Cloud services are essential to healthcare digitalisation – especially when processing patient data. With the increasing use of cloud services, the requirements for information security, transparency and regulatory compliance are also growing.
To address these challenges, the Federal Office for Information Security (BSI) has published two key requirement catalogues: the Cloud Computing Compliance Criteria Catalogue (C5) and the Technical Guideline TR-03161. Together, C5 and TR-03161 form the security foundation for processing healthcare data via cloud services.
Digital health applications (DiGA) – known as “apps on prescription” – are increasingly used to support diagnosis, treatment, and patient autonomy for conditions like mental illness, diabetes, and chronic pain.
Regulated by the Federal Institute for Drugs and Medical Devices (BfArM) and reimbursable by health insurers, DiGA process highly sensitive health data and directly influence treatment. Therefore, they must comply with strict security standards.
From January 1, 2025, manufacturers of DiGA must comply with the legally mandated Technical Guideline TR-03161, which sets out clear requirements for the secure development and operation of mobile and web applications. Manufacturers are also required to undergo an audit that verifies this compliance.
The Cloud Computing Compliance Criteria Catalogue (C5), developed by the Federal Office for Information Security (BSI), sets out the security criteria cloud service providers must meet to operate securely and transparently. Serving as an audit checklist, C5 supports organisations in selecting trustworthy cloud services.
First published in 2016, C5 was revised as C5:2020, the version currently in force. The BSI is preparing the next update, expected in early 2026. C5 requires cloud providers to operate an internal control system. Independent public audit firms issue C5 reports, which assess the effectiveness of the provider's controls over a specified period.
In 2024, the “Act to Accelerate the Digitisation of the Healthcare System” (Digital Act for short) introduced Section 393 of the German Social Code, Book V (SGB V), which permits the processing of health data using cloud services, provided that the provider holds a BSI C5 report (Type 2) or complies with the C5 Equivalence Ordinance. The intent of the Federal Ministry of Health (BMG) is to allow healthcare organisations to process sensitive social and health data with modern cloud services while ensuring a uniformly high level of security that is confirmed by an independent third party.
In Part 3 of TR-03161, the BSI formulates specific requirements for the backend systems of DiGA. These requirements cover the resources used by a DiGA, such as application logic and databases, as well as infrastructure services such as compute, network, firewalls, user management and Internet connectivity.
These backend systems increasingly consist of cloud services, in particular Infrastructure as a Service (IaaS) and Platform as a Service (PaaS). To meet the protection requirements of the health data processed in them, TR-03161 requires that a BSI C5 report be available for these systems. The DiGA provider must therefore ensure that it operates its DiGA only on cloud services for which the cloud provider has obtained a BSI C5 report. TR-03161 and BSI C5 thus form two essential pillars of information security for DiGA.
It may also be useful, or even necessary, for DiGA providers to obtain a BSI C5 report themselves, especially if they offer the DiGA as a cloud service (often SaaS) that other organisations access. Whether this applies must be assessed case by case and, depending on the specific application, against the Digital Act.
DiGA providers are legally required to obtain a product certification according to TR-03161. It is crucial to carefully determine which parts of the TR are applicable to narrow down which requirements must be implemented and which can be excluded. This can have a significant impact on the DiGA provider’s effort to implement the requirements and then have them audited, and as a result, on the necessary investment.
Once it has been determined which parts of the TR are applicable, the respective requirements should be implemented and, in accordance with the guidelines, audited by an independent and accredited auditing body.
The requirements specified by TR-03161 cover aspects such as secure authentication, encryption in accordance with state-of-the-art cryptographic procedures, secure network communication and other IT security measures.
DiGA providers should only use cloud-based systems, such as IaaS or PaaS, whose providers hold a BSI C5 report (Type 2). This should be established during provider selection and provider management by making appropriate enquiries with the cloud provider. When reviewing the report, attention should be paid to its scope, the type of report (Type 1 confirms the suitability of the control design; Type 2 confirms operating effectiveness over a period) and any findings it contains. DiGA providers should also assess whether they themselves qualify as cloud providers within the meaning of Section 384 of the German Social Code, Book V (SGB V) and therefore need a BSI C5 report of their own. If customers such as hospitals or health insurance companies process health data using the service, it is to be expected that they will require a BSI C5 report (Type 2) in order to enter into or continue a contractual relationship.
Upon completion of the TR-03161 audit, the audit body prepares a report, submits it together with all relevant documents (e.g., BSI C5 reports) to the BSI for conformity assessment, and provides support with any queries the BSI raises. After a successful conformity assessment, the BSI issues the corresponding data security certificate.
The requirements of TR-03161 and BSI C5 are demanding, but the path to certification can be planned.
Navigating this process requires in-depth expertise in technical criteria and formal requirements. An experienced partner can significantly accelerate and secure the path to a successful audit.
Partner, Cloud Provider Risk, Regulatory & Compliance Assurance, PwC Germany