July 1, 2025

Cloud solutions in the public sector
Secure implementation with C5 certifications


The use of cloud solutions in the public sector is growing rapidly. At the same time, requirements for security, transparency, and regulatory compliance are increasing. Institutions governed by the Social Security Code (SGB) in particular are subject to clear legal requirements that must be taken into account when tendering, procuring, and introducing cloud services.

C5 certification as a benchmark for security

According to Section 393 of the German Social Code, Book V (SGB V), the use of cloud services in healthcare is only permitted if certain security standards are met. Until 30 June 2025, a C5 Type 1 certification is considered valid proof of compliance. From 1 July 2025, however, a C5 Type 2 certification will be mandatory.

The difference is crucial:

  • C5 Type 1 checks the adequacy and implementation of security measures on a specific date.
  • C5 Type 2 goes much further, as it also verifies the effectiveness of the measures over a longer period of time.

This is the only way to ensure that security processes are not only planned but also implemented on a permanent basis.

Why C5 is crucial for tenders

The BSI C5 certification (‘Cloud Computing Compliance Criteria Catalogue’) has established itself as the minimum standard for cloud security in Germany – both in the public sector and in critical infrastructures (KRITIS). It is based on ISO 27001, but covers cloud-specific requirements that are only partially included in international standards such as ISO 27017. In some areas, C5 even goes beyond these standards.

For clients, this means:

  • Greater transparency through standardised test reports
  • Increased security through specific requirements for cloud operations
  • Verifiability for supervisory authorities and auditors

Our consulting approach

We support public sector clients and organizations in the health and social services sector in securely tendering, procuring and implementing cloud solutions. In doing so, we pay particular attention to:

  • The correct inclusion of C5 or equivalent certification requirements in tender documents.
  • The evaluation of cloud providers with regard to C5 Type 2 and supplementary standards.
  • The integration of privacy and security by design into the project and system architecture.
  • The provision of evidence during operation to ensure transparency and compliance, even in the event of an ongoing audit.

Conclusion

The transition period until June 2025 is short – public contracting authorities and KRITIS organizations should already be incorporating C5 Type 2 requirements into their planning. It is not only the concept on paper that is crucial but also proof that security measures are being effectively implemented throughout the entire term.

We accompany you every step of the way – from the tender process and supplier selection to the secure introduction and operation of your cloud solutions.