New contractual requirements for the use of cloud services by public authorities: What does EVB-IT Cloud mean for cloud service providers?

10 May, 2022

On March 1, 2022, the Federal Commissioner for Information Technology (Federal CIO) issued supplementary contract terms and conditions for the procurement of cloud services known as “EVB-IT Cloud”. Public authorities that wish to engage with cloud service providers from the private-sector must consider EVB-IT Cloud and incorporate these into the relevant contracts. These new provisions are required for federal, state and local authorities. The new EVB-IT Cloud, supplements the ten existing contract templates for other IT services.

The template for contracts associated to cloud services governs the contractual relationship between a cloud service provider and a public authority. In particular, the new EVB-IT Cloud defines certain rights and obligations on the part of the contractual partners as well as numerous aspects of information security. These are largely based on the Cloud Computing Compliance Criteria Catalogue (“C5”) issued by the German Federal Office for Information Security (“BSI”). In particular, the new provisions impose stricter security requirements on cloud service providers and require them to comply with the BSI C5 criteria. Providers can demonstrate compliance with these requirements by obtaining a BSI C5 attestation report.

The main aspects in 30 seconds

  • EVB-IT Cloud includes new obligations that cloud service providers must fulfil if they wish to offer their cloud services to German public authorities.
  • These obligations include proof of compliance with the BSI C5 basic criteria, monthly KPI reporting and transparent incident management.
  • PwC supports cloud service providers with all issues relating to EVB-IT Cloud and BSI C5. PwC can draw on a wealth of international experience in preparing and performing audits, in particular, BSI C5 attestations.

Your expert

Markus Vehlow is your expert for cloud services at PwC Germany

Markus Vehlow
Partner at PwC Germany
Mobile: +49 160 7139-416

New Cloud Service Provider Obligations

The EVB-IT Cloud includes specific obligations that cloud service providers must fulfill. These obligations are separated into the following eight categories:

1. BSI C5 conformity requirements

One essential component of EVB-IT Cloud is the obligation to provide evidence confirming that the basic BSI C5 criteria are met.

While federal authorities have been required by law to apply the BSI Minimum Standard for external Cloud Services (“Mindeststandard des BSI zur Nutzung externer Cloud-Dienste”) in their procurement processes for several years, now state and local authorities must also only use cloud services that evidence conformity with the BSI C5.

2. Formal requirements for drafting contracts

EVB-IT Cloud provides five documents related to the drafting of contracts that can be downloaded from the Federal CIO website:

  • EVB-IT Cloud standard terms and conditions (“EVB-IT Cloud AGB”): The standard terms and conditions provide the framework.
  • EVB-IT Cloud contract (“EVB-IT Cloud Vertrag”): The contract specifies the services to be provided by the cloud service provider for the public authority.
  • EVB-IT Cloud Services Criteria Catalogue (“EVB-IT Cloud Kriterienkatalog für Cloudleistungen”): Further cloud performance parameters are defined in the criteria catalog. These include the type of the cloud service (public/private), location, details on the provider’s identity and access management as well as type of connection for backups or provisions for availability or information security.
  • Annex to EVB-IT Cloud - contractor’s standard terms and conditions (“EVB-IT Cloud Anlage auftragnehmerseitige AGB”): The contractor’s standard terms and conditions, i.e. those of the cloud service provider, are subordinate to the EVB-IT Cloud standard terms and conditions. If individual components of the cloud service provider’s own standard terms and conditions are to be included in the contract, these must be defined in the annex.
  • Notes for the use of EVB-IT Cloud (“Hinweise für die Nutzung der EVB-IT Cloud”): This document contains a fully completed contract as an example.

In addition, a data processing agreement with appropriate technical organisational measures (TOMs) must be signed and attached to the contract.

3. Monthly reporting

The EVB-IT Cloud requires monthly reporting on certain key figures that the cloud service provider must make available to the authority. This report should provide the authority with a comprehensive and detailed overview of certain key performance indicators as well as any incidents occurring during the previous month.

The cloud service provider must state, for example, how long its cloud service was unavailable and what impact this had on percentage availability. The report must also inform the public authority of any security-relevant incidents affecting performance, even if they have already been resolved, and must present any overruns of agreed response and recovery times if occurred.

4. Information security

The cloud service provider is responsible for observing confidentiality requirements and must protect the cloud computing service from unauthorised access. In addition, it is required to appoint an IT security officer, who must be available to the public authority.

5. Incident management

The IT security officer is also responsible for addressing any incidents in a well-coordinated and timely manner. This particularly applies if an incident causes a failure in any part of the services.

For this purpose, EVB-IT Cloud divides incidents into three classes: serious, significant and minor incidents. Depending on the extent of the incident, further obligations may be imposed on the cloud service provider. The cloud service provider is responsible for continuously monitoring its service delivery.

6. General obligations arising from the deployment models

The new EVB-IT Cloud specifies the type and scope of services in the following standard deployment models: IaaS (infrastructure as a service), PaaS (platform as a service), SaaS (software as a service) as well as other managed cloud services (MCS).

Depending on the deployment model, EVB-IT Cloud defines different obligations and areas of responsibility for the cloud service provider so that the obligations arising from shared responsibility are regulated transparently.

7. Exit management and data migration

Upon the termination of the contract between the cloud service provider and the public authority, the cloud service provider must make the authority’s data available to them in an appropriate manner. The provider is also required to provide reasonable assistance in migrating the data to another cloud service provider.

8. Data protection

EVB-IT Cloud addresses the three information security protection goals “integrity”, “confidentiality” and “availability”. The contractual provisions additionally underscore the relevance of data protection and require the cloud service provider to operate in accordance with the European Union’s General Data Protection Regulation (EU GDPR). Accordingly, the provider must appoint a data protection officer and enter into a data processing agreement with the authority providing for corresponding technical and organisational measures (TOMs).

PwC supports cloud service providers in all matters and activities related to EVB-IT Cloud and BSI C5.

“EVB-IT Cloud imposes stricter security requirements on cloud service providers. A BSI C5 attestation is ideal for demonstrating compliance with these requirements.”

Markus Vehlow, Partner at PwC Germany
Follow us

Contact us

Markus Vehlow

Markus Vehlow

Partner, Cloud Assurance Lead, PwC Germany