Germany: Cloud Computing Compliance Criteria Catalogue and cybersecurity requirements for cloud service providers
Cloud computing is regarded as one of the most important fields of digitisation. With the Cloud Computing Compliance Criteria Catalogue ('C5'), the Federal Office for Information Security ('BSI') therefore wants to promote and support cybersecurity in this area with baseline requirements. However, from the BSI's point of view, the document is relevant not only for professional cloud service providers and auditors, but also for their customers. Dr. Carlo Piltz and Stefan Hessel, from reuschlaw Legal Consultants, give a short introduction to the C5 and answer practical questions concerning its requirements for cloud service providers.
The C5 contains over 120 criteria, which are divided into 17 subject areas and cover all central aspects of the cybersecurity of cloud services. In addition to classic requirements, such as the existence of an ISO/IEC 27001 compliant Information Security Management System ('ISMS') or physical security measures, the criteria also address newer security requirements, such as the handling of investigation requests from the Government. The C5 also contains requirements for the legal examination of government requests. How comprehensive the C5 is can be seen, for example, in the area of asset management, where, among other things, the cloud service provider is required to have an approval process for the use of hardware to be commissioned. Against this background, the C5 offers a good opportunity for a future-oriented analysis of the cybersecurity of cloud computing, even beyond its concrete application area.
Changes compared to the previous version (C5:2016)
Compared to the previous version of the C5 from 2016 ('C5:2016'), two new sections have been introduced in the update. On the one hand, this concerns the already mentioned requirement for dealing with investigation requests from government agencies, which is intended to increase transparency. On the other hand, the section 'Product Safety and Security' was created. This is partly based on Regulation (EU) 2019/881 on ENISA (the European Union Agency for Cybersecurity) and on information and communications technology cybersecurity certification and repealing Regulation (EU) No. 526/2013 ('the Cybersecurity Act') and obliges the cloud service provider, for example, to operate or refer to a daily updated online register of known vulnerabilities. In addition, the cloud service provider must give the cloud user a way to determine the locations of data processing and storage. Furthermore, the 'Security Criteria' were revised and updated, and the possibility of a direct engagement, where the auditor creates the service description during the audit, was created.
The C5 is not a purely technical document, but also imposes legal requirements in many areas. One example is the requirements for 'Security Policies and Instructions.' Among other things, these must contain explanations of the applicable legal and regulatory requirements and the consequences of non-compliance. In the area of compliance, the C5 also expressly stipulates that the cloud service provider must identify all applicable legal, regulatory, self-imposed, or contractual requirements and document processes for their compliance. The C5 requires that these aspects are reviewed by subject matter experts, i.e. lawyers. Unsurprisingly, strong legal requirements also exist in the area of dealing with investigation requests from government agencies: here the C5 demands a legal assessment of investigative inquiries.
Legal significance of the C5 under the GDPR
In addition to the legal requirements imposed by the C5, a legal consideration also raises the question of the significance of the C5 in relation to the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'). In this respect, it should first be noted that the C5 is not a certification according to the GDPR. Rather, it is expressly limited to the area of IT security (and some related areas). However, this does not make the C5 worthless from a data protection perspective. Especially in the area of Article 32 of the GDPR, certification according to the C5 can provide proof of sufficient guarantees. This makes the C5 interesting for both controllers and processors. In addition, the criteria for dealing with investigation requests from government agencies are of particular interest in the context of the Court of Justice of the European Union's ('CJEU') judgment in Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems (C-311/18) ('the Schrems II Case'). Thus, the procedure for dealing with requests proposed by the C5 could serve as a blueprint for a process that provides additional guarantees for compliance with the GDPR in the case of data transfers based on Standard Contractual Clauses ('SCC').
Possibility of attestation and international standards
The C5 can be attested via an ISAE 3000-like audit which ends in a SOC 2 report in order to demonstrate proof of compliance with the controls. The attestation is issued by a certified public auditor, not by the BSI itself. There is no control over selected auditors or audit reports by the BSI. The C5 can also be compared with other international standards via a cross-reference table and therefore allows a quick comparison in an international context.
In summary, it can be said that the C5 is a comprehensive and modern catalogue of criteria for cybersecurity in cloud computing. The C5 is therefore of interest to both providers and customers. This is especially true in the context of data protection and guarantees for appropriate technical and organisational cybersecurity measures. Anyone who orients themselves to the C5 criteria or is looking for an audit should remember in good time to also consider the legal criteria included in the C5.