
Anyone wishing to offer cloud services in the German healthcare sector will in future need a clean attestation report (Testat) in accordance with BSI C5.

Digitalization in Germany is a constant topic in the media, and the healthcare sector is no exception. The federal government has been working on the so-called Digital Act (Digital-Gesetz, DigiG) for some time. Now that the Federal Council (Bundesrat) approved the bill on February 2, 2024, its entry into force is within reach.

What is it all about?

The aim of the Digital Act is to simplify the interaction between patients and doctors by means of digital solutions and to make it more secure. At the heart of the Act is the electronic patient record (elektronische Patientenakte, ePA). The Act also covers, to name just two further examples, the digital medication overview and the further development of the e-prescription, which becomes binding.

In addition to the substantive requirements for digitalizing the healthcare system, the Act also places concrete requirements on cloud service providers whose solutions are used by hospitals and other healthcare providers, or for transmitting data between the parties involved. This is intended to counter the IT security and cyber risks that come with digitalization.

What should cloud service providers in the healthcare sector be prepared for?

For providers that deliver services to the healthcare sector via cloud models, a regular audit against the requirements of the Cloud Computing Compliance Criteria Catalogue (C5) of the German Federal Office for Information Security (BSI) is to become mandatory.

What is the BSI C5?

With the Cloud Computing Compliance Criteria Catalogue (BSI C5), the Federal Office establishes uniform criteria against which cloud service providers can align their internal control system. In addition to "classic" IT security topics such as the organization of information security, cryptography and physical security, the 17 criteria areas of the catalogue also cover topics such as portability and interoperability, dealing with investigation requests from government agencies, and product safety and security. After a successful audit by an auditing firm, cloud service providers receive an attestation report confirming the conformity of their cloud offering with the BSI C5 criteria. Because a type 2 report covers a fixed observation period rather than a single point in time, the audit must be repeated regularly.

How much time is left?

The current bill requires a C5 type 2 report as a precondition for providing services from July 1, 2025. Until then, a C5 type 1 report (a so-called suitability or design assessment, which does not test operating effectiveness) is sufficient. 2025 may still seem a long way off, but experience shows that a first assessment takes time: first, the cloud offering must be presented in an auditable system description. Second, the audit presupposes that IT controls have been derived from the criteria catalogue, implemented and documented, and, for a type 2 report, have been operating throughout the observation period. An upstream gap analysis may be needed to determine the current maturity of the controls and identify where improvement is required. Preparation plus the subsequent audit can therefore easily take several months.

What should you do now as a cloud service provider?

Get an overview of how current and how broad your existing audits and attestations are. The BSI C5 criteria catalogue overlaps substantially with widely used frameworks such as ISO 27001 and SOC 2, so it can readily be combined with comparable IT security standards. KPMG can support you in identifying areas for action through a targeted evaluation of your control coverage, as well as by auditing your internal control system against the BSI C5 criteria.

Our experts can answer your questions and support you in preparing for the Digital Act. Please feel free to contact us.