6 min read<\/p>\n
The new BSI criteria catalog C5:2026 includes 168 criteria-47 more than its predecessor. One change stands out: for the first time, the BSI demands verifiable handling of quantum threats. Initially, a demonstrable roadmap is required, not an immediate full transition. For those holding or pursuing C5 certification, this sets a clear deadline.<\/strong><\/p>\n Key Takeaways<\/p>\n Related:<\/span>Confidential Computing: Why encrypted data must stay protected during processing<\/a> \/<\/span> Cloud misconfigurations: The most common breach cause no one fixes<\/a><\/p>\n In the DACH cloud landscape, C5 isn\u2019t just a nice-to-have-it\u2019s a must. Many tenders require certification. For cloud providers serving the public sector or financial industry, it\u2019s non-negotiable. The version published in April 2026 marks the first major update since 2020, expanding from 121 to 168 criteria and reorganizing them into 17 thematic areas.<\/p>\n The growth isn\u2019t bureaucracy for bureaucracy\u2019s sake. It reflects shifts in the threat landscape and technology. Containers now run in nearly every stack, confidential computing has moved out of niche applications, and the quantum question has leapt from research to compliance. For the first time, the catalog is also available as a machine-readable YAML file, making gap analysis against your own control system significantly easier.<\/p>\n The Cloud Computing Compliance Criteria Catalogue, or C5, is a BSI audit framework for cloud service security. An auditor certifies whether a provider meets the defined controls. In the DACH region, this certification is a well-established requirement for cloud procurement.<\/p>\n<\/div>\n The most common misconception about post-quantum cryptography is the timeline. A sufficiently powerful quantum computer capable of breaking today\u2019s encryption methods doesn\u2019t exist yet-but the risk is already here. The culprit is an attack strategy with an unassuming name: harvest now, decrypt later. An attacker collects encrypted data traffic today and waits until the necessary computing power becomes available.<\/p>\n In concrete terms, post-quantum cryptography means supplementing classical methods like RSA and elliptic curve cryptography with quantum-resistant algorithms. In 2024, NIST finalized the first standards, including ML-KEM for key exchange and ML-DSA for digital signatures. The algorithms are ready-the challenge lies in integrating them into existing systems, not in their availability.<\/p>\n For data requiring long-term protection, this is a real problem. Medical records, contracts, or engineering designs must remain confidential even a decade from now. Those relying solely on classical public-key cryptography today are betting that quantum computing development will progress slowly enough. C5:2026 turns this implicit assumption into a verifiable requirement. How far protection must extend depends on the processing model, as outlined in this article on Confidential Computing<\/a>.<\/p>\n A cryptographic overhaul isn\u2019t a patch you can deploy overnight. It requires lead time-and that starts with a seemingly mundane inventory. Four steps will determine whether your 2027 certification process runs smoothly.<\/p>\n No one overhauls their cryptography over a weekend. In large environments, an inventory can take months because encryption lurks in places no one has checked in years. That\u2019s precisely why an early start pays off. Those who wait until 2027 will certify under pressure-and risk overlooking that one legacy system that ultimately fails the audit. C5:2026 sets a deadline, and experience shows that\u2019s when such overhauls actually get underway.<\/p>\n The catalog expands from 121 to 168 criteria and introduces first-time requirements for post-quantum cryptography, confidential computing, and container security. It\u2019s also now available in a machine-readable YAML format.<\/p>\n Type 2 certifications starting on or after 1 June 2027 must comply with the new catalog. Ongoing certifications remain unaffected for now.<\/p>\n Because of the “harvest now, decrypt later” pattern. Attackers are already storing encrypted data today to decrypt it later. Data requiring long-term protection is therefore at risk now.<\/p>\n A complete crypto inventory. Without a clear overview of the algorithms, certificates, and libraries in use, no migration can be planned or effort estimated.<\/p>\n Both. Providers must meet the criteria, while customers should demand their providers\u2019 post-quantum roadmap and align their own data prioritization accordingly.<\/p>\n\n
What C5:2026 changes in the audit catalog<\/h2>\n
Why Post-Quantum Needs to Be on Your Roadmap Now<\/h2>\n
What Needs to Be on Your Checklist Before the Deadline<\/h2>\n
\n
An Honest Look at the Effort Involved<\/h2>\n
Frequently Asked Questions<\/h2>\n
What\u2019s new in BSI C5:2026 compared to the previous version?<\/h3>\n
When does C5:2026 become mandatory?<\/h3>\n
Why is post-quantum cryptography relevant now, even though quantum computers don\u2019t exist yet?<\/h3>\n
What\u2019s the first practical step in preparing?<\/h3>\n
Does C5:2026 affect only cloud providers, or customers too?<\/h3>\n
Editor\u2019s Reading Recommendations<\/h3>\n