InfoSec

A Practical Guide to C5 Attestation for Cloud Providers

What C5 attestation is, how the process works, and how to reach it without the manual grind.

Author
Andy Mura
Date
8.7.2026
Updated on
8.7.2026
A Practical Guide to C5 Attestation for Cloud Providers

C5 attestation has become the entry ticket for cloud providers that want to sell into Germany's public sector, financial services, and other regulated industries. If you run a cloud service and you want to win larger German customers, the attestation against the Cloud Computing Compliance Criteria Catalogue is hard to avoid. In this guide we walk you through what C5 attestation actually is, how the audit works, and how you can cut the effort dramatically.

The criteria catalogue comes from the German Federal Office for Information Security and has become the de facto standard for cloud security in the German-speaking market since its introduction in 2016. Unlike a marketing claim, the attestation gives your customers an independently examined report that your security controls genuinely work.

What is C5 attestation?

C5 attestation is a report issued by an independent auditor confirming that a cloud provider meets the security requirements of the BSI criteria catalogue. "C5" stands for Cloud Computing Compliance Criteria Catalogue, and the attestation is the formal opinion delivered by the audit firm.

The wording matters here. This is not a classic certification like ISO 27001 certification, where a certification body issues a certificate. C5 is an attestation performed under the ISAE 3000 or IDW PS 951 assurance standards. The auditor gives a professional opinion on whether your controls are suitably designed and operating effectively.

The current catalogue, published as C5:2020, covers 17 thematic areas with roughly 121 individual criteria. These range from organisation of information security and physical security through to operations, identity management, and incident handling. The full structure is set out in the official BSI documentation on the criteria catalogue.

A defining feature of C5 attestation is the system description. The provider describes in detail how its cloud service is built and which measures are in place. The auditor then assesses whether that description is accurate and whether the controls are effective. This transparency is exactly what regulated customers need for their own risk assessment.

Why C5 attestation matters for cloud providers

The biggest reason is market access. Without a C5 attestation, many public-sector tenders and contracts in regulated industries are effectively closed to you. Authorities and large enterprises increasingly treat the report as a minimum requirement.

The attestation also buys you a measurable trust advantage. Instead of answering security questionnaires for every prospect one by one, you hand over an independently examined report. That shortens sales cycles and reduces audit fatigue on both sides. Our compliance automation platform is built to take that recurring work off your plate.

Then there is regulatory overlap. A C5 attestation pairs well with other assurance obligations, such as the requirements arising from NIS2, DORA, or sector-specific supervisory rules. Many organisations therefore run an integrated programme across several compliance frameworks rather than treating each standard in isolation.

Finally, C5 is an internationally legible signal. The catalogue draws on established standards such as ISO/IEC 27001, the Cloud Controls Matrix from the Cloud Security Alliance, and the Trust Services Criteria that underpin SOC 2. Meeting C5 means you have already done most of the work for adjacent reports.

C5 Type 1 vs Type 2: the difference that matters

C5 attestation comes in two forms. Type 1 confirms the suitability of your controls at a single point in time, while Type 2 also confirms their operating effectiveness over a defined period. The distinction matters enormously to customers, because only Type 2 proves your controls actually function day to day.

A Type 1 report works as an entry point. It shows that on a given date you had a suitably designed control system. The auditor looks at design, not evidence over time. It is faster to reach and is often the first step for providers just entering the market.

A Type 2 report is the gold standard. Here the auditor examines a period of typically six to twelve months to confirm the controls were continuously effective. This is exactly the assurance demanding customers expect. The table below sums up the differences.

Aspect C5 Type 1 C5 Type 2
Subject of the audit Suitability of controls (design) Suitability and operating effectiveness over time
Reference point A single date Period of 6 to 12 months
Value to customers Foundational High
Typical use case Market entry, first proof Established providers, regulated customers
Effort Lower Higher, and considerably more valuable

Our advice: plan for Type 2 from the start. A Type 1 report as an interim milestone makes sense, but it should not be the finish line if you are serious about regulated markets.

How the C5 attestation process works

The path to C5 attestation follows a clear sequence, from initial assessment to the auditor's examination. Knowing the steps helps you avoid the most common delays.

  1. Scoping and gap analysis. First you define which cloud service is in scope and compare your current state against the C5 criteria. This is where gaps surface.
  2. Implementing controls. You close the identified gaps, document processes, and put the necessary technical and organisational controls in place.
  3. Writing the system description. You describe your system and controls so an outside auditor can follow them.
  4. Examination by the auditor. The independent auditor assesses design and, for Type 2, operating effectiveness across the audit period.
  5. Attestation and report. At the end you receive the report with the professional opinion, ready to share with customers.

