+OPS-32.01B

1. Übersicht

OPS-32.01B

If the cloud service comprises capabilities for confidential computing, policies and procedures and technical safeguards are documented, communicated and provided according to SP-01, in which the following aspects are described:

1. Purpose and scope, including which information security risks on the cloud service provider's side are to be mitigated through the use of confidential computing (cf. OIS-07) and how the cloud service customers can use the provided features to manage information security risks on their side;
2. Available confidential computing technologies;
3. Determination of which parts of the cloud stack are protected with each technology and where third-party access is possible;
4. Listing of involved suppliers/service organisations; and
5. Utilisation of Trusted Execution Environments (TEEs) or secure enclaves.

Confidential computing as defined by the Confidential Computing Consortium and within the meaning of this criterion is the protection of data 'in use' by performing computation in a hardware-based, attested Trusted Execution Environment (TEE).

A TEE represents an isolated part within a system that provides a specially protected runtime environment. The TEE can be part of the main processor (CPU) or part of the system-on-chip (SoC). Generally, a TEE enforces that only authorised code can execute within the TEE and data used by that code cannot be read or tampered with by code outside the TEE. The attestation of the TEE and the application running within the TEE serve to validate the trustworthiness of the processing.

Confidential computing measures include the implementation and monitoring of technical and organisational controls to ensure the secure deployment and operation of confidential computing technologies. Such measures may include the validation of TEE configurations, continuous attestation processes, monitoring for unauthorised code changes, and lifecycle management of attested environments.

Bezeichnung	Standard

1.1 Referenzen

1.2 Identifizierte Anforderungen

1.2 Related Regulation

2. Identifizierte Anforderungen

Anforderungen
Source	Anforderung

3. Related Regulations

Regulations
Source	Regulierung

Cloud Computing Compliance Criteria Catalogue (C5:2026) -
Copyright by Bundesamt für Sicherheit in der Informationstechnik (https://www.bsi.bund.de/)

https://www.bsi.bund.de/DE/Themen/Unternehmen-und-Organisationen/Informationen-und-Empfehlungen/Empfehlungen-nach-Angriffszielen/Cloud-Computing/Kriterienkatalog-C5/C5_2025/C5_2025_node.html