BSI C5 Type 2 (Cloud Computing Compliance Criteria Catalogue)

The BSI Cloud Computing Compliance Criteria Catalogue (BSI C5 for short) is a catalogue of criteria that describes minimum information security requirements for cloud services. It is published by the German Federal Office for Information Security (BSI). Its aim is to present the information security of cloud services transparently on the basis of a standardized audit, so that customers can use the result as part of their own risk analysis.

Section 393 of the German Social Security Code (SGB V) defines requirements for cloud services in the healthcare industry. Among other things, it stipulates that a C5 attestation is required for cloud services in the healthcare sector. Since July 2025, a C5 Type 2 certificate has been required.

C5 Type 2 Attestation

The C5 attestation is available in two forms: Type 1 and Type 2. A Type 1 certificate assesses whether the necessary security controls have been adequately designed at a given time. In contrast, a Type 2 certificate goes a step further by assessing whether these controls are effectively implemented and operated over a given audit period.

Type 2 therefore provides a higher level of assurance regarding the ongoing effectiveness of the cloud provider's security practices.

roclub's C5 Type 2 Attestation

roclub has been certified according to BSI C5 Type 2 since June 2025 and thus meets the requirements for the processing of health data in the cloud.

Regular external audits

The C5 attestation is re-certified annually by external auditors for the audit period of the previous year.

C5 Report

roclub will provide the C5 report on request. The report contains the following components:

  • Name, type, and scope of cloud services provided
  • Description of the system components for the provision of the cloud service
  • Information on the framework conditions of the cloud service
  • Applicable C5 criteria
  • Principles, procedures and measures, including the controls put in place for this purpose
  • Dealing with significant incidents
  • Corresponding controls of the customer of the cloud service
  • Functions subcontracted or outsourced
  • Occurrence of and handling of significant incidents in the period to be audited

Please contact your Customer Success Manager or informationsecurity@roclub.com.