New standards for cloud security in the healthcare sector
As digitalization progresses in the healthcare sector, the requirements for data protection and IT security are rising rapidly. From July 1, 2025, a decisive change comes into force: a C5 Type 2 certificate will then be required for processing social and health data in the cloud. This new rule, anchored in the Digital Health Act (DigiG) and the newly introduced Section 393 of the German Social Code, Book V (SGB V), particularly affects health insurance companies, service providers and IT service providers in the healthcare sector.
What is the C5 Type 2 certificate and why is it important?
In contrast to the previously accepted C5 Type 1 certificate, which only confirms the suitability of the security measures at a point in time, the Type 2 certificate requires proof that these measures are also operating effectively over a longer period – at least six months. This effectiveness test makes all the difference and significantly raises the level of assurance. The measure is intended to strengthen trust in cloud-based healthcare solutions and to protect the integrity of sensitive health data.
Transition phase until June 2025: What evidence is valid until then?
C5 Type 1 certificates may continue to be used up to and including June 30, 2025. Alternative certificates are also permitted during the transition period – provided they guarantee a comparable level of security.
These include:
- DIN EN ISO/IEC 27001:2022
- ISO 27001 certification on the basis of BSI IT-Grundschutz
- Cloud Controls Matrix Version 4.0 (CSA)
Note, however, that these alternatives are only accepted in combination with a detailed action plan that addresses the C5 criteria not yet covered.
Content of the action plan: What cloud providers must document
For an alternative certificate to be recognized, providers must also submit a clearly structured action plan.
This must contain, among other things:
- A list of the C5 basic criteria not covered
- Technical and organizational measures to close existing gaps
- A milestone plan with a maximum implementation horizon of twelve months
- A strategy for obtaining a C5 Type 1 certificate within 18 months
Only those who meet these requirements transparently can rely on an alternative certificate during the transition phase.
From July 2025: Why the C5 Type 2 certificate will have no alternative
While the current draft of the C5 equivalence regulation only governs equivalence with Type 1 certificates, from July 2025 only proof of the continuous effectiveness of the security measures will be accepted.
Companies that have not prepared for a Type 2 certificate by then risk:
- Loss of authorization to process data in the cloud
- Compliance violations under SGB V
- Contractual risks with health insurance companies or service providers
Preparation is key: recommendations for cloud providers
Anyone providing cloud services in the healthcare sector should start implementing the C5 criteria immediately – including documentation and setting up a structured audit process. As a Type 2 audit requires a review period of at least six months, now is the right time to analyze and adapt internal processes and prepare them for the audit.
Outlook: What remains unclear
Whether and which equivalent alternatives to the C5 Type 2 certificate will be recognized in the future has not yet been definitively regulated. Until the regulation is amended, this leaves many providers facing uncertainty. To be on the safe side, it is advisable to align with the C5 Type 2 requirements at an early stage.
Contact us for your security strategy!
Do you want to future-proof your cloud services in the healthcare sector? We support you in preparing for the C5 Type 2 certificate and other security certifications such as ISO 27001, SOC 2 or IT-Grundschutz.
E-mail: hello@secaas.it
Phone: +49 69 5060 75080
https://security-as-a-service.io
Secure your company – before it’s too late!