TR-03161 and C5: The Security Foundation for Your Digital Health Applications (DiGA)

  • Article
  • 12 minute read
  • 14 Apr 2026

Cloud services are essential to healthcare digitalisation – especially when processing patient data. With the increasing use of cloud services, the requirements for information security, transparency and regulatory compliance are also growing.

To address these challenges, the Federal Office for Information Security (BSI) has published two key requirement catalogues:

  1. Technical Guideline TR-03161, which defines security and data protection requirements for digital health applications (DiGA) and their backend systems.
  2. Cloud Computing Compliance Criteria Catalogue (C5), which defines a level of security for cloud services that is verifiable in audits.

Together, C5 and TR-03161 form the security foundation for managing healthcare data via cloud services.

TR-03161: Secure digitalisation in healthcare

Digital health applications (DiGA) – known as “apps on prescription” – are increasingly used to support diagnosis, treatment, and patient autonomy for conditions like mental illness, diabetes, and chronic pain.

Regulated by the Federal Institute for Drugs and Medical Devices (BfArM) and reimbursable by health insurers, DiGA process highly sensitive health data and directly influence treatment. Therefore, they must comply with strict security standards.

From January 1, 2025, manufacturers of DiGA must follow the legally mandated TR-03161 technical guideline. DiGA manufacturers are required to demonstrate compliance with the security requirements set out in TR-03161 by means of a certificate (§ 139e Abs. 10 SGB V). The guideline sets out clear requirements for the secure development and operation of mobile and web applications, focusing on:

  • Data security
  • Data integrity
  • Data protection

Manufacturers are also required to undergo audits to verify compliance.

BSI C5: Security and transparency for cloud services

The Cloud Computing Compliance Criteria Catalogue (C5), developed by the German Federal Office for Information Security (BSI), defines the security criteria that cloud service providers must meet to operate securely and transparently. Serving as a checklist for audits, C5 helps organisations choose trustworthy cloud providers.

The catalogue was first published in 2016 and updated in 2020. The most recent version, C5:2026, introduces further refinements while maintaining the core requirement that cloud providers establish an internal control system. Two types of C5 audit report can be issued: a Type 1 report assesses whether the cloud provider’s controls are suitably designed and implemented as of a specific date, and a Type 2 report evaluates the operating effectiveness of those controls over a defined period.

Since 2024, Germany’s “Act to Accelerate the Digitalisation of the Healthcare System” (commonly called the Digital Healthcare Act or Digital-Gesetz) permits processing sensitive health data via cloud services under Section 393 of the Social Code Book V (SGB V). This is allowed only if the cloud provider holds a valid BSI C5 Type 2 audit report after 1 July 2025 or complies with the C5 Equivalence Ordinance (C5-Gleichwertigkeitsverordnung).

For entirely new cloud services launched after 1 July 2025, the “Act on the Extension of Competencies and Reduction of Bureaucracy in Care” (BEEP Act, or BEEP-Gesetz) allows a BSI C5 Type 1 audit report in the first 18 months of operation.

These regulations aim to enable healthcare organisations to safely process sensitive social and health data using modern cloud services, while ensuring a uniform and high level of security verified by independent third-party audits. The German Federal Ministry of Health (BMG) oversees this framework to foster trust and digital innovation in healthcare.

Connection between TR-03161 and BSI C5

In Part 3 of TR-03161, the BSI formulates specific requirements for the backend systems of DiGA. These requirements relate to the resources used by a DiGA: application-level components such as application logic and databases, as well as infrastructure services such as compute, network, firewall, user management and Internet connectivity.

These backend systems increasingly consist of cloud services, in particular Infrastructure as a Service (IaaS) and Platform as a Service (PaaS). To meet the protection requirements of the health data processed in these backend systems, TR-03161 requires that a BSI C5 report be available for them. The DiGA provider must therefore ensure that it only operates its DiGA on cloud services for which the cloud provider has obtained a BSI C5 report. TR-03161 and BSI C5 thus form two essential pillars of information security for DiGA.

It may also be useful or even necessary for DiGA providers to obtain a BSI C5 report themselves, especially if they provide the DiGA as a cloud service (often SaaS) that other organisations can access. This is to be assessed on a case-by-case basis and, depending on the specific application, in light of the Digital Healthcare Act.

What does this mean for providers of digital health services?

DiGA providers are legally required to obtain a product certification according to TR-03161. It is crucial to carefully determine which parts of the TR are applicable to narrow down which requirements must be implemented and which can be excluded. This can have a significant impact on the DiGA provider’s effort to implement the requirements and then have them audited, and as a result, on the necessary investment.

Once it has been determined which parts of the TR are applicable, the respective requirements should be implemented and, in accordance with the guidelines, audited by an independent and accredited auditing body.

The requirements specified by TR-03161 cover aspects such as secure authentication, encryption in accordance with state-of-the-art cryptographic procedures, secure network communication and other IT security measures.

DiGA providers should only use cloud-based systems, such as IaaS or PaaS, if their providers hold a BSI C5 Type 2 report. This should be established during provider selection and provider management by making appropriate enquiries with the cloud provider. When reviewing the report, attention should be paid to its scope, the type of report (Type 1 “suitability” or Type 2 “operating effectiveness”) and any findings. For DiGA providers, it may also be important to assess the extent to which they themselves are considered cloud providers in accordance with Section 384 of the German Social Code, Book V (SGB V) and require a BSI C5 report. If customers (such as hospitals or health insurance companies) process health data using the service, it is to be expected that they will require a BSI C5 Type 2 report in order to enter into or continue a contractual relationship.

Upon completion of the TR-03161 audit, the audit body prepares a report, submits it together with all relevant documents (e.g., BSI C5 reports) to the BSI for conformity assessment, and provides support in the event of any queries. After successful conformity assessment, the BSI issues the corresponding data security certificate.

The path to conformity: a strategic roadmap

The requirements of TR-03161 and BSI C5 are demanding – but the path to certification can be planned.

The first question is: Where exactly does the organisation stand? An initial analysis (gap assessment) determines the extent to which existing technical and organisational safeguards already address the requirements of C5 and TR-03161. The aim is to understand where action is needed and to create a starting point for defining and implementing the necessary measures.

Specific to the Digital Healthcare Act: providers of digital health services can apply the C5 Equivalence Ordinance to take advantage of the transition period of up to 24 months. Important to note: while the transition period seems long at first, the BSI is expected to publish a new version of the C5 soon, and competitors may also seek a BSI C5 report.

Once organisations have established their compliance, they can initiate the audit. As PwC is an audit firm and a BSI-approved audit body, we can carry out audits in accordance with TR-03161 and BSI C5. In such engagements, we closely align on the scope of the audit as well as its timing and develop a tailored audit plan to ensure that the audit runs smoothly.

If there are still gaps to be closed ahead of an audit, specific preparation is essential. If PwC is not the appointed audit body, we can provide support with individually tailored activities. This includes, for example, developing and implementing security measures, project management or conducting relevant training for expert staff.

Navigating this process requires in-depth expertise in technical criteria and formal requirements. An experienced partner can significantly accelerate and secure the path to a successful audit.

Contact us

Jörg Asma

Partner, Cyber Security & Privacy, PwC Germany

Tel: +49 221 2084-103

Markus Vehlow

Partner, Cloud Provider Risk, Regulatory & Compliance Assurance, PwC Germany

Tel: +49 160 7139416