
Cloud Certifications Explained: ISO 27001, BSI C5, HDS & More

What all those compliance badges actually mean. Which ones you legally need, and which are just marketing fluff.

Michael Raeck
8 min read

Every cloud provider has a footer full of certification logos. ISO this, SOC that, some German acronym you’ve never seen. Most people assume “more badges = more secure” and move on. That’s not quite how it works.

Some certifications are legally required for specific industries. Others are just nice-to-have. Here’s the breakdown.

The matrix

Industry       | Country     | Required        | Since
Healthcare     | Germany     | BSI C5 Type 2   | July 2025
Healthcare     | France      | HDS v2.0        | Nov 2024
Public Sector  | Germany     | BSI C5          | 2020
Public Sector  | France      | SecNumCloud     | 2022
Critical Infra | Germany     | BSI C5 Type 2   | 2021
Critical Infra | France      | SecNumCloud     | 2022
Financial      | EU-wide     | DORA            | Jan 2025
Financial      | Switzerland | FINMA           | -
Insurance      | EU-wide     | DORA            | Jan 2025
B2B SaaS → US  | Any         | SOC 2           | -
General        | EU-wide     | ISO 27001       | -

Legend (cell colours in the original): red = legally required, yellow = often required, green = baseline.

The details

ISO 27001 — The baseline

If a provider doesn’t have ISO 27001, run. It’s the absolute minimum for any serious infrastructure. It proves they run a documented information security management system (ISMS) that an accredited auditor checks on a recurring cycle.

Everyone has it. It’s table stakes, not a differentiator. Two companies with the same cert can have wildly different actual security, because ISO 27001 certifies the management process, not any specific technical control. Also read the certificate’s scope statement: it may cover only some sites, services or legal entities, and anything outside that scope was never audited.

BSI C5 — German government & healthcare

BSI C5 (Cloud Computing Compliance Criteria Catalogue) is Germany’s cloud security standard. Two report types, mirroring SOC 2:

  • Type 1: Controls exist and are suitably designed at a point in time
  • Type 2: Controls actually operated effectively over a period (usually 12 months)

Who needs it:

  • German federal agencies (mandatory since 2020)
  • German healthcare / statutory health insurance (Type 2 mandatory since July 2025 per §393 SGB V)
  • KRITIS operators (critical infrastructure)

Who has it: STACKIT, plusserver, T-Systems. The hyperscalers have it too, but remember the CLOUD Act problem.

STACKIT is interesting — owned by Schwarz Group (Lidl/Kaufland). No US ownership anywhere.

HDS — French healthcare

HDS (Hébergeur de Données de Santé) is mandatory for hosting French health data. Version 2.0 came into effect in November 2024 with stricter requirements, including mandatory storage of the data within the EEA.

Two scopes:

  • Hébergeur d’infrastructure physique: You provide the infrastructure, the customer runs the health applications
  • Hébergeur infogéreur (managed hosting): You manage everything, including the health applications

Who has it: OVHcloud, Scaleway, Outscale. Also AWS, Azure, Google Cloud (but sovereignty issues apply).

SecNumCloud — French government

SecNumCloud is France’s national security certification from ANSSI. Mandatory for French public sector handling sensitive data and for OIVs (Operators of Vital Importance).

Version 3.2 has strict sovereignty requirements:

  • Provider must be under EU control: no single non-EU shareholder above 24%, and non-EU shareholders no more than 39% in total
  • All data and operations (including administration and support) must stay in the EU
  • Must be immune to foreign law (read: the CLOUD Act)

This is why US hyperscalers can’t get it directly. S3NS (Thales + Google) got certified in late 2025 with Thales having operational control.

Pure French providers with SecNumCloud include OVHcloud, Outscale (3DS Outscale, the Dassault Systèmes subsidiary) and Clever Cloud.

