Last month the German Federal Government IT Advisory Committee ("Federal IT Committee") issued new cloud computing service criteria for all prospective vendors to German Federal Agencies. Cloud services providers who offer, or are considering offering, cloud computing services to relevant German Federal Agencies should plan proactively for these restrictive requirements and think of strategies to address them. The Federal IT Committee defines Cloud Services very broadly as any SaaS, PaaS or IaaS provided by vendors that do not belong to the public administration of the German States (Länder) or the Federal State.
Under the IT Advisory Committee's criteria, before purchasing third-party cloud services, German Federal Agencies must first evaluate whether similar services can be obtained from their own resources, e.g. their own IT department, or from Federal- or State-owned IT providers. If it is determined that the service needs to be outsourced, vendors under consideration must meet the critical criteria summarized below, along with other requirements.
The publication of the criteria listed above reflects a very important, predominantly German trend toward localizing data storage and processing services in order to (re)gain more control over the data, a trend that will have significant impacts on US and European cloud services providers. This trend is driven mainly by news reports about access to data by non-German intelligence agencies. US service providers will thus face significant challenges if they want to continue competing in this market. They will need to find smart technical and legal solutions, but could potentially use this as an opportunity to build a brand differentiator. In addition, this publication demonstrates the need for a better understanding between the US and EU on their security needs and interests if serious business interruptions are to be avoided.