
C5 Type 2 certification in healthcare: Cloud providers now have a duty

What is C5 certification and why is it relevant?

In the age of digitalisation, cloud services have long been established in healthcare. Strict legal requirements apply, particularly when handling sensitive social and health data, which pose major challenges for both data controllers and service providers. From 1 July 2025, cloud providers processing relevant data in the German healthcare sector must present a C5 Type 2 certificate. Until then, a simple C5 Type 1 certificate was sufficient for approval. The new certificate serves to increase the protection of patient and health data and is mandatory for all those who rely on cloud solutions.

Who is affected by the new regulation?

The legal requirements apply to all healthcare providers in accordance with Sections 69 to 140h of the German Social Code, Book V (SGB V). This includes contract doctors, hospitals, providers of therapeutic services (such as physiotherapists), providers of medical aids (e.g. suppliers of medical devices), pharmacies, pharmaceutical companies and other service providers such as emergency services or home nursing facilities. Anyone working in these areas and using cloud solutions must be able to present a valid C5 Type 2 certificate by July 2025 at the latest.

SaaS as the most common use case – what applies here?

Cloud services are often software-as-a-service (SaaS) offerings. These solutions provide complete software applications that are delivered over the Internet. The providers take care of maintenance, updates and security – making them particularly efficient for practical use.

However, it is precisely these offerings that now require testing in accordance with the C5 Type 2 standard. Until now, an adequacy assessment of the technical and organisational measures (C5 Type 1 certificate) was sufficient. With the switch to the Type 2 attestation, the effectiveness of the measures must now also be demonstrated over a longer period of time.

Challenges, transition periods and recommendations for providers and users

What happens if there is no C5 Type 2 attestation?

If a manufacturer or cloud provider cannot provide a C5 Type 2 attestation by the deadline, they face exclusion from the market. According to the current regulation, alternative certification is also sufficient in certain cases on a temporary basis, for example according to ISO/IEC 27001, ISO 27001 based on BSI IT-Grundschutz or according to the Cloud Controls Matrix (CCM) in its currently valid version. However, detailed documentation of which requirements from the C5 standard are still outstanding and a schedule of measures for full implementation are also required. The C5 Type 2 certificate must be submitted within 24 months at the latest.

What are the requirements for subcontractors?

If manufacturers of SaaS solutions use third-party cloud services, these become subcontractors. In this case, too, the certificate must be provided. Whether the submission of the cloud provider's C5 Type 2 certificate is sufficient or whether a separate certificate is required depends on the specific circumstances. In any case, clear contractual provisions and transparency regarding who is responsible for which area of data security in the processing chain are recommended. Clinics and practices should actively inquire with their service providers and regularly request and document certificates.

Recommendations for healthcare companies and service providers

Implementing the new requirements is mandatory, not optional, for all healthcare providers. Now is the ideal time to review all existing contracts with SaaS or cloud providers and the certificates they have supplied. If a provider does not yet hold a C5 Type 2 certificate, ask about the status of its action plan and request a binding schedule. Providers are required to document all evidence they provide to their customers, check it regularly for accuracy and make any necessary adjustments to ensure legal compliance.

Conclusion and next steps

The C5 Type 2 certification requirement ensures greater security and transparency, but poses major challenges for smaller providers in particular. Early planning, comprehensive documentation and close dialogue between all parties involved are now crucial. This is the only way to ensure that cloud solutions can continue to be used securely in the healthcare sector without legal or operational risks.

Not sure whether you or your service providers meet the requirements? Or do you need support in implementing the C5 Type 2 certification? Feel free to contact us – we will be happy to provide you with expert and individual assistance!
