Executive Summary

The Federal Office for Information Security (BSI) has published the updated version of the C5:2026 criteria catalog. The standard defines minimum requirements for secure cloud computing and replaces the 2020 version. C5 is considered the authoritative standard for German authorities, financial service providers, banks, and the healthcare sector. The new version contains more precise specifications for container management and comprehensive regulations on post-quantum cryptography. The catalog will be available in machine-readable format for the first time.

Topics

  • Cloud Security
  • Cryptography
  • Compliance Standards
  • Digital Sovereignty

Clarus Lead

The update addresses central industry challenges: post-quantum cryptography becomes the norm, while container management is regulated significantly more strictly. For organizations in regulated sectors (healthcare, finance, public administration), new compliance requirements arise. The BSI additionally plans an independent sovereignty criteria framework, which signals a double audit burden – a response to growing data protection and geopolitical debates.

Detailed Summary

Structural Improvements and Machine Readability

The revised structure with sub- and additional criteria creates clarity in audit and evaluation. For the first time, the catalog will be provided in machine-readable format, which is intended to facilitate automation processes for cloud providers and audit bodies. However, the fundamental problem remains: official certification is cost-intensive and therefore realistic to implement primarily for larger, established companies.

Post-Quantum Cryptography and Technical Requirements

Chapter 5.8 of the new standard comprehensively regulates post-quantum cryptography. Cloud providers must implement hybrid procedures, combining classical and post-quantum algorithms, so that procedures expected to become weak are reinforced. The BSI incorporated community feedback from the past five years, particularly requirements already defined in bilateral cloud cooperation agreements with European and US providers. Beyond encryption, C5:2026 also regulates container management significantly more precisely than the previous version – a critical area for modern cloud infrastructures.

Legal and Organizational Requirements

The catalog requires cloud providers to transparently disclose which legal jurisdiction they and their parent companies are subject to. Data requests from authorities must be fully documented. Central definitions (zones, partitions, locations) are bindingly established to eliminate interpretation uncertainties. The BSI plans to soon publish additional sovereignty criteria that will tie cloud solutions to political independence.

Key Statements

  • C5:2026 raises security standards for cloud computing in Germany with specific requirements for post-quantum cryptography and container management
  • Machine-readable formats enable automation but do not reduce the overall complexity of certification
  • Sovereignty criteria in preparation indicate political prioritization of data protection and European independence in cloud infrastructures

Critical Questions

  1. Evidence Quality: On which studies or incidents is the prioritization of post-quantum cryptography in C5:2026 based? Was a concrete timeline horizon for quantum computer threats used as the basis?

  2. Implementation Costs: How will the BSI address the acknowledged problem that certification costs exclude smaller providers and thus reinforce market concentration?

  3. Causality: To what extent are the new sovereignty criteria a technical security measure and to what extent a political response to geopolitical tensions – where is the line drawn?

  4. Interoperability: How will C5:2026 be harmonized with international standards (ISO 27001, AWS/Azure compliance), especially in hybrid cloud and multi-provider setups?

  5. Monitoring: What mechanisms does C5:2026 provide to prevent providers from fulfilling compliance requirements only on paper?

  6. Limits of Machine Readability: Does the machine-readable format really reduce audit burden, or does it shift complexity to the interpretation of machine output?


Sources

Primary Source: BSI Updates Cloud Security Standard C5:2026 – https://www.heise.de/news/BSI-Kriterienkatalog-fuer-Cloud-Computing-C5-verlangt-mehr-11247015.html

Verification Status: ✓ 2025


This text was created with the support of an AI model. Editorial Responsibility: clarus.news | Fact-Check: 2025