The Cloud Computing Compliance Criteria Catalogue (C5) was developed by Germany's Federal Office for Information Security (BSI — Bundesamt für Sicherheit in der Informationstechnik) as a comprehensive cloud security baseline for cloud service providers operating in Germany and the EU. C5 covers 17 domains and 114 criteria — going beyond ISO 27001 with specific requirements for cloud transparency, supply chain security, and German/EU regulatory context, including alignment with GDPR, NIS2 Directive, and German IT Security Act 2.0.
C5 is rapidly becoming a de facto standard for EU public sector cloud procurement — Germany's BSI, state governments, healthcare providers, and financial institutions increasingly require C5 Type 2 attestation from cloud providers. Major hyperscalers (AWS, Azure, Google Cloud) maintain C5 Type 2 attestations. For Indian cloud firms targeting European expansion or serving German/EU enterprise clients, C5 certification signals serious cloud governance commitment that differentiates from ISO 27001-only providers.