In highly regulated industries such as banking and insurance, the C5 certificate has become the gold standard for compliance and security and represents a trustworthy benchmark.
The digitalization of the healthcare sector in Germany is picking up speed and is increasingly driven by demand from end users. For example, 89% of Germans believe that digitalization in the healthcare sector is fundamentally the right thing to do. At the same time, a higher level of digitalization means a growing number of data protection incidents and security concerns. Protecting personal healthcare data and complying with strict regulations creates a secure digital infrastructure that promotes collaboration and innovation in the healthcare sector, strengthens patient engagement and access to services, and ultimately drives healthcare transformation in Germany.
Uniform security standards, thanks to the C5 certificate
The Federal Office for Information Security (BSI) introduced the Cloud Computing Compliance Controls Catalogue (C5) in Germany in 2016. A cloud service provider's security standards are verified through a certificate based on this catalogue, which ensures compliance with German market requirements and proven best practices. The certificate enables companies to assess the security standards of cloud providers in areas such as data protection, transparency, and risk management.
C5 has become the gold standard for compliance and security and is a trusted benchmark in highly regulated industries such as banking and insurance. This is particularly relevant when dealing with highly sensitive health data. This broad acceptance has positioned the BSI as a key authority for shaping cloud security guidelines in Germany and internationally, giving the C5 standard respect and recognition in Europe. As the digital transformation continues to advance across industries, the ability to demonstrate compliance with C5 has become an indispensable tool for secure cloud use.
What does C5 2025 mean for health insurance companies and private health insurers?
From January 2025, health insurance companies, service providers, and their respective data processors may only process health data in cloud applications if a C5 Type 1 certificate is available. Private health insurance companies are also indirectly obliged to adhere to this standard, as regulation requires them to follow “common standards”, which include the C5 regulation. The new Section 393 of the Fifth Social Security Code (SGB V), “Cloud use in healthcare; authorization to issue regulations”, represents an important step towards protecting sensitive personal, social and health data, as outlined by the Federal Ministry of Health. The regulation aims to enable the secure use of cloud systems in the healthcare sector and to define minimum technology requirements for service providers.
The C5 framework is not brand new and has numerous overlaps with existing regulations. In particular, it is in line with:
- German law and the General Data Protection Regulation (GDPR), ensuring high standards for data protection and accountability,
- International standards:
  - **ISO/IEC 27001:2013**, a leading standard for information security management,
  - **ISO/IEC 27017:2015**, a specific security standard for cloud services,
  - **ISO/IEC 27002:2016**, guidelines for security controls,
  - **BSI IT-Grundschutz**, a cybersecurity framework developed by BSI covering various IT components such as networks, servers, and applications,
  - **CSA (Cloud Security Alliance) Cloud Controls Matrix 3.0.1 (CSA CCM)**, which aligns cloud security requirements with recognized standards, regulations, and best practices to ensure compliance and effectively manage risks in data protection, governance, and security management,
  - **AICPA (American Institute of Certified Public Accountants) Trust Services Criteria 2017 (TSC)**, frequently used to assess how effectively systems process data and meet trust principles, particularly in SOC 2 reports,
  - **ANSSI (Agence nationale de la sécurité des systèmes d’information, National Cybersecurity Agency in France) Provider of Cloud Computing Services v. 3.1 SecNumCloud**, aimed at strengthening trust in cloud services through a standardized certification process for public clients and organizations handling sensitive data,
  - **IDW (Institute of Public Auditors in Germany e.V.) RS FAIT 5**, an accounting framework providing auditors with a structure for evaluating and reporting on the effectiveness of internal controls over financial reporting processes.
Compliance with the BSI C5 requirements represents a considerable effort for cloud providers: it goes beyond common standards such as ISO 27001 and requires comprehensive, annual audits by external auditors. C5 certification comprises two types of audit: Type 1, a snapshot of the security controls at a point in time, and Type 2, which assesses their operating effectiveness over a period of six to twelve months. The latter will be required as a market access requirement from July 2025. Even if providers can partially map existing measures onto the C5 criteria through a gap analysis, implementation remains costly and time-consuming. However, this effort pays off in the long term, as C5 certification ensures the highest data protection and compliance standards and thus creates a sustainable competitive advantage.
Section 393 also sets out restrictions regarding the data processing location. This may only take place in Germany, a member state of the European Union or the European Economic Area, in Switzerland, or in a third country with an adequacy decision in accordance with Article 45 of the GDPR. In addition, the data controller must have a branch in Germany.
What the C5 Certificate Means for Gini
For any organization that works with patient and healthcare data, such as a private health insurer, selecting only trusted service providers that meet the C5 audit criteria is important to ensure business continuity and compliance. Gini, as the provider of Gini Pay Connect (an integrated digital payment solution for the private health insurance industry), is committed to meeting all requirements in line with BSI C5 by June 2025. This demonstrates Gini’s commitment to maintaining and continuously improving its data security standards and its existing ISO 27001 certification. Furthermore, its own data center location in Germany is guaranteed, so that highly sensitive data does not leave the EU.