Amazon Web Services has expanded its C5 compliance attestation to cover 183 cloud services across nine regions, including eight in Europe and one in Asia-Pacific. The expansion addresses growing demand for regional security standards in regulated markets, particularly from German public sector organizations and European companies handling sensitive data.
What Is C5 Compliance
The C5 standard, Cloud Computing Compliance Criteria Catalogue, is a rigorous security framework established by Germany’s Federal Office for Information Security (BSI). For organizations in the German public sector and highly regulated industries, C5 compliance is often a non-negotiable prerequisite for using cloud services.
The standard provides a verified baseline for data security and operational transparency. According to the German BSI, C5 builds upon established international security certifications like ISO/IEC 27001 while adding specific requirements for transparency and data sovereignty.
Why This Matters
The expansion allows organizations to build and deploy applications using a wider array of AWS tools while maintaining compliance with BSI’s demanding criteria. Services now covered range from core compute and storage to advanced offerings like Amazon Verified Permissions and the AWS Security Incident Response framework.
This simplifies the due diligence process for companies that must demonstrate adherence to stringent security standards. Instead of vetting each individual service, compliance teams can rely on the independent, third-party attestation provided by AWS.
Geographic Coverage
The 2025 C5 attestation applies to nine AWS Regions:
European regions:
- Europe (Frankfurt)
- Europe (Ireland)
- Europe (London)
- Europe (Milan)
- Europe (Paris)
- Europe (Stockholm)
- Europe (Spain)
- Europe (Zurich)
Asia-Pacific:
- Asia Pacific (Singapore)
The inclusion of the Frankfurt region is particularly crucial, as it allows German organizations to keep their data within national borders while leveraging a vast ecosystem of C5-compliant services.
What C5 Requires
To achieve C5 attestation, a cloud provider must provide detailed information about:
- Service operations and architecture
- Legal jurisdiction and governance
- Data processing locations
- Legal disclosure obligations
- Physical data center security
- Personnel access controls
- Incident response procedures
This level of transparency enables customers to conduct thorough risk assessments and ensure their cloud provider aligns with internal governance policies and national regulations.
Practical Benefits for Organizations
The expanded C5 coverage provides several concrete advantages:
Reduced audit burden: Compliance teams can focus on securing the application layer and their own data rather than vetting underlying infrastructure
Faster innovation: Organizations previously limited by compliance constraints can now use a broader range of AWS services without creating compliance gaps
Multi-service architectures: The breadth of attestation means customers can design complex systems using multiple AWS services while maintaining compliance
Cost savings: Relying on AWS’s third-party attestation drastically reduces the time and cost associated with conducting independent audits of each service
Accessing Compliance Documentation
AWS provides several resources for customers navigating cloud compliance:
Services in scope: The AWS Services in Scope page provides an up-to-date matrix of services and their corresponding compliance certifications, including the complete list of 183 C5-compliant services
Compliance programs: The AWS Compliance Programs page details various global and regional standards AWS adheres to
C5 attestation report: For specific inquiries or to obtain a copy of the C5 attestation report, AWS advises customers to contact their account team directly
Industry Impact
The expansion reflects growing importance of regional security standards as data sovereignty and national regulations continue shaping the cloud landscape. For European organizations, particularly in Germany, the ability to use 183 AWS services while maintaining C5 compliance removes a significant barrier to cloud adoption.
The attestation benefits:
German public sector: Government entities can leverage advanced cloud services while meeting mandatory security requirements
Regulated industries: Financial services, healthcare, and other sectors with strict data protection requirements gain access to modern cloud capabilities
Data sovereignty concerns: Organizations can address data residency requirements by using Frankfurt and other European regions
What This Signals
AWS’s expansion of C5 attestation to 183 services across nine strategic regions demonstrates commitment to meeting stringent European market security and compliance demands. The breadth of coverage, spanning foundational infrastructure to advanced authorization services, allows organizations to build comprehensive cloud solutions without compromising compliance.
As regional regulations continue evolving, comprehensive compliance initiatives like this expansion will remain critical for building digital trust and enabling cloud adoption in regulated environments.
Follow us on Bluesky, LinkedIn, and X to Get Instant Updates
