
New BMI draft on the C5 equivalence regulation: What you need to know

The Federal Ministry of Health (BMG) has published a draft of the so-called “C5 Equivalence Regulation”. This new regulation aims to further strengthen cyber security in the healthcare sector and, at the same time, to specify the requirements for cloud-based IT systems.

Why a new standard?

The increasing digitalization of the healthcare sector offers immense opportunities for more efficient and patient-centred care. However, the growing dependence on IT systems also increases the risk of cyberattacks. The Russian war of aggression against Ukraine in particular has highlighted the danger of targeted attacks on critical infrastructure. Against this backdrop, the Digital Act introduced the C5 Cloud Computing Compliance Criteria Catalogue, developed by the German Federal Office for Information Security (BSI), as a binding security standard for the processing of sensitive healthcare and social data.

Transitional arrangements under the C5 equivalence regulation

While the C5 catalog guarantees a high level of security, the new regulation allows the use of alternative certificates for a transitional period as long as they can demonstrate a comparable or higher level of security. Specifically, the following standards are recognized:

  1. DIN EN ISO/IEC 27001:2022
  2. ISO 27001 on the basis of IT baseline protection (BSI)
  3. Cloud Controls Matrix Version 4.0


For providers of cloud-based IT systems, this means that they can continue to offer their solutions in the healthcare sector even without immediate C5 certification. However, a detailed action plan is required to ensure that existing gaps between the alternative standards and the C5 catalog are closed within a specified period of time.

Requirements for suppliers and service providers

The action plan must include the following:

  • Documentation of deviations: Which basic criteria of the C5 catalog are not covered by the selected standard?
  • Individual measures: Technical and organizational precautions to close identified gaps.
  • Timetable: A mitigation plan to ensure that the gaps are closed within 12 months.
  • Plan for obtaining C5 certification: A C5 type 1 certificate should be applied for within 18 months.


This approach offers companies the opportunity to gradually prepare for the strict requirements of the C5 catalog without having to interrupt their business activities.

Advantages for our customers

The new regulation creates one thing above all: legal certainty. Companies can continue to use alternative certificates as long as they present a valid plan for C5 testing. For our customers, this means:

  1. Flexibility in the choice of security standards: The temporary recognition of alternative certificates reduces the cost of switching completely to the C5 standard in the short term.
  2. Gradual adaptation: Providers can raise their security measures to a higher level over a defined period of time.
  3. Building trust: Using certified standards signals to both regulators and end users that cyber security is taken seriously.


Why SRC GmbH is the right partner

As SRC GmbH, we support companies in successfully mastering the path to C5 conformity. Our services include:

  • Advice on the creation and implementation of action plans.
  • Carrying out gap analyses to identify existing security gaps.
  • Support in the preparation and implementation of C5 audits.

Our many years of experience in the field of IT security and our in-depth understanding of the regulatory requirements in the healthcare sector make us a reliable partner.

Conclusion

The C5 equivalence regulation offers companies in the healthcare sector the opportunity to gradually adapt their security standards to the strict requirements of the C5 catalog. This not only creates legal certainty, but also strengthens confidence in digital solutions. SRC GmbH is at your side to help you meet the challenges of digital transformation securely and efficiently. Contact us to find out more about how we can support you.

This article was also published on:
Press contact:
Patrick Schulze
WORDFINDER GmbH & Co. KG, Lornsenstraße 128-130, 22869 Schenefeld