Cloud Computing Criteria Catalogue – updated, also for customers

January 2020. The Federal Office for Information Security in Germany (Bundesamt für Sicherheit in der Informationstechnik, BSI) has thoroughly revised and updated its Criteria Catalogue for Cloud Computing, which is available for free (BSI 2020). Since its introduction in 2016, this practical guide for customers of cloud services as well as operators has achieved a broad market penetration: We know of more than a dozen C5 attestations at national, European and worldwide cloud service providers covering a broad set of cloud services. Besides large cloud service providers, medium- and small-sized providers now also apply the catalogue. The criteria catalogue supports customers in selecting, controlling and monitoring their cloud service providers. The corresponding reports form the foundation for a solid risk assessment.

The new C5 implements the general requirements of the EU Cybersecurity Act (EUCA). This European regulation describes requirements for IT products and services that are certified according to an EUCA-compliant procedure. These requirements have been incorporated into the C5:2020 and are summarised in the new domain of product security.

The interfaces between cloud service providers and cloud users play an important role in the secure use of cloud services. The C5:2020 introduces "corresponding criteria" that the cloud customer must meet at the interfaces to the cloud service in order to play its part in the shared responsibility for security.

This further extends the role of C5 as a foundation for cloud security for providers, customers and auditors. As such, it will continue to serve as a good example of how information security can be shaped in the digital age.


Federal Office for Information Security (BSI) (2020): Cloud Computing Compliance Criteria Catalogue (C5). C5:2020. Bonn, January. Including Annexes.

European Union (2019): REGULATION (EU) 2019/881 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 17 April 2019 on ENISA (the European Union Agency for Cybersecurity) and on information and communications technology cybersecurity certification and repealing Regulation (EU) No 526/2013 (Cybersecurity Act).

Source: Bundesamt für Sicherheit in der Informationstechnik, Deutschland
