
Is Kubernetes ready for BSI C5:2026?

The new BSI C5:2026 standard has been released. Its key changes concern Container Management, Confidential Computing, Post-Quantum Cryptography and Supply Chain Security.

April 7, 2026 | KolTEQ | 6 min read
Compliance
Confidential Computing
Cryptography

On April 7, 2026, the German Federal Office for Information Security (BSI) released the new C5:2026 standard, which is an update to the previous C5 2020 standard. The C5 (Cloud Computing Compliance Controls Catalogue) is a set of requirements and controls for cloud service providers to ensure the security and compliance of their services.

Link to the official BSI C5:2026 Catalogue: BSI C5:2026

Key Changes

"Inclusion of new criteria addressing current technical developments and advances, in particular regarding container management, supply chain management, post-quantum cryptography, and confidential computing;" - BSI C5:2026 P. 8

The following sections summarize the key changes, but for a comprehensive understanding, it is recommended to review the official BSI C5:2026 Catalogue.

Container Management

Based on the C5:2026 OPS-34 and OPS-35 criteria, container management requirements include:

  • Lifecycle Policies: Document and communicate procedures for image creation, testing, validation, storage, retrieval, deployment, management, operations, and decommissioning. The provider must actively implement and maintain these technical and organizational measures.
  • Inventory and Change Control: Maintain a documented container inventory and ensure all changes to containers or images follow a regulated process.
  • Security and Hardening: Assess and enforce malware protection while hardening images to industry standards to remove unnecessary system services.
  • Data Isolation and Access: Separate customer data using risk-based assessments and restrict container host access through formal roles, rights, and authorization policies.
  • Encryption: Protect data stored on containers and data in transit through encryption aligned with established security policies.
  • Monitoring and Networking: Log and monitor events across the entire lifecycle and establish network security to detect anomalies, unauthorized access, or unexpected data flows.
  • Integrity and Scanning: Cryptographically sign images with secure key storage, monitor behavior with runtime controls, and scan images and dependencies for vulnerabilities or malicious components.

Confidential Computing

Based on the C5:2026 OPS-32 and OPS-33 criteria, Confidential Computing requirements include:

  • Policies & Transparency: Document and communicate purpose, scope, utilized technologies, protected cloud stack areas, and involved service organizations.
  • Data-in-Use Protection: Utilize hardware-based Trusted Execution Environments (TEEs) or enclaves to isolate and process sensitive data securely.
  • Zero-Access Security: Implement technical safeguards preventing provider or unauthorized access to customer data and keys while using compliant cryptographic algorithms.
  • Technical Framework: Maintain documented interfaces, hardware attestations, encryption techniques, and regular Trusted Computing Base updates.
  • Assurance & Audits: Establish monitoring, logging, security reviews, and event-driven penetration tests to verify safeguard effectiveness.
  • Remote Attestation: Provide cryptographically rooted functionalities and customer interfaces to verify TEE identity, measured state, and executed code.
  • Trust Levels: Define attestation levels ranging from weak (provider-managed) to very strong (customer-verified in a fully trusted environment).

Post-Quantum Cryptography

Based on the BSI C5:2026 criteria, the Post-Quantum Cryptography (PQC) requirements, in condensed form, include:

  • PQC Strategy: Document a formal roadmap for transitioning to quantum-resistant standards.
  • Cryptographic Inventory: Maintain a list of cryptographic mechanisms prioritized by quantum vulnerability and remediation effort.
  • Hybrid Models: Combine classical cryptographic mechanisms with quantum-safe algorithms for dual protection.
  • Crypto-Agility: Enable efficient substitution of cryptographic mechanisms during their intended lifetimes.
  • Risk Assessments: Perform annual reviews addressing "store now, decrypt later" threats and evolving quantum capabilities.

Supply Chain Security

Based on the BSI C5:2026 criteria SSO-07 (Transparency) and SSO-08 (Functional Components), the Supply Chain Security requirements, in condensed form, include:

  • Governance & Policy: Document procedures for identifying, classifying, and monitoring all service organizations.
  • Mandatory Risk Assessments: Evaluate service organizations prior to engagement regarding data protection, dependencies, and subcontractors. Conduct reviews at least annually.
  • Zero-Access Principle: Prohibit service organization access to customer or account data unless justified by risk assessment and authorized by the customer.
  • Transparency & Subcontractors: Maintain a service organization directory and inform customers of any subcontractors processing data. Document all data flows and security interfaces.
  • Compliance Monitoring: Regularly review quality reports, ISO certificates, and independent audit reports (e.g., ISAE 3402, C5).
  • Exit Strategies: Document termination and transition plans for providers with "very high dependency," such as data center operators.
  • Component Control: Authorize all updates or content from functional component suppliers before they enter the service infrastructure.

Kubernetes Readiness

Kubernetes is one of, if not the, most widely used products for running containers in cloud environments. The changes and additions in the BSI C5:2026 standard need to be implemented to stay compliant. While everything around Container Management is the core discipline of Kubernetes, the other areas of Confidential Computing, Post-Quantum Cryptography and Supply Chain Security are not directly related to Kubernetes, but they must nevertheless be implemented in Kubernetes environments.

For Container Management one needs to follow well-known security best practices, such as:

  • Regularly update and patch Kubernetes components and container images to address vulnerabilities.
  • Implement Role-Based Access Control (RBAC) to restrict access to Kubernetes resources based on the principle of least privilege.
  • Use Admission Controllers to enforce security policies and validate container configurations.
  • Enable Kubernetes Network Policies to control traffic flow between pods and services.
  • Implement logging and monitoring to detect and respond to security incidents in the Kubernetes environment.
  • Use secure container registries and scan images for vulnerabilities before deployment.
  • Implement secrets management to securely store and manage sensitive information used by containers.
  • Regularly perform security assessments and penetration testing to identify and mitigate potential vulnerabilities in the Kubernetes environment.
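Several of the OPS-34/35 points above (images from trusted registries, signed and immutable artifacts, hardened images, restricted privileges) can be turned into mechanical checks that an admission controller applies before a pod is scheduled. The following Go program is an added example, not code from the original post or from the Kubernetes project: it shows the validation logic a validating admission webhook would run against an incoming Pod manifest. The Kubernetes types are mirrored with minimal structs so it runs offline; the registry name registry.example.internal, the two pod manifests and the digest value are constructed. In a real cluster, Pod Security Admission and ValidatingAdmissionPolicy (CEL) cover much of this natively, so a custom webhook is only needed for organization-specific rules such as the registry allowlist.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"strings"
)

// Minimal subset of the Pod manifest; the real k8s.io/api/core/v1 types carry far more fields.
type Pod struct {
	Metadata struct {
		Name      string `json:"name"`
		Namespace string `json:"namespace"`
	} `json:"metadata"`
	Spec struct {
		InitContainers []Container `json:"initContainers"`
		Containers     []Container `json:"containers"`
	} `json:"spec"`
}

type Container struct {
	Name            string           `json:"name"`
	Image           string           `json:"image"`
	SecurityContext *SecurityContext `json:"securityContext"`
}

type SecurityContext struct {
	Privileged               *bool `json:"privileged"`
	RunAsNonRoot             *bool `json:"runAsNonRoot"`
	ReadOnlyRootFilesystem   *bool `json:"readOnlyRootFilesystem"`
	AllowPrivilegeEscalation *bool `json:"allowPrivilegeEscalation"`
}

// Policy captures a few OPS-34/35 expectations as checkable rules (hypothetical policy, not a C5 artifact).
type Policy struct {
	AllowedRegistries []string
}

// A digest-pinned reference ends in "@sha256:<64 hex>"; tags such as ":latest" are mutable.
var digestRef = regexp.MustCompile(`@sha256:[0-9a-f]{64}$`)

// Validate returns one human-readable violation per failed rule; an empty list means admit.
func (p Policy) Validate(podJSON []byte) ([]string, error) {
	var pod Pod
	if err := json.Unmarshal(podJSON, &pod); err != nil {
		return nil, fmt.Errorf("decode pod: %w", err)
	}
	var out []string
	containers := append(append([]Container{}, pod.Spec.InitContainers...), pod.Spec.Containers...)
	for _, c := range containers {
		where := fmt.Sprintf("%s/%s container %q", pod.Metadata.Namespace, pod.Metadata.Name, c.Name)
		if !p.registryAllowed(c.Image) {
			out = append(out, where+": image "+c.Image+" is not from an approved registry")
		}
		if !digestRef.MatchString(c.Image) {
			out = append(out, where+": image "+c.Image+" is not pinned by sha256 digest")
		}
		sc := c.SecurityContext
		if sc == nil {
			out = append(out, where+": no securityContext set")
			continue
		}
		if sc.Privileged != nil && *sc.Privileged {
			out = append(out, where+": privileged containers are not allowed")
		}
		if sc.RunAsNonRoot == nil || !*sc.RunAsNonRoot {
			out = append(out, where+": runAsNonRoot must be true")
		}
		if sc.ReadOnlyRootFilesystem == nil || !*sc.ReadOnlyRootFilesystem {
			out = append(out, where+": readOnlyRootFilesystem must be true")
		}
		if sc.AllowPrivilegeEscalation == nil || *sc.AllowPrivilegeEscalation {
			out = append(out, where+": allowPrivilegeEscalation must be false")
		}
	}
	return out, nil
}

// registryAllowed resolves the registry host the way container runtimes do: the first path
// segment is a registry only if it contains '.' or ':' or is "localhost"; otherwise docker.io is implied.
func (p Policy) registryAllowed(image string) bool {
	host := "docker.io"
	if i := strings.Index(image, "/"); i > 0 {
		if first := image[:i]; strings.ContainsAny(first, ".:") || first == "localhost" {
			host = first
		}
	}
	for _, allowed := range p.AllowedRegistries {
		if host == allowed {
			return true
		}
	}
	return false
}

// Constructed sample manifests (not taken from any real cluster); the digest is a placeholder value.
const compliantPod = `{"metadata":{"name":"api","namespace":"payments"},"spec":{"containers":[{"name":"api",
 "image":"registry.example.internal/payments/api@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef",
 "securityContext":{"privileged":false,"runAsNonRoot":true,"readOnlyRootFilesystem":true,"allowPrivilegeEscalation":false}}]}}`

const riskyPod = `{"metadata":{"name":"debug","namespace":"payments"},"spec":{"containers":[{"name":"shell",
 "image":"nginx:latest","securityContext":{"privileged":true}}]}}`

var policy = Policy{AllowedRegistries: []string{"registry.example.internal"}}

func main() {
	for _, manifest := range []string{compliantPod, riskyPod} {
		violations, err := policy.Validate([]byte(manifest))
		fmt.Println(len(violations), "violation(s), err:", err)
		for _, v := range violations {
			fmt.Println("  -", v)
		}
	}
}
```

The compliant manifest passes cleanly; the risky one is rejected on six counts (untrusted registry, mutable tag, privileged, and three missing hardening settings), which is the kind of evidence an auditor will ask for when checking that the hardening and integrity criteria are enforced rather than merely documented.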

In order to meet the Post-Quantum Cryptography requirements, Kubernetes depends on support in the libraries it uses and in its programming language, Go. A very informative blog post about the state of Post-Quantum Cryptography in Kubernetes can be found here: Post-Quantum Cryptography in Go. In conclusion, the crypto/tls library used by Kubernetes already supports the X25519MLKEM768 hybrid key exchange. This mechanism provides robust protection against future quantum threats by combining the industry-standard security of classical elliptic curve cryptography (X25519) with the post-quantum resilience of ML-KEM (formerly Kyber).
Signature algorithms like ML-DSA (FIPS 204) are not yet supported in the standard library, but there are ongoing efforts and support might ship in upcoming Go releases.

For confidential computing, there is the Confidential Containers project, to enable confidential computing in Kubernetes. It provides a framework for running workloads in a secure and isolated environment, leveraging hardware-based Trusted Execution Environments (TEEs) to protect data in use. It is a Container Runtime Interface (CRI) implementation, based on Kata Containers.

Managing supply chain security in Kubernetes environments is a complex task. A paper by the Cloud Native Computing Foundation (CNCF) TAG Security, Supply Chain Best Practices, provides a comprehensive overview of best practices for securing the software supply chain in cloud-native environments. There are also frameworks and tools, such as SLSA (Supply-chain Levels for Software Artifacts) and Sigstore, that deal with supply chain security.
Using SBOMs (Software Bills of Materials) helps to manage supply chain risks by providing visibility into the components and dependencies used by container images.

Conclusion

Kubernetes can be compliant with the BSI C5:2026 standard if the Go implementation of post-quantum signatures is done, but compliance requires a comprehensive approach to security that goes beyond the container management aspects alone. Organizations need to implement best practices for container security, stay informed about developments in post-quantum cryptography, and manage supply chain risks effectively to ensure compliance with the new standard. Additionally, leveraging tools and frameworks designed for confidential computing and supply chain security can help organizations meet the requirements.

For organizations looking to achieve BSI C5:2026 compliance in their Kubernetes environments, KolTEQ is here to help. Contact us today to learn more about how we can assist you in achieving BSI C5:2026 compliance.