Cloud Computing Compliance Criteria Catalogue (C5)
Overview
Cloud Computing Compliance Criteria Catalogue (C5) is a German Government-backed attestation scheme introduced in Germany by the Federal Office for Information Security (BSI). C5 helps organizations demonstrate operational security against common cyber-attacks when using cloud services within the context of the German Government's "Security Recommendations for Cloud Providers".
The C5 attestation can be used by AWS customers and their compliance advisors to understand security controls implemented by AWS to meet the C5 requirements as they move their workloads to the cloud. C5 adds the regulatorily defined IT-Security level equivalent to the IT-Grundschutz, with the addition of cloud-specific controls.
C5 includes additional control requirements relating to data location, service provisioning, place of jurisdiction, existing certifications, information disclosure obligations, and a full-service description. Using this information, customers can evaluate how legal regulations (i.e. data privacy), their own policies, or the threat environment relate to their use of cloud computing services.
FAQs
C5 (Cloud Computing Compliance Criteria Catalogue) is the “cloud computing IT-Security” standard in Germany. Designed and first released by the BSI in 2016, the C5 control set offers additional assurance to customers in Germany as they move their complex and regulated workloads to Cloud Computing Service providers such as AWS.
The current C5 was released in 2020 and includes requirements from the following standards and publications:
- ISO/IEC 27001:2013 – Information security management systems – Requirements
- ISO/IEC 27002:2016 – IT security procedures – Guidelines for information security measures
- ISO/IEC 27017:2015 – Security techniques – Code of practice for information security controls based on ISO/IEC 27002 for cloud services
- BSI – IT-Grundschutz-Kompendium, 2nd Edition 2019
- CSA – Cloud Controls Matrix 3.0.1 (CSA - Cloud Security Alliance)
- AICPA Trust Service Principles Criteria 2017 (AICPA - American Institute of Certified Public Accountants)
- ANSSI (Agence nationale de la sécurité des systèmes d’information, National Cybersecurity Agency of France) – Providers of cloud computing services v. 3.1 (SecNumCloud)
- IDW (Institut der Wirtschaftsprüfer, the German Institute of Certified Public Accountants) RS FAIT 5 – Statement on Financial Reporting: “Principles of Orderly Accounting for the Outsourcing of Financial Reporting-Related Services including Cloud Computing”, as at November 4, 2015
Germany’s national cybersecurity authority Bundesamt für Sicherheit in der Informationstechnik (BSI) developed the C5 standard in 2016. The BSI defines the IT-Security requirements for all governmental systems, and most German companies align their IT-Security strategy with BSI standards. The current version (C5:2020) was finalised in January 2020.
The C5 report provides our European customers with an independent third-party attestation on the suitability of the design and operational effectiveness of our controls to meet the C5 basic and additional criteria. Specifically in Germany, customers are used to looking for cloud services which are assessed against the C5 criteria. C5 provides customers with a framework documenting an IT-Security level equivalent to the IT-Grundschutz covering all IT-Security aspects for Cloud Computing. For federal authorities, a C5 attestation is a basic requirement in the procurement process.
Current information on C5 at AWS can be reviewed on the respective AWS Security Blog C5 posts.
AWS Regions in scope for C5 include Frankfurt, Ireland, London, Paris, Milan, Stockholm, Singapore, Zurich and Spain, as well as Edge locations in Austria, Belgium, Bulgaria, Croatia, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Netherlands, Norway, Poland, Portugal, Romania, Singapore, Spain, Sweden, Switzerland and the United Kingdom.
The covered AWS services that are already in scope for C5 can be found within AWS Services in Scope by Compliance Program. If you would like to learn more about using these services or are interested in other services, please contact us.
IT-Grundschutz is a standard for establishing and maintaining appropriate protection of the information of an institution. The IT-Grundschutz Catalogues describe safeguards for typical business processes, IT systems, and applications, and address the protection of an enterprise’s own information. C5 provides guidance on cloud service provider (CSP) offerings.
The AWS C5 report is available to customers by using AWS Artifact, a self-service portal for on-demand access to AWS compliance reports. Sign in to AWS Artifact in the AWS Management Console, or learn more at Getting Started with AWS Artifact.
In January 2026, we announced the general availability of the AWS European Sovereign Cloud, a new, independent cloud for Europe entirely located within the European Union (EU), and physically and logically separate from all other AWS Regions. The dedicated AWS European Sovereign Cloud C5 report provides our customers with an independent third-party attestation on the suitability of the design of the AWS controls to meet the C5 basic and additional criteria.
To learn more about the AWS European Sovereign Cloud C5 report and its scope, visit https://aws.eu/compliance/.