further. It evaluates both the design and the operating effectiveness of controls throughout a specified period. It answers: "Are the controls in place, and did they actually work over time?" All subsequent engagements after the initial audit must be Type 2 reports. The minimum audit period is three months; the maximum should generally not exceed twelve months, though exceptions may be granted to align with other audit cycles.

For organisations undergoing their first C5 engagement, the catalogue explicitly allows starting with a Type 1 report and transitioning to Type 2 in subsequent cycles.

What Changed in the Audit Requirements for C5:2026?

The C5:2026 builds on the foundation of C5:2020 but introduces several structural and substantive changes that directly affect audit preparation.

New criteria structure with subcriteria. C5 criteria now consist of subcriteria that are clearly delineated in terms of content. This enables more precise mapping to the controls within a cloud provider's internal control system. For auditors, this means greater clarity during testing; for providers, it means controls need to be documented at a more granular level.

New classification of additional criteria. Additional criteria are now explicitly classified as either "sharpening" (replacing a basic subcriterion with stricter requirements) or "complementing" (introducing entirely new aspects not covered by basic subcriteria). Providers can select individual additional subcriteria without including the full set, but the rationale for their selection must be stated in the system description.

New domains reflecting current technology. The C5:2026 introduces new criteria addressing container management, post-quantum cryptography, confidential computing, and supply chain management. If your cloud service uses containers or offers confidential computing capabilities, these areas will now be in scope for audits.

Alignment with EUCS and NIS2. The C5:2026 incorporates requirements developed for the European Cybersecurity Certification Scheme for Cloud Services (EUCS) at the "Substantial" assurance level, as well as the implementing regulation for the NIS2 Directive (Commission Implementing Regulation (EU) 2024/2690, which covers cloud computing service providers among other entities). This means that a C5 audit can serve as a strong foundation for demonstrating compliance with these broader European frameworks, although it does not by itself constitute an EUCS certificate or NIS2 conformity.


The Transition Timeline: Key Dates

The C5:2026 catalogue introduces a clear transition schedule that providers and auditors need to plan around.

For Type 1 reports: the C5:2026 criteria must be applied for all engagements with a specified date on or after June 1, 2027.

For Type 2 reports: the C5:2026 criteria must be applied for all engagements where the specified period begins on or after June 1, 2027.

Mixing is not allowed. If a Type 2 engagement's specified period begins before June 1, 2027 and ends after that date, the engagement should use only the C5:2020 criteria. Combining criteria from both versions in the same engagement is explicitly prohibited.

Earlier adoption of the C5:2026 is permitted, giving providers the option to get ahead of the deadline.

Providers that currently hold a C5:2020 attestation need to begin adjusting their controls now. Adjustments might include expanding the scope of existing controls, adding new controls for newly introduced criteria, or restructuring documentation to match the new subcriteria format.

If the specified period ends on or after February 28, 2027, the provider must include information in their system description about planned changes to controls that address the new C5:2026 requirements, including implementation status and expected dates.


Auditor Qualifications: What the BSI Requires

The C5:2026 sets specific requirements for audit team members. Those supervising and reviewing the engagement must have either three years of relevant professional experience with IT audits in a public audit firm, or hold one of the following certifications: CISA, CISM or CRISC (ISACA); ISO 27001 Lead Auditor, or BSI-certified ISO 27001 auditor on the basis of IT-Grundschutz; CCSK (Cloud Security Alliance); or CCSP or CISSP ((ISC)²).

This means that when selecting an auditor, you should verify that the engagement team meets these qualification requirements and that compliance is confirmed in the "Independence and Quality Management" section of the final audit report.


Subservice Organisations: Don't Let the Carve-Out Become a Blind Spot

If your cloud service relies on third-party infrastructure, data centres, platforms from other cloud providers, or outsourced components, the C5:2026 treats these relationships seriously.

A service organisation qualifies as a "subservice organisation" under the catalogue when two conditions are met: first, the services provided are likely to be relevant to the cloud service customers' understanding of the C5 criteria; and second, complementary subservice organisation controls (CSOC) at that organisation are required, in combination with the provider's own controls, to meet the applicable C5 criteria.

The provider must choose between the inclusive method (where the subservice organisation's controls are included in the scope of the audit) and the carve-out method (where they are excluded). Either way, the system description must disclose the nature of the services performed, the location of data processing and storage, an assessment of the dependency's complexity, and the availability of the subservice organisation's own audit reports.

The C5:2026 explicitly warns against using the carve-out method as a way to avoid demonstrating conformity. The cloud service provider remains ultimately accountable for ensuring that the development and operation of the cloud service meets the applicable C5 criteria.


The 17 Criteria Domains at a Glance

The C5:2026 organises its criteria into 17 domains, each with a defined security objective. Understanding these helps providers map their existing controls to the audit scope:

1. Organisation of Information Security (OIS): plan, implement, and maintain the information security framework.

2. Security Policies and Procedures (SP): provide policies and procedures for security requirements.

3. Personnel (HR): ensure personnel understand their security responsibilities.

4. Asset Management (AM): identify and protect assets throughout their lifecycle.

5. Physical Security (PS): prevent unauthorised physical access, theft, and outages.

6. Operations (OPS): ensure proper operation, malware protection, backup, logging, and vulnerability management.

7. Identity and Access Management (IAM): secure authorisation and authentication to prevent unauthorised access.

8. Cryptography and Key Management (CRY): ensure effective use of cryptography for confidentiality, authenticity, and integrity.

9. Communication Security (COS): protect information in networks and processing systems.

10. Portability and Interoperability (PI): enable data access, portability, and secure deletion.

11. Procurement, Development and Modification (DEV): ensure security in the development lifecycle.

12. Control of Service Providers and Suppliers (SSO): protect information handled by service organisations.

13. Security Incident Management (SIM): ensure consistent incident capture, evaluation, and handling.

14. Business Continuity Management (BCM): maintain business continuity and emergency management.

15. Compliance (COM): avoid non-compliance with legal and regulatory requirements.

16. Dealing with Investigation Requests (INQ): handle government investigation requests appropriately.

17. Product Safety and Security (PSS): provide secure configuration guidance and vulnerability information.

Complementary Customer Controls: Shared Responsibility in Action

One aspect that is often overlooked: the C5:2026 makes clear that maintaining the information security of a cloud service is not the sole responsibility of the provider. Customers must also cooperate in their area of responsibility.

For infrastructure services (IaaS), customers are typically responsible for security updates to their operating systems. For software services (SaaS), this responsibility generally lies with the provider. The catalogue includes complementary customer criteria (CUEC) for selected C5 criteria where this cooperation is essential.

Cloud service customers should evaluate C5 reports not only for what the provider demonstrates, but also for what they themselves need to implement on their side.


Practical Steps to Get Audit-Ready

Based on the requirements laid out in the C5:2026, here is a structured approach to preparing for your next C5 audit:

1. Assess your current state against C5:2026. If you already hold a C5:2020 attestation, use the BSI's cross-reference table (available at https://www.bsi.bund.de/C5) to identify gaps between your existing controls and the new requirements. Pay special attention to newly introduced criteria around container management, confidential computing, and supply chain monitoring.

2. Restructure your documentation. The new subcriteria format requires more granular control descriptions. Review your system description to ensure each subcriterion is addressed individually, with clear mapping to your internal controls.

3. Evaluate your subservice organisations. Determine whether your third-party relationships qualify as subservice organisations under the C5:2026 definition. Decide on the inclusive vs. carve-out method and ensure the required disclosures are included in your system description.

4. Prepare your General Conditions (GC) disclosures. Section 4 of the C5:2026 requires providers to disclose information on jurisdiction, availability commitments (including SLAs), recovery parameters (RTO, RPO, MTPD, MBCO), certifications held, and how government investigation requests are handled. This information must be transparent and comprehensible.

5. Plan your transition timeline. Work backward from June 1, 2027 to ensure your controls are adjusted, documented, and operational before that date. If your current audit period ends on or after February 28, 2027, begin including information about planned changes in your system description now.

6. Engage your auditor early. Discuss the transition plan with your auditor, verify that the engagement team meets the C5:2026 qualification requirements, and confirm whether an attestation engagement or direct engagement is more appropriate for your situation.
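Steps 1, 2 and 5 above are mechanical enough to script. The following is an added example written for this guide; it is not BSI or CertHub tooling. It encodes the transition rules from the timeline section (Type 1 by specified date, Type 2 by period start, no mixing of versions, planned-changes disclosure for periods ending on or after February 28, 2027) and runs a coverage check of a control register against the subcriteria in scope, including sharpening subcriteria that replace a basic one and additional subcriteria selected without a stated rationale. The subcriterion identifier format "OPS-01.1", the control identifiers "CTRL-nnn" and the sample data are hypothetical; only the domain codes and the dates come from the catalogue as described above.

```python
"""Two pre-audit checks for a C5:2026 transition.

Added example, not BSI or CertHub tooling. The subcriterion identifier
format "<DOMAIN>-<nn>.<m>", the control identifiers "CTRL-nnn" and the
sample data at the bottom are hypothetical; only the domain codes and the
transition dates come from the catalogue as described in the guide.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

C5_2026_CUTOFF = date(2027, 6, 1)                    # C5:2026 mandatory from here
PLANNED_CHANGES_DISCLOSURE_FROM = date(2027, 2, 28)  # periods ending on/after: disclose planned changes


def applicable_catalogue(report_type: int, specified_date: Optional[str] = None,
                         period_start: Optional[str] = None,
                         period_end: Optional[str] = None) -> dict:
    """Mandatory catalogue version for an engagement (dates as ISO strings).

    Early adoption of C5:2026 is always permitted; this reports only the
    minimum the transition rules require.
    """
    if report_type == 1:
        if specified_date is None:
            raise ValueError("a Type 1 engagement needs a specified date")
        on = date.fromisoformat(specified_date)
        version = "C5:2026" if on >= C5_2026_CUTOFF else "C5:2020"
        return {"version": version, "planned_changes_disclosure": False}
    if report_type == 2:
        if period_start is None or period_end is None:
            raise ValueError("a Type 2 engagement needs a specified period")
        start, end = date.fromisoformat(period_start), date.fromisoformat(period_end)
        if end < start:
            raise ValueError("period ends before it starts")
        # No mixing: a period that starts before the cutoff stays on C5:2020
        # in full, even if it ends after June 1, 2027.
        version = "C5:2026" if start >= C5_2026_CUTOFF else "C5:2020"
        disclose = version == "C5:2020" and end >= PLANNED_CHANGES_DISCLOSURE_FROM
        return {"version": version, "planned_changes_disclosure": disclose}
    raise ValueError("report_type must be 1 or 2")


@dataclass(frozen=True)
class Subcriterion:
    id: str
    kind: str                       # "basic", "sharpening" or "complementing"
    replaces: Optional[str] = None  # sharpening only: the basic subcriterion it supersedes


def coverage_findings(catalogue: list, selected_additional: set,
                      rationale: dict, controls: dict) -> dict:
    """Compare the system description's control mapping with the audit scope.

    controls maps control id -> set of subcriterion ids it addresses.
    Returns in-scope subcriteria with no control, control mappings that
    point outside the scope (e.g. to a basic subcriterion replaced by a
    selected sharpening one), and selected additional subcriteria whose
    selection rationale is missing from the system description.
    """
    by_id = {s.id: s for s in catalogue}
    for sid in selected_additional:
        if sid not in by_id or by_id[sid].kind == "basic":
            raise ValueError(f"{sid} is not an additional subcriterion")
    replaced = {by_id[sid].replaces for sid in selected_additional
                if by_id[sid].kind == "sharpening"}
    basic = {s.id for s in catalogue if s.kind == "basic"}
    in_scope = (basic - replaced) | set(selected_additional)

    covered, orphans = set(), []
    for ctrl, ids in controls.items():
        for sid in ids:
            if sid in in_scope:
                covered.add(sid)
            else:
                orphans.append((ctrl, sid))
    return {
        "uncovered": sorted(in_scope - covered),
        "orphan_mappings": sorted(orphans),
        "missing_rationale": sorted(sid for sid in selected_additional
                                    if not rationale.get(sid, "").strip()),
    }


# Constructed sample data (hypothetical identifiers, not catalogue content).
SAMPLE_CATALOGUE = [
    Subcriterion("OPS-01.1", "basic"),
    Subcriterion("OPS-01.2", "basic"),
    Subcriterion("OPS-01.3", "sharpening", replaces="OPS-01.1"),
    Subcriterion("IAM-02.1", "basic"),
    Subcriterion("SSO-01.1", "basic"),
    Subcriterion("CRY-05.1", "complementing"),
]
SAMPLE_SELECTED = {"OPS-01.3", "CRY-05.1"}
SAMPLE_RATIONALE = {"OPS-01.3": "Customers in scope require the stricter variant."}
SAMPLE_CONTROLS = {
    "CTRL-010": {"OPS-01.1", "OPS-01.2"},  # still mapped to the replaced basic subcriterion
    "CTRL-011": {"OPS-01.3"},
    "CTRL-020": {"IAM-02.1"},
}


def run_example() -> dict:
    return coverage_findings(SAMPLE_CATALOGUE, SAMPLE_SELECTED, SAMPLE_RATIONALE, SAMPLE_CONTROLS)


if __name__ == "__main__":
    print(applicable_catalogue(2, period_start="2027-03-01", period_end="2028-02-29"))
    for key, items in run_example().items():
        print(f"{key}: {items}")
```

On the sample data the check reports SSO-01.1 and CRY-05.1 as uncovered, flags CTRL-010 for still pointing at the basic subcriterion that the selected sharpening subcriterion replaces, and lists CRY-05.1 as selected without a rationale. The Type 2 period in the usage call starts before June 1, 2027, so it stays on C5:2020 in full and, because it ends after February 28, 2027, triggers the planned-changes disclosure.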


When to Choose an Attestation Engagement vs. a Direct Engagement

The C5:2026 offers two audit approaches.

In an attestation engagement, the cloud service provider prepares a formal Description of its system of internal control, along with a management statement. The auditor then evaluates whether this Description is fairly presented and whether the controls meet the applicable C5 criteria.

In a direct engagement, the provider does not prepare a formal Description. Instead, the auditor identifies the relevant aspects of the system of internal control by interviewing subject matter experts and reviewing documentation directly. This approach is particularly suitable for providers who have not yet sufficiently documented their system of internal control.

Both approaches require reasonable assurance and can result in Type 1 or Type 2 reports.


Looking Ahead

The C5:2026 reflects the BSI's commitment to keeping cloud security standards aligned with the pace of technological change, from containerisation and post-quantum cryptography to the evolving European regulatory landscape around EUCS and NIS2. For cloud service providers, the message is clear: start preparing now, and treat the June 2027 deadline not as a cliff edge, but as a milestone in a continuous compliance journey.

The further you move from IaaS to SaaS, the more responsibility shifts to the provider. But even in a fully managed SaaS environment, the customer remains accountable for data classification and access control, a point the C5:2026 reinforces through its complementary customer criteria (CUEC).

At CertHub, we work with cloud service providers to structure their compliance documentation and streamline audit preparation. If you're planning your C5:2026 transition, our team can help you map existing controls to the new subcriteria format and identify gaps before your auditor does.

The full C5:2026 catalogue is available at https://www.bsi.bund.de/C5.


Source: BSI, "Cloud Computing Compliance Criteria Catalogue (C5:2026)," Federal Office for Information Security, Germany.


© CertHub 2025