The Digital Act permits the processing of health data in the cloud

Cloud usage in healthcare with BSI C5

10 Mar 2026

Healthcare institutions are increasingly using cloud-based IT applications. To provide a secure framework for this development, the Federal Ministry of Health (BMG) enacted the “Act on Accelerating the Digitalisation of Healthcare” in 2024. The act, known as the “Digital Act”, allows healthcare organisations to process sensitive patient data using cloud services, provided that the cloud providers have obtained a report for these services in accordance with the established “Cloud Computing Compliance Criteria Catalogue” (C5 for short).

The Digital Act, specifically Section 393 of the Social Code (SGB) V, covers various types of cloud services, often provided as Software as a Service (SaaS). These may include services that, for example, offer chatbots, convert spoken language into text (speech-to-text), assist in the transmission and analysis of sensor data and images (MRI, X-ray etc.), or enable telemedicine services. Applications for billing services or comprehensive practice and hospital information systems may also be covered if they are provided as cloud services.

The key points in 30 seconds

  • Healthcare organisations may use cloud services to process patient data, provided that a BSI C5 Type 2 report is available for these services.
  • The C5 is a catalogue published by the German Federal Office for Information Security (BSI) that defines security criteria for the operation of cloud services.
  • A BSI C5 audit takes place at the cloud service provider – the provider must meet the C5 criteria with appropriate security measures (controls).
  • The absence of a BSI C5 report may result in providers of cloud-based IT services no longer being able to participate in tenders run by healthcare organisations.
  • Cloud service providers working with healthcare organisations should pursue BSI C5 compliance, especially when serving:
    • Health insurance companies
    • Social security providers
    • Social welfare offices and authorities
    • Service providers such as medical practices, healthcare centres or hospitals


The transitional regulation “C5 Equivalence Ordinance”

In 2025, the Federal Ministry of Health (BMG) issued the C5 Equivalence Ordinance. This transitional mechanism allows healthcare organisations to process patient data using a cloud service, even if a BSI C5 Type 2 audit report is not yet available for that service.

The prerequisite for this is that the cloud service provider:

  • obtained an ISO 27001 certificate or an ISO 27001 certificate based on IT-Grundschutz, or a certificate / report for the Cloud Controls Matrix Version 4.0, and
  • identified any gaps between existing security measures and the BSI C5 criteria (for example, through a gap assessment conducted by PwC) and
  • developed an action and milestone plan with which BSI C5 compliance will be achieved within 12 months from a self-selected start date and a BSI C5 Type 2 report will be obtained within a further 12 months.

Since 1 July 2025, the Digital Act requires that cloud providers hold a BSI C5 Type 2 audit report. This audit evaluates whether the controls established by the cloud provider were both suitably designed and effectively operated over a specific period, typically between six and twelve months.

“Thanks to our extensive experience with audit and advisory projects for cloud providers of various sizes, we understand the challenges that BSI C5 compliance can pose for cloud providers.”

Markus Vehlow, Partner at PwC Germany

The path to C5 compliance: A strategic roadmap

Assessment and planning

The first question is: To what extent is the organisation prepared for a BSI C5 audit? A gap assessment can determine the extent to which existing technical and organisational measures already meet the applicable C5 criteria. The aim is to identify which criteria may require action, to establish a starting point for defining measures, and to develop a timeline for audit preparation and the audit itself.

Important to note: The BSI will soon be publishing a new version of C5, and competitors may also be aiming for a BSI C5 report.

Conducting the BSI C5 audit

Once a cloud provider has completed its preparations, the audit process can begin. As an audit firm, we can conduct audits in accordance with BSI C5 (Type 1 and Type 2). To this end, we closely align on the timeline as well as the scope of the audit (in particular the cloud services to be included) and develop a tailored audit plan to ensure the audit runs smoothly.

Implementing necessary controls

If there are still gaps to be closed prior to an audit, cloud providers need to thoroughly prepare. If PwC is not commissioned to carry out the BSI C5 audit, we can provide support through individually tailored activities. These may include, for example, developing, aligning and implementing required controls, as well as integrating these into existing, comprehensive control or information security management systems.

Navigating this process requires in-depth specialist knowledge of the technical criteria and formal framework. An experienced partner can significantly accelerate and safeguard the path to a successful BSI C5 audit.

Using our proven approach, we have successfully supported numerous cloud providers with BSI C5 audit and consulting projects over the past years.

Contact us

Markus Vehlow
Partner, Cloud Provider Risk, Regulatory & Compliance Assurance, PwC Germany
Tel: +49 160 7139416

Immo Regener
Senior Manager, PwC Germany
Tel: +49 1514 6714 572