Key takeaways
- C5 compliance is a German framework that ensures your e-signature tool is operating on a secure cloud infrastructure
- If you work in regulated industries like healthcare and finance, always verify that your e-signature uses a compliant cloud service
- Docupilot combines document automation and e-signatures on secure cloud infrastructure, so you can meet security expectations with less effort
C5 (Cloud Computing Compliance Criteria Catalogue) is Germany's framework for evaluating the security of cloud services.
If you’re in regulated sectors like healthcare, finance, and government, using a platform that meets C5 expectations is essential.
In this article, we’ll explain what C5 compliance means, why it matters for e-signature workflows, and how to evaluate platforms like Docupilot to make sure your documents stay secure and aligned with regulatory expectations.
What is C5 compliance?
C5 stands for Cloud Computing Compliance Criteria Catalogue. It was created by Germany’s Federal Office for Information Security (BSI) in 2016 and updated to its current version, C5:2020, in January 2020.
The framework defines a detailed set of security and transparency requirements for cloud service providers, whatever service model they offer:
- Infrastructure services (IaaS): Raw cloud environments providing servers, storage, and networking. Examples: Amazon Web Services (AWS), Microsoft Azure, or Google Cloud
- Platform services (PaaS): Tools and environments to build and run applications. Example: Google App Engine
- Software services (SaaS): Ready-to-use applications. Example: e-signature platforms
Most SaaS tools run on IaaS or PaaS from providers like AWS or Azure, so they are not audited under C5 themselves. Only SaaS providers that operate their own cloud service would be eligible for a C5 attestation.
Notice we say "attestation", not "certification".
C5 is not a certification like ISO 27001. It is an attestation framework. An independent auditor reviews a cloud service’s controls against the C5 criteria and produces a detailed attestation report. That report is what regulators, clients, and partners use to evaluate whether the cloud service can handle sensitive data.
C5 attestation comes in two levels:
- Type 1: Confirms that the required security controls are properly designed and in place at a specific point in time.
- Type 2: Goes further and evaluates whether those controls actually work in practice over a longer period, usually six to twelve months.
Which level matters depends on your industry. In some sectors, like healthcare, Type 2 is a legal requirement. In others, it's a strong trust signal but not mandatory. We'll break down who needs what next.
Who needs to care about C5 compliance when using e-signatures?
C5 wasn’t created for casual cloud use. It was designed specifically for industries that handle sensitive data and operate under strict regulatory oversight. That’s why it matters far more in some sectors than in others. They include:
- German federal agencies: If your agency signs contracts, processes authorizations, or collects approvals using a cloud-based tool, the infrastructure behind that tool must meet C5 requirements.
- Healthcare: Starting July 2025, cloud services processing health or social data in Germany must hold a C5 Type 2 attestation under §393 SGB V. If you're handling signed patient consent forms, treatment agreements, or insurance documents through a cloud-based e-signature platform, this applies to you.
- Financial services: Banks, insurers, and investment firms in Germany increasingly expect the cloud infrastructure supporting signed loan agreements, policy documents, or client onboarding forms to be C5-attested.
- International organizations working with German clients: Even if your company is outside Germany, if you process signed documents for German healthcare, government, or financial clients, C5 expectations apply. Customers and regulators will want assurance that the infrastructure is compliant.
The scope of C5 is growing. Its standards are influencing EU-wide cloud security frameworks, such as the European Cloud Certification Scheme (EUCS) and requirements under the NIS2 Directive. What applies in Germany today is likely to shape expectations across the EU in the coming years.
What to look for in an e-signature platform for C5-regulated environments?
Like we said earlier, most e-signature tools run on cloud infrastructure provided by a third party. That means the platform you use probably won’t have its own C5 attestation. Instead, you need to check whether the cloud services it relies on are covered by a valid C5 report.
But that doesn’t mean you’re automatically covered just because the platform runs on a major cloud provider. The e-signature provider is still responsible for how documents are handled inside the product, including encryption, access controls, audit logging, and secure storage. Without these protections, the platform can still be vulnerable even if the underlying infrastructure is secure.
That’s why you need to look beyond the hosting layer. Here’s what to check:
- Your platform’s service is listed in the attested report: C5 attestation applies only to the audited cloud services themselves, not the cloud provider as a whole. So, just because Azure is a well-known provider doesn’t automatically mean all its services are C5-compliant. If your e-signature platform runs on Azure Key Vault and Azure Blob Storage, you need to check the C5 report to confirm that those specific services are included.
- Check for recognized security certifications: Certifications such as SOC 2 Type II or ISO 27001, and compliance with GDPR and HIPAA, don't replace C5 attestation, but they indicate that the platform has implemented strong controls around access management, encryption, incident response, and operational security, which are consistent with the goals of C5.
- Encryption in transit and at rest: Signed documents contain sensitive data. Confirm that the platform encrypts documents both during transmission (when a signer receives or returns a document) and in storage.
- Verify role-based access controls: The platform should enforce granular permissions for who can create, send, sign, view, and manage documents to prevent unauthorized access or changes.
- Confirm comprehensive audit trails: Every signing event should generate a tamper-proof record including timestamps, signer identification, IP addresses, and authentication details. This ensures accountability and traceability.
- Look for transparency about data locations and subprocessors: The platform should clearly state where documents are stored, which jurisdictions apply, and which third parties are involved in processing. This transparency is important for regulatory compliance and aligns with the intentions behind C5’s data handling principles.
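Added example, not code from the original article or from Docupilot: one way a platform can make the signing audit trail described above tamper-evident, by hash-chaining each event record (timestamp, signer, IP address, authentication method, document hash) to the previous one so that verification detects any edited or deleted entry. Signer ids, IP addresses and the document hash are constructed sample values.

```python
import hashlib
import json

GENESIS = "0" * 64  # chain anchor for the first entry

def _entry_digest(prev_hash: str, event: dict) -> str:
    # Canonical JSON (sorted keys, no whitespace) so an event always hashes the same way.
    payload = json.dumps(event, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev_hash.encode() + payload).hexdigest()

def append_event(trail: list, event: dict) -> None:
    # Each entry commits to the previous entry's hash, so edits or deletions break the chain.
    prev_hash = trail[-1]["hash"] if trail else GENESIS
    entry = {"event": dict(event), "prev_hash": prev_hash}
    entry["hash"] = _entry_digest(prev_hash, entry["event"])
    trail.append(entry)

def verify_trail(trail: list):
    # Recompute every link; returns (True, None) or (False, index of the first bad entry).
    prev_hash = GENESIS
    for i, entry in enumerate(trail):
        if entry["prev_hash"] != prev_hash or _entry_digest(prev_hash, entry["event"]) != entry["hash"]:
            return False, i
        prev_hash = entry["hash"]
    return True, None

def _sample(ts: str, action: str, auth: str) -> dict:
    # Constructed values: hypothetical signer id, documentation-range IP, fake document hash.
    return {"ts": ts, "action": action, "signer": "user-001", "ip": "203.0.113.10",
            "auth": auth, "doc_sha256": "ab" * 32}

SAMPLE_EVENTS = [_sample("2025-07-01T09:15:02Z", "sent", "email-link"),
                 _sample("2025-07-01T09:21:47Z", "viewed", "email-link"),
                 _sample("2025-07-01T09:23:10Z", "signed", "sms-otp")]

def build_sample_trail() -> list:
    trail: list = []
    for ev in SAMPLE_EVENTS:
        append_event(trail, ev)
    return trail

def edit_demo():
    # Quietly changing who signed in entry 1 invalidates that entry's hash.
    trail = build_sample_trail()
    trail[1]["event"]["signer"] = "user-999"
    return verify_trail(trail)

def deletion_demo():
    # Dropping entry 1 leaves the old entry 2 pointing at a prev_hash that no longer precedes it.
    trail = build_sample_trail()
    del trail[1]
    return verify_trail(trail)
```

In a real platform the chain head would additionally be anchored outside the application's own database (for example by a periodic timestamp or signature over the latest hash), since a hash chain alone does not stop an insider from rewriting the entire log consistently.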
How Docupilot supports e-signatures in C5-regulated environments
If you’re looking for an e-signature tool built on a C5-attested cloud platform, Docupilot is a strong option.
It’s more than just an e-signature tool: it’s also a document automation platform. Instead of generating a document in one tool and routing it to a separate signing service, you can create, populate, and sign documents within the same workflow.
This means that instead of using two tools to handle sensitive data and managing compliance for both, you only have to focus on one.
What makes Docupilot secure and aligned with C5 expectations?
- Docupilot is hosted on AWS, which holds a C5 Type 2 attestation for specific services
- It is SOC 2 Type II and ISO 27001 certified, and GDPR, HIPAA, and CCPA compliant
- It also offers platform-level security features, including:
  - Tamper-proof audit trails recording who signed, when, from where, and under what authentication method
  - Signer identity verification and authentication
  - Secure document transmission throughout the signing process
  - Encryption in transit and at rest
  - Role-based access controls for document and signing workflow management
Choose an e-signature platform built on C5-attested infrastructure
Most SaaS e-signature platforms don't hold a C5 attestation themselves. But using one that runs on C5-attested cloud infrastructure and implements strong platform-level security controls helps you meet Germany's high standards for data protection and transparency.
When evaluating a platform, focus on both layers: the security of the underlying cloud infrastructure and the platform's own measures, including encryption, access controls, audit trails, and data location transparency.
Docupilot provides an e-signature and document automation workflow built on AWS infrastructure with SOC 2 Type II, ISO 27001, GDPR, HIPAA, and CCPA credentials. It simplifies compliance while keeping your documents secure.
Ready to try it out? Sign up for your 30-day free trial today.
FAQs
What is C5 compliance in simple terms?
C5 (Cloud Computing Compliance Criteria Catalogue) is a security framework created by Germany’s Federal Office for Information Security (BSI). It defines strict requirements for cloud services to ensure data is stored, processed, and protected securely.
Does an e-signature platform need to be C5 compliant?
Most e-signature platforms do not hold their own C5 attestation. Instead, what matters is whether the cloud services they rely on are covered by a valid C5 report and whether the platform itself applies strong security controls.
Who needs to care about C5 when using e-signatures?
C5 is especially important for organizations in regulated industries such as healthcare, financial services, and government. If you handle sensitive or regulated data in Germany, you should check whether the platform you use runs on C5-attested cloud services.
Is C5 the same as ISO 27001?
C5 and ISO 27001 are not the same. ISO 27001 is a certification standard for information security management systems, while C5 is an attestation framework specifically designed for cloud services.
How can I check whether an e-signature platform meets C5 expectations?
Start by confirming which cloud provider the platform uses and whether the specific services are covered by a C5 attestation report. Then check the platform’s own security features, such as encryption, access controls, audit logs, and data location transparency.