Cloud Computing Compliance Criteria Catalogue (C5)

A Type 2 C5 attestation is an independent, third-party audit report that covers not just the design, but the ongoing operational effectiveness of cloud security controls over a defined period (typically 6–12 months). This goes beyond a “Type 1” attestation (which assesses controls at a single point in time) and is considered the gold standard for trust, especially for regulated sectors.

Yes. In Germany, cloud providers must have a valid C5 Type 2 attestation to host sensitive health data or fulfill requirements for many regulated industries. Exoscale’s Type 2 C5 report ensures our platform meets these standards, supporting your compliance with German health data laws and other regulatory requirements.

BSI C5 is an attestation scheme based on an independent audit, aligned with the ISAE 3000 standard for assurance engagements—the same international audit standard underlying SOC 2 reports.

• C5 and SOC 2 are both attestation schemes (not certifications): they result in detailed auditor’s reports describing the controls and their effectiveness, not just a simple “certificate.”
• SOC 2 (by AICPA, using ISAE 3000) is widely recognized in the US and internationally, while C5 was developed for Germany and the EU, aligning closely with ISO/IEC 27001/27002 and the Cloud Controls Matrix.
• Both provide strong evidence for due diligence, vendor risk management, and regulatory compliance, but C5 adds Germany- and EU-specific requirements and reporting transparency.

Unlike ISO or ENISA certifications, which grant a formal certificate, attestation schemes like C5 and SOC 2 offer a report—a comprehensive, independently verified description of security controls and audit results.

The C5 report is used by: - Cloud customers for vendor due diligence and regulatory submissions - Auditors and regulators as evidence of effective controls - Cloud providers to demonstrate trust and support procurement requirements

C5 is not legally required for all use cases, but for many regulated workloads—such as health data in Germany—having a valid Type 2 C5 attestation is now mandatory. It is also widely referenced in public tenders, supply chain security, and EU regulatory frameworks.