DORA — EU financial services

DORA (Digital Operational Resilience Act) applies to all EU financial entities since 17 January 2025. Not a certification per se, but a regulatory framework that your cloud provider needs to support, since the obligations fall on you, the financial entity, and flow down into your contracts.

Who it covers: Banks, insurance companies, investment firms, payment providers, crypto-asset service providers.

What your contract with a cloud provider must contain (DORA Art. 30, key contractual provisions):

  • Audit and access rights for you and your regulator
  • Incident notification and assistance procedures
  • Exit strategies and termination rights, with a transition period
  • Service level descriptions with quantitative performance targets

AWS, Azure, and Google Cloud were designated as Critical Third-Party Providers in November 2025, meaning they’re now under direct EU supervisory oversight.

Penalties: For financial entities, DORA leaves the sanctions to each member state’s competent authority. For designated critical third-party providers, the Lead Overseer can impose periodic penalty payments of up to 1% of average daily worldwide turnover for up to six months.

FINMA — Swiss financial

FINMA is Switzerland’s financial regulator. There is no FINMA certification for cloud providers; if you’re handling Swiss banking or insurance data, your provider needs to let you meet FINMA’s outsourcing requirements (FINMA Circular 2018/3) contractually, including audit rights for you, your auditor and FINMA.

The 2025 Swiss Bankers Association Cloud Guidelines added new requirements around foreign lawful access — acknowledging that many providers operate across jurisdictions.

Who supports it: Exoscale is the main Kubernetes-focused option. Swiss-headquartered with Swiss data centers, though owned by A1 Digital (Telekom Austria Group) rather than a Swiss parent.

SOC 2 — Selling to Americans

SOC 2 is an American standard. Not legally required in Europe, but if you sell B2B SaaS to US enterprises, their procurement teams will ask for it.

Type 1 = point-in-time audit. Type 2 = covers an observation period, typically 6 to 12 months. Ask for the Type 2 report; a Type 1 only says the controls existed on one day.

European providers with SOC 2: Civo, Gcore, plusserver. Still European companies under European jurisdiction (Civo is UK-based, so UK rather than EU law), but with the American checkbox.

NIS2 — Critical infrastructure

NIS2 is the EU’s updated cybersecurity directive for critical infrastructure. Applies to 18 sectors including cloud computing, data centers, and digital service providers.

It’s not a certification — it’s a regulatory framework. But member states can require “essential” and “important” entities to only use certified cloud providers once EUCS (the EU cloud certification scheme) is finalized.

Penalties: Up to €10 million or 2% of global turnover for essential entities (€7 million or 1.4% for important entities). Management can be held personally liable.

EUCS — The future EU standard

EUCS (European Cybersecurity Certification Scheme for Cloud Services) is still being finalized. Will have three levels: Basic, Substantial, High.

There was supposed to be a “High+” level with sovereignty requirements (EU ownership, no foreign law exposure), but it’s been controversial and discussions are stalled.

Once adopted, expect public sector and critical infrastructure to require EUCS certification.

Provider quick reference

(The original page shows a checkmark grid with columns ISO 27001, BSI C5, HDS, SecNumCloud and SOC 2 for OVHcloud, Scaleway, STACKIT, plusserver, Exoscale, Civo, Gcore and Hetzner. The checkmarks did not survive extraction; refer to the sections above and to the provider pages for who currently holds what.)

Note: FINMA compliance is contractual, so check directly with the provider.

The bottom line

Certifications attest to security practices. They don’t change legal jurisdiction.

AWS can have every cert in the book. They’re still an American company subject to American courts. A BSI C5 certification doesn’t make the CLOUD Act go away.

For actual sovereignty, you need:

  1. EU/EEA/Swiss headquarters
  2. No US parent company
  3. No US companies in the ownership chain

Then look at certifications for your specific compliance requirements.


Check which providers have which certs: Provider Details

Michael Raeck

Cloud infrastructure nerd. Building tools to make Kubernetes less painful and more affordable in Europe. Running Talos clusters on Hetzner for fun.
