Compliance

C5:2025 Community Draft and Major Changes

Kels Dethlefs

Principal, Coalfire

Chris Nelms

Principal, Coalfire

October 17, 2025

If your business does any work in Europe, BSI C5 may already have been a topic of conversation around the boardroom. This framework, created by the German Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik, abbreviated here as BSI), has recently become a requirement for many companies in the healthcare industry that process German data, thanks to § 393 of SGB V, referred to as the DigiG legislation.

BSI has recently released a new version of the C5 (referred to here as C5:2025), which is set to be required for assessments starting in 2027.  How does this affect companies who are looking to gain C5 attestation or already have it?

What is C5?

C5 is a criteria catalogue outlining requirements for secure cloud computing environments. It was established by the BSI in 2016 (referred to as C5:2016) and then updated in 2020 (referred to as C5:2020). The attestation itself is focused on cloud-hosted environments but can be expanded to include physical security for data centers. According to the C5:2020 catalogue, the focus of C5 was to compile requirements from established standards in information security (such as ISO/IEC 27001, SecNumCloud, AICPA Trust Service Categories, and BSI IT-Grundschutz), increase requirements where needed, and create additional criteria when necessary.

It's important to understand that this is an attestation, not a certification. There is no certifying body for C5. Auditors perform the assessment over a specific cloud service (chosen and scoped by the company) and give an opinion on whether the specific criteria in the 17 domains are properly covered by the cloud service's controls, either at a specific point in time (for a C5 Type 1 report) or over a specified review period (for a C5 Type 2 report). Companies must have their environments reassessed on a yearly cadence in order to stay compliant with DigiG requirements.

When the first revision of C5 occurred, from C5:2016 to C5:2020, the update introduced several changes, including the Product Security criteria (PSS), which addressed the security of the cloud service itself and incorporated additional requirements from the EU Cybersecurity Act. It also added a section addressing guidelines for handling requests from government agencies, as well as additional DevOps requirements. The major changes can be found in Section 1.1 of the C5:2020 Criteria Catalogue. These changes were reviewed by users, auditors, regulators, and cloud providers in 2019, prior to the official publication in January 2020, as part of a public community draft process.

What is the C5:2025 Community Draft?

In July 2025, the 2025 Community Draft was published on the BSI website. This post served to inform the public that a new update was in progress and requested feedback on the proposed changes. At a high level, the new version integrates new information security developments such as:

  • Additional insights and focuses from the European Cloud Certification Scheme (EUCS).
  • Considerations from other frameworks such as the newest version of CSA Star v4.0, the 2022 edition of ISO/IEC 27001, and the NIS2 directive.
  • Additional risks that have developed as the industry has expanded, such as container management issues, supply chain management issues, post-quantum cryptography, and confidential computing.

Major Changes from the Draft

As expected, five years of progress since the last update have required substantial updates for C5:2025. One particularly large update to note is the addition of sub-criteria. In C5:2020, criteria often spanned multiple paragraphs and contained many requirements that would need multiple controls to address. With the change to numbered sub-criteria, each requirement is now listed separately, which, given the prescriptive nature of the C5 criteria, will likely mean that each sub-criterion has only one or two controls attached to it at most. This may change the actual appearance of the report, depending on the auditing firm, but it may also enhance readability for readers of the report, who will be able to verify that every aspect of a criterion is addressed by those specific controls.

When it comes to content, C5:2025 shows its commitment to the modern age by being an early adopter of many of the newest developments in the industry, such as:

  • Cloud Hosting and Supply Chain Security: In the previous version, environments that were entirely cloud-hosted were able to carve out the majority of Domain 5 (Physical Security). With C5:2025, additional sub-criteria have been added to address the risk of using a cloud hosting service provider, such as ensuring that companies have documented which responsibilities the cloud service provider is performing and verifying at defined intervals that those responsibilities are still being met effectively (PS-01.05, 06B). Additionally, the Control and Monitoring of Service Providers and Suppliers (SSO) domain has been strengthened to require additional points of focus and restrictions on access to customer data for any contracted service provider (SSO-02.01B, 03.01B).
  • Artificial Intelligence (AI): The use of AI-based tools is addressed by stating that AI tools may be used, but there must be explicit documentation around them, and they may not replace subject matter experts when it comes to understanding vulnerability criticality or mitigation. Those being assessed will need to show that subject matter experts are still involved in making decisions around vulnerability management and mitigation.

Additionally, policy- and procedure-related requirements have become stricter about what must be in documentation, with a myriad of topics added to the documentation sub-criteria. Those intending to perform a C5:2025 assessment should carefully review their respective policies to ensure that they meet all bullet-point requirements listed in the sub-criteria.

It is worth mentioning that the new update appears to have taken several requirements from CSA STAR CCM v4.0. A company that is currently performing a Level 2 Attestation assessment for its cloud service may already be meeting several of the new requirements to the extent they will be assessed. Companies performing a Level 2 Certification should be prepared to show additional evidence, as C5 assesses against the ISAE 3000 or nationally equivalent engagement standards, so additional procedures such as populations and sampling will need to be performed to reach reasonable assurance. Other audits may provide some level of coverage; a reference table mapping additional standards is expected to be issued with the final standard.

Important Dates to Know

The community draft comment period ended September 15, 2025, and publication of the finalized C5:2025 is planned for December 2025. Companies wishing to gain C5:2025 compliance should watch the updates coming from BSI, particularly around timing, because the language around the final date on which C5:2020 reports can still be issued is uncertain. Per subsection 3.5 of the C5:2025 community draft, any assessment beginning on or after January 1st, 2027 should apply the updated criteria, with earlier adoption of the updated criteria permitted if applicable. Assessments with a specified period ending up to three months prior to January 1st, 2027 that issue under the C5:2020 criteria must include details of the roadmap for final implementation of C5:2025 in the system description.

Final Thoughts

C5 is more prevalent and respected in the industry than ever before, and a change as large as the current community draft is something all companies that wish to gain or keep attestation should consider carefully. Coalfire can assist with any questions as new information continues to come out, as well as with any specific situations you have in mind. Current customers who have C5:2020 reports being issued should ask their Coalfire representative about a delta assessment to address the new requirements from C5:2025 after the final version is released.