10 May, 2022
On March 1, 2022, the Federal Government Commissioner for Information Technology (Federal CIO) issued supplementary contract terms and conditions for the procurement of cloud services, known as “EVB-IT Cloud”. Public authorities that wish to engage private-sector cloud service providers must take EVB-IT Cloud into account and incorporate it into the relevant contracts. The new provisions apply to federal, state and local authorities. EVB-IT Cloud supplements the ten existing EVB-IT contract templates for other IT services.
The contract template for cloud services governs the contractual relationship between a cloud service provider and a public authority. It defines specific rights and obligations of the contractual partners and addresses numerous aspects of information security. These are largely based on the Cloud Computing Compliance Criteria Catalogue (“C5”) issued by the German Federal Office for Information Security (“BSI”). As a result, the new provisions impose stricter security requirements on cloud service providers and require them to comply with the BSI C5 criteria. Providers can demonstrate compliance with these requirements by obtaining a BSI C5 attestation report.
The EVB-IT Cloud includes specific obligations that cloud service providers must fulfill. These obligations are separated into the following eight categories:
One essential component of EVB-IT Cloud is the obligation to provide evidence confirming that the basic BSI C5 criteria are met.
While federal authorities have for several years been required by law to apply the BSI Minimum Standard for the use of external cloud services (“Mindeststandard des BSI zur Nutzung externer Cloud-Dienste”) in their procurement processes, state and local authorities must now likewise use only cloud services that evidence conformity with the BSI C5.
EVB-IT Cloud provides five documents related to the drafting of contracts that can be downloaded from the Federal CIO website:
In addition, a data processing agreement with appropriate technical and organisational measures (TOMs) must be signed and attached to the contract.
EVB-IT Cloud requires the cloud service provider to make a monthly report on certain key figures available to the authority. This report should give the authority a comprehensive and detailed overview of defined key performance indicators and of any incidents that occurred during the previous month.
The cloud service provider must state, for example, how long its cloud service was unavailable and what impact this had on the percentage availability. The report must also inform the public authority of any security-relevant incidents affecting performance, even if they have already been resolved, and must disclose any overruns of the agreed response and recovery times, if any occurred.
The cloud service provider is responsible for observing confidentiality requirements and must protect the cloud computing service from unauthorised access. In addition, it is required to appoint an IT security officer, who must be available to the public authority.
The IT security officer is also responsible for handling incidents in a coordinated and timely manner. This applies in particular if an incident causes a failure in any part of the services.
For this purpose, EVB-IT Cloud divides incidents into three classes: serious, significant and minor. Depending on the class of the incident, further obligations may be imposed on the cloud service provider. The cloud service provider is responsible for continuously monitoring its service delivery.
The new EVB-IT Cloud specifies the type and scope of services for the standard cloud service models IaaS (infrastructure as a service), PaaS (platform as a service) and SaaS (software as a service), as well as for other managed cloud services (MCS).
Depending on the service model, EVB-IT Cloud defines different obligations and areas of responsibility for the cloud service provider, so that the obligations arising from the shared responsibility between provider and authority are regulated transparently.
Upon termination of the contract between the cloud service provider and the public authority, the cloud service provider must make the authority’s data available to it in an appropriate manner. The provider is also required to provide reasonable assistance in migrating the data to another cloud service provider.
EVB-IT Cloud addresses the three information security protection goals of integrity, confidentiality and availability. The contractual provisions additionally underscore the relevance of data protection and require the cloud service provider to operate in accordance with the European Union’s General Data Protection Regulation (EU GDPR). Accordingly, the provider must appoint a data protection officer and enter into a data processing agreement with the authority that provides for corresponding technical and organisational measures (TOMs).
PwC supports cloud service providers in all matters and activities related to EVB-IT Cloud and BSI C5.
“EVB-IT Cloud imposes stricter security requirements on cloud service providers. A BSI C5 attestation is ideal for demonstrating compliance with these requirements.”