Executive Summary
The Federal Office for Information Security (BSI) has published its updated criteria catalog C5 for secure cloud computing in the revised version C5:2026. The standard replaces the 2020 version and defines minimum requirements for cloud services in Germany. C5 is legally mandatory in the healthcare sector, financial sector, and for government agencies. The new version tightens requirements for container management and post-quantum cryptography. The BSI will provide the catalog in machine-readable format for the first time.
Persons
- Claudia Plattner (BSI President)
- Thomas Caspers (BSI Vice President)
Topics
- Cloud security and data protection
- Post-quantum cryptography
- IT regulation and compliance
- Automation of security audits
Clarus Lead
C5:2026 responds to changing threat scenarios in cloud computing, particularly due to the growing relevance of post-quantum cryptography. For companies and public institutions, the compliance burden is increasing: the detailed new requirements for container management and encryption require significant technical adjustments. The introduction of machine-readable formats signals a shift toward automated compliance processes – but remains expensive for smaller providers.
Detailed Summary
The updated catalog clarifies central concepts such as "zone," "partition," and "location" in cloud operations, thereby creating a reliable definitional foundation for all stakeholders. BSI President Claudia Plattner describes C5:2026 as a "contemporary and practice-oriented standard" – an assessment supported by the fact that many of the new requirements have already been tested in bilateral cloud cooperation agreements between the BSI and European and US providers.
Chapter 5.8 explicitly addresses post-quantum cryptography and defines hybrid procedures that pair established schemes with post-quantum ones, so that encryption standards expected to become weak are reinforced. In parallel to organizational and legal requirements (information on applicable law, data locality, disclosure obligations), the new version contains comprehensive security criteria ranging from customer data protection to incident management. Requirements for container management have been particularly tightened.
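To make the "hybrid procedure" idea concrete, here is an added illustration (not code from the BSI, the C5 catalog or the heise article) of the defender-side building block such procedures rely on: two independently agreed shared secrets, one from a classical key exchange and one from a post-quantum KEM, are fed through an HKDF combiner so that the session key stays secret as long as at least one of the two secrets is. The combiner design (length-prefixed concatenation, fixed salt, context string) is a generic construction and an assumption of this example, not the specific procedure C5:2026 prescribes; the two input secrets are random placeholders standing in for real ECDH and ML-KEM outputs, which this snippet does not implement.

```python
import hashlib
import hmac
import os

HASH = hashlib.sha256


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869): PRK = HMAC-Hash(salt, IKM)."""
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869): OKM = T(1) || T(2) || ... truncated to `length` bytes."""
    okm = b""
    block = b""
    counter = 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def hybrid_combine(ss_classical: bytes, ss_pq: bytes, context: bytes, length: int = 32) -> bytes:
    """Derive one session key from a classical and a post-quantum shared secret.

    Each secret is length-prefixed before concatenation so the boundary between
    them is unambiguous, then the pair is run through HKDF. Because the PRF
    binds the whole input, an attacker who recovers only one of the two secrets
    (e.g. the classical one via a future quantum computer) still cannot
    reproduce the key. This combiner layout is an assumption of this example.
    """
    if not ss_classical or not ss_pq:
        raise ValueError("both shared secrets are required for a hybrid key")
    ikm = (
        len(ss_classical).to_bytes(2, "big") + ss_classical
        + len(ss_pq).to_bytes(2, "big") + ss_pq
    )
    prk = hkdf_extract(b"hybrid-kex-v1", ikm)  # constant salt, assumed label
    return hkdf_expand(prk, b"session-key|" + context, length)


def demo() -> dict:
    """Constructed scenario: both secrets are random stand-ins for real
    key-exchange outputs. Shows that leaking one secret does not leak the key."""
    ss_classical = os.urandom(32)   # placeholder for an ECDH shared secret
    ss_pq = os.urandom(32)          # placeholder for an ML-KEM shared secret
    context = b"client-hello|server-hello"  # constructed transcript label

    session_key = hybrid_combine(ss_classical, ss_pq, context)

    # Attacker model: the classical secret is fully recovered, the PQ one is not.
    # The best the attacker can do is guess the PQ secret; here an all-zero guess.
    attacker_key = hybrid_combine(ss_classical, bytes(32), context)

    return {
        "key_len": len(session_key),
        "attacker_matches": session_key == attacker_key,
        "deterministic": session_key == hybrid_combine(ss_classical, ss_pq, context),
    }


if __name__ == "__main__":
    print(demo())
```

The same combiner can be dropped into any handshake that already produces two secrets; what C5-style audits will care about is that both key-agreement components are actually exercised on every connection and that the derivation binds the transcript, which the `context` argument stands in for here.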
BSI Vice President Thomas Caspers emphasizes that the revised structure with sub-criteria and additional criteria creates "greater clarity in auditing, assignment, and evaluation." Provision in machine-readable format is a novelty and is intended to simplify automation processes. The BSI also announces that it will publish supplementary general sovereignty criteria for cloud computing solutions.
A structural problem persists: official certification according to C5 is time-consuming and costly – an obstacle particularly for smaller providers.
Key Findings
- C5:2026 replaces the 2020 version and becomes the standard for German cloud security regulation
- Post-quantum cryptography and hybrid encryption are now explicitly integrated into the catalog
- Container management requirements are significantly tightened; machine-readable formats enable automation
- Certification costs remain a market entry barrier for smaller providers
Critical Questions
Evidence/Data Quality: On what basis did the BSI define the specific technical thresholds for post-quantum hybrid procedures? Which expert opinions or standards were considered?
Conflicts of Interest: To what extent do the bilateral cooperation agreements already conducted with individual cloud providers influence the neutrality of the C5 criteria?
Causality/Alternatives: Why was the machine-readable version not introduced with C5:2020? What technical or organizational obstacles existed at that time?
Feasibility/Risks: What transition period do existing certification holders receive to migrate from C5:2020 to C5:2026? Are operational disruptions likely?
Conflicts of Interest: Do certification auditors and consulting firms benefit disproportionately from the increased complexity of the new standard?
Evidence: Are metrics available showing how many cloud providers failed to meet the 2020 version? How will the success of C5:2026 be measured?
Source Directory
Primary Source: BSI Criteria Catalog for Cloud Computing: C5 Demands More – heise online
Verification Status: ✓ 2024
This text was created with the support of an AI model. Editorial Responsibility: clarus.news | Fact-Check: 2024