heise PlusAbo
Anzeige

Commentary: Sovereignty is not in the catalog, but in the contract

The Germany Stack is intended to revolutionize administrative IT. But without binding procurement, the standards remain ineffective, argues Moritz Förster

listen Print view
Germany on a holographic map

(Image: bluefish_ds/Shutterstock.com/heise medien)

7 min. read
iX Magazin
By
Contents

The Germany Stack of the IT Planning Council is the most ambitious standardization paper for German administrative IT in years. Over 50 standards, protocols, and regulations, seven architectural layers, from the cloud to artificial intelligence. On paper, this looks impressive. But paper is patient – and unfortunately, so is the German administration.

An opinion by Moritz Förster
Ein Kommentar von Moritz Förster

Moritz Förster has been writing for iX and heise online since 2012. He is responsible for the iX channel and the areas of workstations and servers.

The crucial question for the Germany Stack is not which standards it names. It is whether these standards will ever appear in enough tenders. Because between resolution and procurement, there is an abyss in the German administration that cannot be bridged by any architectural diagram.

Binding sounds good – but is hardly

Anyone who reads the resolution text carefully will notice: The binding nature is weaker than one might initially assume. The standards are considered the “binding basis for the solutions of the Germany Stack.” This means: Anyone developing a solution within the Stack must adhere to the standards. However, whether an authority actually uses the finished product is another question. Here, the resolution merely states that federal, state, and local governments “strive” to use them in new and further developments.

Strive. Not: implement. Not: mandatorily introduce. Strive.

The resolution itself mentions no sanctions, no audits, no reporting obligations. It targets new and further developments – the vast majority of existing systems remain practically untouched. And municipalities, which provide a large portion of administrative services, are institutionally involved in the IT Planning Council but are not voting contractual parties. A binding standard without enforcement instruments is ultimately a recommendation in disguise.

ODF: Repeatedly resolved, hardly implemented

How ineffective do standard resolutions remain without procurement consequences? This is shown by a format that also reappears prominently in the Germany Stack: the Open Document Format. ODF has been on the wish lists of administrative digitalization for ages. Only in March 2025 did the IT Planning Council, with Resolution 2025/06, decide that ODF should become the standard for document exchange by 2027. Now ODF is also included in the Germany Stack. That's good.

But: The reality in the authorities is different. Federal and many states continue to rely heavily on Microsoft. Schleswig-Holstein is one of the few states actively driving the switch to LibreOffice and open formats – a process that is lengthy and politically contested even there. Bavaria, on the other hand, urgently wants to move to the M365 cloud. These are not the conditions under which another ODF resolution will suddenly have an effect.

One may therefore ask: ODF is now also in the Germany Stack – will anything have changed by 2028 regarding authorities sending DOCX files to each other? Unfortunately, the fear must be: No.

Sovereign Cloud Stack: Standard without funding

The contradiction between claim and reality becomes even clearer with the Sovereign Cloud Stack. The SCS, developed by the Open Source Business Alliance, defines a completely open, interoperable cloud technology stack for administration. The Germany Stack includes it as a binding cloud standard alongside OpenStack and the standards of the German Administrative Cloud.

At the same time, the federal government has allowed the funding for the SCS to expire; instead, the member companies of the OSBA stepped in. The project, which is intended to provide the technical basis for sovereign cloud infrastructures, must continue to develop without public funding – while AWS, Azure, and Google stand at the door with well-funded US offerings.

In procurement reality, this means: If a contracting authority has to choose between a turnkey hyperscaler offer and an SCS-compliant offer based on such a funded open-source platform, the former will likely win in numerous instances. Not out of malice, but out of understandable pragmatism. So, a standard is named, but not funded. And thus, the credibility of the entire endeavor is undermined.

Videos by heise

The contracting authority decides, not the committee

The structural problem behind all of this: In practice, committees do not decide on the technology used, but contracting authorities. And they often follow different logic than an architectural paper.

Procurement law does allow for qualitative and technical award criteria – digital sovereignty could thus be mapped in procurement law. In practice, however, economy and competition are the maxim. The chronic shortage of skilled workers in authorities exacerbates the concern: Even if a tender requires SCS conformity – who is supposed to operate the infrastructure afterwards? In procurement practice, the solution that is available fastest and can be operated with the least internal effort regularly wins. And often, these are the proprietary market leaders.

The Germany Stack simply cannot take the reins from them. It merely defines which standards are sovereign. It says little about how they should be incorporated into service descriptions, qualification criteria, and award decisions.

From catalog to contract

Yet, there are starting points. The EVB-IT – the Supplementary Contract Conditions for IT Procurement – are already in the Stack. This is a correct step. But they would need to be extended with concrete Stack conformity criteria, so that adherence to the defined standards becomes an auditable part of contracts.

A model for this exists: The BSI's C5 catalog has established itself as a central criterion in public administration cloud tenders. While a C5 certificate is formally not the only way to prove security requirements – in practice, hardly any cloud provider wanting to work for the administration can bypass it. This principle could be transferred to the Germany Stack: Stack conformity as a significant qualification criterion, not as a non-binding recommendation.

The real test begins now

The Germany Stack deserves recognition. Although there were earlier standardization frameworks with SAGA and the Federal IT Architecture Guideline – in its concrete focus on over 50 named standards across seven architectural layers, the Germany Stack goes significantly further than its predecessors. Anyone who knows the tough history of administrative digitalization in this country knows that this alone is not a matter of course.

But the history of German administrative digitalization is also a history of resolved standards that never made it into contracts. Of strategy papers that disappeared into drawers. Of pilot projects that never scaled.

The actual test for the Germany Stack is not the IT Planning Council. It begins in the next tender by a state data center. In the next procurement procedure for a municipal specialized application. In the next framework agreement for cloud services.

We have planned our sovereignty enough. Let's finally get to work!

(fo)

Don't miss any news – follow us on Facebook, LinkedIn or Mastodon.

This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.

Beliebte Bestenlisten

Alle Angebote
Newsletter heise-Bot heise-Bot Push Nachrichten Push Push-Nachrichten