In July 2023, the German Federal Ministry of Health presented the draft law on Digital Act, affecting digital health data and thus for the information security of cloud-based services.

Digital technologies enhance healthcare with innovations like electronic patient records and video consultations but raise data protection and cybersecurity concerns. At the same time, more and more cloud-based applications (e.g. Amazon Web Services (AWS), Google Cloud Platform (GCP), Microsoft Azure) are being used to process sensitive health data, which leads to higher risks.

Germany's Digital Act (DigiG) and the Act on the Improved Use of Health Data (GDNG) aim to streamline treatment and boost research. From July 2025, cloud services handling German patient data must have a BSI (Federal Office for Information Security) C5 Type 2 audit report.

Even though the new laws only apply to Germany so far, Swiss providers of digital health services must check whether they are affected by them, because the requirements have extraterritorial appeal. To achieve compliance with the legal requirements in Germany and ensure that the cloud provider meets all the requirements of the Digital Act in a timely manner, Swiss companies should follow a roadmap that includes these steps:

• Evaluate the law's applicability.
• Conduct a BSI C5 gap assessment & prepare for BSI C5 exam.
• Perform a BSI C5 Type 1 audit (design and implementation) by end of 2023 and a BSI C5 Type 2 audit (design, implementation and operating effectiveness) by mid-2024.
• Publish the BSI C5 report by July 2025.