The most time-consuming part is rarely the audit itself. It is continuous evidence collection: gathering proof, documenting controls, and keeping your posture consistent over months. This is exactly where many projects stall on manual effort. A structured approach to automated evidence collection, like the GRC software from Kertos, is the difference between a painful project and a predictable one. Our certified compliance experts guide you through each stage so nothing is left to chance.

Set realistic expectations on timing, too. For a Type 2 report you should plan for several months, simply because of the required observation period. Building that horizon into your roadmap early lets you time your sales motion accordingly.

C5 attestation vs ISO 27001 and SOC 2

C5, ISO 27001, and SOC 2 pursue a similar goal but differ in origin, audit logic, and market recognition. In short: ISO 27001 is the global management standard, SOC 2 is the US-shaped attestation report, and C5 is the German cloud-specific criteria catalogue.

The good news for you is that these standards overlap heavily. The C5 catalogue was deliberately designed to build on existing frameworks. If you already run an information security management system to ISO 27001, you have many C5 criteria covered at the core. We explain the foundations in our guide to ISO 27001 requirements.

This kinship is why a multi-standard programme is more efficient than isolated one-off projects. A control you implement and document cleanly once often satisfies C5, ISO 27001, SOC 2, and further reports at the same time.

Which standard makes sense when

It comes down to where your customers are. For the German public sector and regulated German enterprises, C5 attestation is often the clearest expectation. If you sell internationally, ISO 27001 is the universal language. If you serve mostly US customers, SOC 2 is rarely optional. In practice, growing cloud providers usually need a combination, which is exactly where an integrated approach pays off.

Frequently asked questions about C5 attestation

Is C5 attestation legally mandatory?
No, there is no general legal obligation. In practice, tenders, contracts, and supervisory expectations often require it de facto, particularly in the public sector and regulated industries.

How long is a C5 attestation valid?
A C5 attestation relates to a specific period or date and is usually renewed annually. Customers generally expect a current report covering the most recent audit period.

Who can issue a C5 attestation?
The report is issued by independent auditors or audit firms under the ISAE 3000 or IDW PS 951 standards, not by the BSI itself. The BSI provides the criteria catalogue but does not perform audits.

Is ISO 27001 a substitute for C5?
Not entirely. ISO 27001 covers many C5 criteria, but C5 adds cloud-specific requirements and the characteristic system description. An existing ISO certification does, however, shorten the path considerably.

Reaching C5 attestation the smart way

C5 attestation is not a one-off project. It is continuous proof that your cloud security does what it promises. The effort rarely comes from the criteria themselves; it comes from the sustained, consistent evidence collection over months. Automate that part, and a grinding obligation turns into a predictable, repeatable process.

Kertos brings this work together on one platform: implement controls once, collect evidence automatically, and serve several standards in parallel, with certified experts alongside you. If you want to see how your route to C5 attestation could be accelerated, book a Kertos demo and walk through your use case with our team.

The Founder's Guide about NIS2: Prepare your company Now before

Protect your startup: Discover how NIS2 can impact your business and what you need to consider now. Read the free white paper now!

The Founder's Guide about NIS2: Prepare your company Now before

Protect your startup: Discover how NIS2 can impact your business and what you need to consider now. Read the free white paper now!

A Practical Guide to C5 Attestation for Cloud Providers
Ready, your compliance to put on autopilot?
Dr. Kilian Schmidt

Dr. Kilian Schmidt

CEO & Co-Founder, Kertos GmbH

Dr. Kilian Schmidt developed a strong interest in legal processes early on. After studying law, he began his career as Senior Legal Counsel and Data Protection Officer at the Home24 Group. After working at Freshfields Bruckhaus Deringer, he moved to TIER Mobility, where, as General Counsel, he was significantly involved in expanding the legal and public policy department - and grew the company from one to 65 cities and from 50 to 800 employees. Motivated by limited technological advances in the legal sector and inspired by his consulting work at Gorillas Technologies, he co-founded Kertos to develop the next generation of European data protection technology.

About Kertos

Kertos is the modern backbone of the data protection and compliance activities of scaling companies. We enable our customers to implement integrated data protection and information security processes in accordance with GDPR, ISO 27001, TISAX®, SOC2 and many other standards quickly and cheaply through automation.

Ready to simplify GDPR compliance?

CTA Image

📅 Schedule Your 5min Compliance Check

Please enter your business email to continue. We require a company email address to ensure we can best serve your organization.

📞 5min Compliance Check