
BSI C5 compliance software for cloud-service providers.

Pre-loaded basic and additional criteria, a BSI TR-02102-aligned crypto policy, JIT privileged access, baseline-as-code drift checks, data-residency transparency and the sub-service register German public-sector procurement teams want to see. Built for SaaS providers selling into the DE public sector.

What is BSI C5?

The Cloud Computing Compliance Criteria Catalogue, published by the German Federal Office for Information Security (BSI). C5 sets the minimum criteria a cloud service must meet to be considered acceptable to German public-sector and regulated-industry buyers. It is the German counterpart of the procurement bar that most other EU member states set with SecNumCloud, ENS or BIO.

Who needs to comply

  • SaaS providers selling into German federal, state and municipal customers
  • Cloud providers serving German healthcare, energy and financial customers
  • Managed-service providers operating customer workloads on hyperscaler infrastructure
  • EU SaaS providers wanting a procurement-ready cloud-security baseline

Key BSI C5 controls covered by Dazr

  • ISMS aligned with ISO 27001: Pre-loaded ISMS with C5-specific extensions in the SoA.
  • BSI TR-02102 crypto policy: Crypto policy referencing the latest TR-02102 revision. Annual review scheduled.
  • JIT privileged access: Time-bound elevation via the IdP. Quarterly review of standing privilege.
  • Hardening baselines: CIS / BSI Grundschutz baselines in CI; drift remediated within 14 days.
  • Data-residency transparency: Public data-residency page kept in sync with the deployment topology.
  • Sub-service register: Annual review of each sub-service controls report; flow-down clauses tracked.

What auditors look for

A C5 attestation engagement walks the catalogue control-by-control and is unusually prescriptive about cryptography, sub-service handling, customer audit rights, and the ability of the customer to determine where their data is. Dazr covers each of those as a first-class object in the workspace.

How Dazr helps with BSI C5

  • Hold the C5 basic and additional criteria with overlays per service offering
  • Run C5 alongside ISO 27001 and SOC 2 in one workspace
  • Track BSI TR-02102 alignment for the crypto policy
  • Maintain the data-residency and sub-service registers customers will ask about
  • Hand the attestation team a read-only view or a single-PDF audit trail


BSI C5 questions, answered.

What is BSI C5?

C5 (Cloud Computing Compliance Criteria Catalogue) is the German federal cloud-security catalogue published by the BSI. It defines basic and additional criteria for cloud-service providers and is the de-facto baseline for German public-sector cloud procurement.

Do I have to be a German entity?

No. C5 is a procurement requirement applied to the cloud service, not to the legal entity. EU-based providers regularly hold C5 attestation - and Dazr's EU-only hosting and Italian legal entity work well alongside it.

How does C5 differ from ISO 27001?

C5 is cloud-specific and prescriptive - it covers areas like data-residency transparency, sub-service handling, BSI TR-02102 crypto, and customer audit rights that ISO 27001 leaves to the SoA. Enable both frameworks together; the evidence overlap is significant.

Where is data hosted?

European Union only. AES-256-GCM at rest.

Ready to start your BSI C5 program?

Free for one user. Pro €29/mo and Enterprise €299/mo are self-serve via Mollie. Custom (from €800/mo) is the only tier on a contract.