With the introduction of the Digital Act on 25 March 2024, the legislator formalised the security requirements for IT solutions and services offered by service providers in the healthcare sector: a Type I attestation in accordance with the Cloud Computing Compliance Criteria Catalogue (C5) of the Federal Office for Information Security (BSI) was required by 1 July 2024 at the latest, and a Type II attestation had to be available by 1 July 2025 at the latest. But what about services that were first placed on the market after 30 June 2025? For a long time, this question remained only partially answered, at least officially. With the entry into force of the Act on the Expansion of Powers and Debureaucratisation in Care (BEEP), it has now been answered definitively.
What is it about?
With its publication in the Federal Law Gazette, the Act on the Expansion of Powers and Debureaucratisation in Care (BEEP) came into force on 1 January 2026. In margin note 44, this law extends and clarifies the current Section 393 (4) of Book Five of the Social Code (SGB V), which was first introduced by the Digital Act. This simple but important extension now clearly regulates how to proceed with IT solutions used in the healthcare sector that are placed on the market only after 30 June 2025, the deadline by which the BSI C5 Type II attestation had to be available.
What does the extension entail?
Until now, the Digital Act only specified the deadlines for BSI C5 attestation of cloud services that were already on the market; it did not address services launched later.
The BEEP now supplements this: for information technology systems placed on the market for the first time after 30 June 2025, a BSI C5 Type I attestation remains sufficient for a period of up to 18 months from market entry.
Why is this adjustment relevant?
This resolves the primary challenge that cloud service providers faced when entering the market with a new solution. A Type I attestation assesses the design and implementation of the C5 controls at a single point in time, whereas a Type II attestation additionally assesses their operating effectiveness over a period under review (the examination period), typically several months of live operation. A Type II attestation can therefore only be obtained once the service is already running productively on the market and processing customer data, which a strict reading of the previous rule would not have allowed.
What is the difference between this and the Equivalence Regulation?
The C5 Equivalence Regulation (Regulation on Security Certificates Equivalent to the C5 Standard for Cloud Computing Services in Healthcare, C5GleichwV) provides a transitional solution until the cloud provider obtains a BSI C5 attestation (Type I) or reaches an equivalent level. The main difference is that the cloud service provider may operate on the market with its solution without a BSI C5 attestation for up to 18 months (Type I) or 24 months (Type II), provided that it meets the requirements of the Equivalence Regulation. These require that:
- an existing certification or audit according to one of the following standards is available:
  - ISO/IEC 27001
  - ISO 27001 based on IT-Grundschutz
  - Cloud Controls Matrix (CCM) version 4.0;
- within twelve months of creating a milestone plan, this plan is implemented so that the gaps between the above-mentioned certifications and the C5 criteria are closed; and
- the measures are documented, including how the cloud service provider will achieve a successful BSI C5 attestation within 18 months (Type I) or 24 months (Type II) of the creation of the milestone plan.
Not compliant yet? These are the next steps
If you are a cloud service provider in the healthcare sector and your solutions do not yet have a BSI C5 attestation, it is time to take action. Waiting any longer risks exclusion from tenders and termination of existing contracts for non-compliance, and therefore a loss of market presence.
Our experts Andreas Steffens and Patrick Stadler will support you in preparing for a BSI C5 attestation.
Your contacts
Andreas Steffens
Director, Audit, Regulatory Advisory, Digital Process Compliance
KPMG AG Wirtschaftsprüfungsgesellschaft
Patrick Stadler
Senior Manager, Audit, Regulatory Advisory, Digital Process Compliance
KPMG AG Wirtschaftsprüfungsgesellschaft