Atlassian achieves BSI C5 Type 2 for Jira, Jira Service Management, and Confluence

We’re excited to share that Atlassian has successfully completed the BSI C5:2020 Type 2 assessment for Jira Cloud, Jira Service Management, and Confluence Cloud.

The BSI C5 Type 2 report is now available to customers on request through the Atlassian Trust Center here C5 | Atlassian .

What is BSI C5 and why it matters?

The Cloud Computing Compliance Criteria Catalogue (C5) is a rigorous cloud security standard published by the German Federal Office for Information Security (BSI). It’s widely used by:

• Public sector organizations in Germany
• Operators of critical infrastructure
• Enterprises across the EU with heightened regulatory and security expectations

C5 Type 2 goes beyond a point‑in‑time review. It evaluates whether controls were designed appropriately and operated effectively over a defined period, providing stronger assurance than Type 1 alone.

What does this mean for you?

Completing the BSI C5 Type 2 assessment delivers several concrete benefits to our customers:

The C5 Type 2 report offers comprehensive and detailed insight into Atlassian’s internal controls as well as the results of their rigorous testing procedures. This report is designed to assist security, risk, and compliance teams in thoroughly assessing Atlassian’s practices against their own specific control frameworks. By providing this level of transparency, the report helps organizations streamline their vendor risk assessments and effectively satisfy various audit requirements that they may face.

As a result, European and German-based public sector and enterprise customers who have this particular compliance requirement can now confidently adopt Atlassian Cloud services. They can do so knowing that Atlassian meets stringent security and compliance standards, which supports their regulatory obligations and internal policies.

Our ongoing commitment to security, compliance, and risk management

Achieving C5 Type 2 is not a one‑off milestone—it’s part of our broader, ongoing commitment to:

• Maintaining strong, effective controls
  The assessment covers a comprehensive set of C5:2020 basic criteria across areas like organization & governance, identity and access management, operations, incident management, and more. We are committed to continuously operating and improving these controls so they remain effective over time.

• Proactively addressing risks and findings
  Where the assessment identifies issues or opportunities for improvement, our teams work to:

  • Analyze the underlying risk

  • Implement remediation measures

  • Incorporate lessons learned into our broader control framework

  This ensures that C5 is not just a checkbox exercise, but a driver for ongoing risk reduction and control maturity.

• Regular re‑assessments and continuous improvement
  C5, similar to SOC 2, is an attestation that is renewed on a recurring basis. We intend to maintain and enhance our C5 compliance posture, so customers can continue to rely on current, independently validated information about our controls and risk management practice.

For more information about our Security and Compliance Program, reports, and certificates, visit our trust center Trust Center | Atlassian.