BSI Critical Infrastructures

BSI Critical Infrastructures (KRITIS)

OVHcloud is officially registered with the Federal Office for Information Security (BSI) as an operator of Critical Infrastructures (KRITIS) in Germany. OVHcloud thus fulfills the BSI's requirements for companies whose services are of central importance for the common good and security of supply.

The German IT Security Act obliges operators of Critical Infrastructures (e.g. data centers) to register with the BSI and comply with legal obligations. These obligations include demonstrating compliance with security requirements, with a focus on implementing suitable technical and organizational measures. Examples are the introduction and maintenance of an effective information security management system (ISMS) and physical and logical access controls to data centers and systems. The evidence and documentation must be submitted to the BSI every two years as part of an audit.

OVHcloud's German subsidiary, DCD Data Center Deutschland GmbH, is registered with the BSI as a Critical Infrastructure operator and meets all of the BSI's required standards. OVHcloud's data center in Germany is regularly audited by independent auditors for compliance with the KRITIS Regulation and the IT Security Act.

C5 - Cloud Computing Compliance Criteria Catalogue

The German Federal Office for Information Security (BSI) has created the C5 (Cloud Computing Compliance Criteria Catalogue) as an audit standard. This standard was last updated in 2020. For OVHcloud customers and partners, C5 certification confirms that a platform complies with the relevant security controls. C5 supplements the IT security standard, which is defined in the regulations and is equivalent to IT baseline protection, with additional controls specifically designed for the cloud.

Parameters and certificates

In its catalogue of requirements, the BSI formulates criteria under which the cloud provider must disclose, for example, the place of jurisdiction and its existing certifications, as well as how it deals with investigation requests from government agencies for access to or disclosure of cloud customers' data. The cloud provider must also be able to specify the exact location of data processing and service provision. Thanks to this transparency, potential cloud customers can decide whether legal regulations (e.g. the GDPR on data protection), customer guidelines and possible threats from industrial espionage together make the use of the cloud service appear appropriate.