
C5 Type 2 certification in healthcare: Cloud providers now have a duty

What is C5 certification and why is it relevant?

In the age of digitalisation, cloud services have long been established in healthcare. Strict legal requirements apply, particularly when handling sensitive social and health data, which pose major challenges for both data controllers and service providers. From 1 July 2025, cloud providers processing relevant data in the German healthcare sector must present a C5 Type 2 certificate. Until then, a simple C5 Type 1 certificate was sufficient for approval. The new certificate serves to increase the protection of patient and health data and is mandatory for all those who rely on cloud solutions.

Who is affected by the new regulation?

The legal requirements apply to all healthcare providers in accordance with Sections 69 to 140h of the German Social Code, Book V (SGB V). This includes contract doctors, hospitals, providers of therapeutic services (such as physiotherapists), providers of medical aids (e.g. suppliers of medical devices), pharmacies, pharmaceutical companies and other service providers such as emergency services or home nursing facilities. Anyone working in these areas and using cloud solutions must be able to present a valid C5 Type 2 certificate by July 2025 at the latest.

SaaS as the most common use case – what applies here?

Cloud services are often software-as-a-service (SaaS) offerings. These solutions provide complete software applications that are delivered over the Internet. The providers take care of maintenance, updates and security – making them particularly efficient for practical use.

However, it is precisely these offerings that now require testing in accordance with the C5 Type 2 standard. Until now, an adequacy assessment of the technical and organisational measures (C5 Type 1 certificate) was sufficient. With the switch to the Type 2 attestation, the effectiveness of the measures must now also be demonstrated over a longer period of time.

Challenges, transition periods and recommendations for providers and users

What happens if there is no C5 Type 2 attestation?

If a manufacturer or cloud provider cannot provide a C5 Type 2 attestation by the deadline, they face exclusion from the market. Under the current regulation, alternative certifications are accepted temporarily in certain cases, for example ISO/IEC 27001, ISO 27001 on the basis of BSI IT-Grundschutz, or the Cloud Controls Matrix (CCM) in its currently valid version. In that case, however, detailed documentation of which C5 requirements are still outstanding and a schedule of measures for full implementation are also required. The C5 Type 2 certificate must then be submitted within 24 months at the latest.

What are the requirements for subcontractors?

If manufacturers of SaaS solutions use third-party cloud services, these become subcontractors. In this case, too, the certificate must be provided. Whether the submission of the cloud provider's C5 Type 2 certificate is sufficient or whether a separate certificate is required depends on the specific circumstances. In any case, clear contractual provisions and transparency regarding who is responsible for which area of data security in the processing chain are recommended. Clinics and practices should actively inquire with their service providers and regularly request and document certificates.

Recommendations for healthcare companies and service providers

Implementing the new requirements is mandatory for all healthcare providers, not optional. Now is the ideal time to review all existing contracts with SaaS or cloud providers and the certificates they have supplied. If a provider does not yet hold a C5 Type 2 certificate, ask about the status of its action plan and request a binding schedule. Providers are required to document all evidence they give their customers, check it regularly for accuracy and make any adjustments needed to ensure legal compliance.

Conclusion and next steps

The C5 Type 2 certification requirement ensures greater security and transparency, but poses major challenges for smaller providers in particular. Early planning, comprehensive documentation and close dialogue between all parties involved are now crucial. This is the only way to ensure that cloud solutions can continue to be used securely in the healthcare sector without legal or operational risks.

Not sure whether you or your service providers meet the requirements? Or do you need support in implementing the C5 Type 2 certification? Feel free to contact us – we will be happy to provide you with expert and individual assistance!
