On 7 April 2026, the German Federal Office for Information Security (BSI) published the Cloud Computing Compliance Criteria Catalogue (C5):2026, a non-binding criteria catalogue setting out security requirements for cloud computing services. The C5:2026 is directed at cloud service providers offering Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS) and Software-as-a-Service (SaaS) products, as well as at cloud service customers procuring or assessing cloud services. The C5:2026 builds on the Cloud Computing Compliance Criteria Catalogue (C5):2020 and incorporates security requirements from the European Union Agency for Cybersecurity (ENISA) European Cybersecurity Certification Scheme for Cloud Services (EUCS) Substantial level, itself derived from the C5:2020, aligning the C5:2026 with the security requirements of EUCS Substantial. The C5:2026 comprises 168 criteria across 17 domains and introduces new criteria addressing container management, supply chain transparency including Software Bills of Materials (SBOMs), post-quantum cryptography, confidential computing and client separation. Cloud service providers may have their compliance attested by independent auditors, with the C5:2026 criteria applying to all C5 audit engagements commencing on or after 1 June 2027. The catalogue serves as the baseline security prerequisite for the Criteria enabling Cloud Computing Autonomy (C3A) framework, published separately by the BSI. A cross-reference table to international standards is scheduled for publication by end of Q2 2026.