German Federal IT Committee Issues New Restrictions for Cloud Service Providers

August 24, 2015

Last month the German Federal Government IT Advisory Committee ("Federal IT Committee") issued new cloud computing service criteria for all prospective vendors to German Federal Agencies. Cloud service providers who offer, or are considering offering, cloud computing services to the relevant German Federal Agencies should plan proactively for these restrictive requirements and develop strategies to address them. The Federal IT Committee defines Cloud Services very broadly as any SaaS, PaaS or IaaS that is provided by vendors not belonging to the public administration of the German States (Länder) or the Federal State.

Under the IT Advisory Committee's criteria, before purchasing third-party cloud services, German Federal Agencies must first evaluate whether similar services can be obtained from their own resources, e.g. their own IT department or Federal- or State-owned IT providers. If it is determined that the service needs to be outsourced, vendors under consideration must meet the critical criteria summarized below, along with other requirements.

  • Business-sensitive information, including critical infrastructure information, must be stored on servers located in Germany.
  • Cloud service providers must sign vendor contracts agreeing not to disclose sensitive data to foreign agencies and ensuring that such data is not accessible by them. This requirement may trigger compliance issues for U.S. providers due to their obligations under the US Patriot Act.
  • Data that is subject to professional secrecy rules must be protected against unauthorized third-party access.
  • Personal Data (PII) may be stored or processed in the cloud only when the cloud service provider enters into a commissioned data processing agreement that conforms to the requirements of Section 11 of the Federal Data Protection Act (BDSG).
  • Open standards must be used to prevent vendor lock-in.
  • Service contracts are subject to German law and German courts, and must not require mandatory alternative dispute resolution before litigation.
  • The Federal Agency must conduct a risk analysis based on the recommendations of the Federal IT Security Agency (BSI) and contractually ensure that the required security controls can be met.

The publication of the criteria listed above represents a very important, predominantly German trend toward localizing data storage and processing services in order to (re)gain more control over such data, a trend that will have significant impacts on US and European cloud service providers. This trend is mainly driven by news reports on access to data by non-German intelligence agencies. US service providers will thus face significant challenges if they want to continue competing in this market. They will need to find smart technical and legal solutions, but could potentially use this as an opportunity to build a brand differentiator. In addition, this publication demonstrates the need for a better mutual understanding between the US and the EU of their respective security needs and interests if serious business interruptions are to be avoided.

Kriterien für die Nutzung von Cloud-Diensten der IT-Wirtschaft durch die Bundesverwaltung (Criteria for the Use of Cloud Services of the IT Industry by the Federal Administration)