
Updated Monday, February 3, 2025

New ministerial draft of a “C5 Equivalence Regulation”

Will the C5 Equivalence Regulation facilitate the implementation of the new IT security requirements under § 393 SGB V? In this article, we examine the new draft bill in detail and describe the resulting requirements.

Leon Neumann

Scientific Research Assistant

Steffen Groß

Partner (Attorney-at-law)

Content of the C5 Equivalence Regulation
Follow-up problems
Outlook


On January 6, 2025, the Federal Ministry of Health (BMG) published a draft bill for the so-called "C5 Equivalence Regulation". It is intended to make three further standards equivalent to the C5 certificate required under Section 393 para. 3 no. 2 SGB V, at least on a transitional basis and subject to additional requirements.

Last year, Section 393 SGB V was amended as part of the Act to Accelerate the Digitization of the Healthcare System (DigiG). One of the main changes is the requirement of a C5 certificate for SaaS providers in the healthcare sector with regard to their cloud systems. The law stipulates that cloud services require a C5 type 1 certificate until 30.06.2025 and a C5 type 2 certificate from 01.07.2025.

In addition, Section 393 para. 4 sentence 3 SGB V allows a test certificate or certificate under a standard that ensures a comparable or higher level of security than the C5 standard to be recognized in place of a C5 test certificate:

Processing in accordance with paragraph 3 number 2 is also permitted if, instead of a current C5 certificate, the cloud systems and cloud technology used as part of the cloud computing service have a test certificate or certificate in accordance with a standard whose compliance ensures a comparable or higher level of security compared to the C5 standard.

Section 393 para. 4 sentence 4 SGB V authorizes the BMG to regulate by ordinance which standards meet these requirements. The BMG now intends to make use of this authority, having published a draft bill for the so-called "C5 Equivalence Regulation" on January 6, 2025.


Content of the C5 Equivalence Regulation

The draft provides for the C5 type 1 certificate to be equated with certification of compliance with three other standards, so that affected companies would not necessarily need a C5 type 1 certificate for a transitional period. Instead, presenting an equivalent certificate, subject to further conditions, should suffice for a transitional period to comply with the testing obligation under Section 393 para. 3 no. 2 SGB V. The following three standards are equated with the C5 type 1 certificate:

  • DIN EN ISO/IEC 27001:2022
  • ISO 27001 on the basis of IT baseline protection by the German Federal Office for Information Security (BSI)
  • Cloud Controls Matrix Version 4.0

In addition to an attestation of compliance with one of these standards, an action plan must be submitted that serves to prepare and document the implementation of the C5 criteria. Among other things, gaps between the existing testing of the cloud service and the C5 criteria must be identified, and measures must be defined within a schedule that should lead to the fulfillment of the C5 criteria. The plan must aim at obtaining a C5 type 1 certificate within 18 months of the "milestone plan" being drawn up. Only if this action plan is submitted at the same time will the existing certificate be considered equivalent to the C5 type 1 certificate.

It is not yet clear when the regulation will be adopted. In any case, it should come into force retroactively on 01.07.2024.


Follow-up problems

The BMG is thus signalling that, in the long term, Section 393 SGB V will require a C5 certificate in any case. Other standards are only equated with C5 on a transitional basis; permanent equivalence is not planned for the time being. Section 393 para. 4 sentences 3 and 4 SGB V, on the other hand, continue to allow other certificates to be declared equivalent even after the transitional period.

The draft leaves unclear the cut-off date from which a C5 type 2 test certificate should be required. According to the wording, this should still be July 1, 2025 in accordance with Section 393 para. 4 sentence 2 SGB V, because the C5 Equivalence Regulation equates the three standards (plus action plan) only with the C5 type 1 test certificate, which under Section 393 para. 4 sentence 1 SGB V is sufficient only until June 30, 2025. The regulation does not affect Section 393 para. 4 sentence 2 SGB V, meaning that the C5 type 2 certificate would actually be required from July 2025 for all companies subject to the testing obligation under Section 393 para. 3 no. 2 SGB V.

However, the provision in Section 1 para. 1 no. 4 of the C5 Equivalence Regulation (draft) indicates that this should at least not apply to companies that hold an equivalent certificate (including action plan) in accordance with the regulation. The action plan is ultimately intended to define measures that lead to a C5 type 1 certificate being obtained within 18 months of the milestone plan being drawn up. This is to be understood as an 18-month period for obtaining a C5 type 1 certificate, starting at the moment the milestone plan is created. If a deadline for obtaining a C5 type 1 certificate is granted that in any case extends beyond 01.07.2025, a C5 type 2 certificate cannot at the same time be required from 01.07.2025.

The draft should therefore be understood to mean that if the requirements of Section 1 of the C5 Equivalence Regulation (draft, RefE) are met, no C5 type 2 certificate will be required from 01.07.2025. If this did not also apply to companies that already hold a C5 type 1 certificate, they would be in a worse position than those holding only an equivalent certificate, because they would still have to obtain a C5 type 2 certificate by 01.07.2025.

Therefore, the regulation must be interpreted in a supplementary manner such that § 393 para. 4 sentence 2 SGB V is completely superseded by it. Currently, then, either a C5 type 1 attestation or an equivalent attestation under the regulation is required, the latter including an action plan that provides for obtaining a C5 type 1 attestation within 18 months. This also aligns with the objections raised by industry associations during the legislative amendment of § 393 SGB V, which criticized the short deadline for obtaining a C5 attestation.


Outlook

After all this, however, it remains open when a C5 type 2 certificate should be required. As the disputed provisions are still at the draft stage and the ordinance has not yet been adopted by the federal government as a whole, it is to be hoped that the legislator will clarify the relationship to Section 393 para. 4 sentence 2 SGB V. However, the federal government does not have much time left to do so in view of the upcoming elections.

In conclusion, it should be noted that, according to the intention of the BMG, Section 393 para. 3 no. 2 SGB V will in the long term require a C5 test certificate in any case. Equating other standards, as permitted by Section 393 para. 4 sentence 3 SGB V, is not planned beyond a transitional period.

Companies should therefore immediately work towards fulfilling the C5 criteria. For companies that do not already have a certificate for an equivalent standard, it is generally not advisable to permanently focus on one of the three equivalent standards, as these are only sufficient for a transitional period.

© 2019 - 2025 Simpliant