BSI C5
Why important?
Important for the German public sector & regulated industries.
How measured?
Scale 0–5 + N/A:
- 0 = No C5 / no reliable statement
- 1 = Planned/announced, no report
- 2 = Self-assessment or unclear status/scope
- 3 = C5 Type 1 (or comparable) with limited scope/transparency
- 4 = C5 Type 2 OR Type 1 with broad, clearly described scope
- 5 = C5 Type 2 + scope transparent (region/services) + solid evidence
- N/A = no reliable evidence
Sources / Evidence
- https://www.aboutamazon.eu/news/aws/built-operated-controlled-and-secured-in-europe-aws-unveils-new-sovereign-controls-and-governance-structure-for-the-aws-european-sovereign-cloud
- https://www.ionos.de/newsroom/news/ionos-erhaelt-c5-testat-fuer-compute-engine-cloud-cubes-und-s3-object-storage
- https://stackit.com/en/why-stackit/benefits/data-sovereignty
- https://www.open-telekom-cloud.com/en/blog/benefits/open-telekom-cloud-certified-according-to-bsi-c5-2020-and-and-soc-1-soc-2-soc-3
- https://www.plusserver.com/en/company/certificates-and-attestations/
- https://www.ovhcloud.com/en/compliance/c5/
- https://www.exoscale.com/compliance/
- https://docs.hetzner.com/general/company-and-policy/information-security-at-hetzner/
- https://www.scaleway.com/en/security-and-resilience/
- https://community.exoscale.com/platform/compliance/
- https://www.aboutamazon.de/news/politik/mehr-digitale-souveraenitaet-aws-bringt-european-sovereign-cloud-nach-deutschland
- https://aws.amazon.com/blogs/security/announcing-initial-services-available-in-the-aws-european-sovereign-cloud/
- https://aws.eu/de/esca/
- https://news.microsoft.com/de-de/erste-souveraene-cloud-plattform-fuer-die-deutsche-verwaltung-auf-der-zielgeraden/
- https://www.plusserver.com/unternehmen/zertifikate-und-testate/
- https://www.plusserver.com/wp-content/uploads/2023/09/20250430_Bericht_BSI-C5_ISAE3402_Typ2_plusserver-GmbH-2024-3.pdf
- https://learn.microsoft.com/en-us/azure/compliance/offerings/offering-germany-c5
- https://www.noris.de/wp-content/uploads/noris-Sovereign-Cloud-Product-Sheet.pdf
- https://www.syseleven.de/en/press-releases/syseleven-and-secunet-now-with-it-grundschutz-iso-27001-and-c5/
Validation questions (RFP)
- Which services are in scope? Type 1 vs. type 2? Are current reports available?
Scores comparison
| Providers | Score | |
|---|---|---|
| Hetzner Cloud | 5.0 | |
| SysEleven OpenStack Cloud | 5.0 | |
| Cloud Temple Trusted Cloud | 0.0 | No BSI C5 attestation publicly listed. French provider focused on SecNumCloud/ANSSI. |
| Infomaniak Public Cloud | 0.0 | No BSI C5 attestation. Swiss provider. |
| Exoscale | 4.0 | |
| IONOS Cloud | 4.0 | |
| Microsoft Sovereign Cloud | 4.0 | |
| T Cloud Public | 4.0 | |
| noris Sovereign Cloud | 4.0 | |
| pluscloud open | 4.0 | |
| OVHcloud Public Cloud (inkl. SecNumCloud) | 3.0 | |
| STACKIT | 3.0 | |
| AWS European Sovereign Cloud | 2.0 | |
| Delos Cloud | 2.0 | |
| Oracle EU Sovereign Cloud | 2.0 | |
| Scaleway | 0.0 | |
| UpCloud | N/A |