New contractual requirements for the use of cloud services by public authorities: What does EVB-IT Cloud mean for cloud service providers?

Your expert

Markus Vehlow
Partner at PwC Germany
Mobile: +49 160 7139-416
Email

New Cloud Service Provider Obligations

The EVB-IT Cloud includes specific obligations that cloud service providers must fulfill. These obligations are separated into the following eight categories:

1. BSI C5 conformity requirements

One essential component of EVB-IT Cloud is the obligation to provide evidence confirming that the basic BSI C5 criteria are met.

While federal authorities have been required by law to apply the BSI Minimum Standard for external Cloud Services (“Mindeststandard des BSI zur Nutzung externer Cloud-Dienste”) in their procurement processes for several years, now state and local authorities must also only use cloud services that evidence conformity with the BSI C5.

2. Formal requirements for drafting contracts

EVB-IT Cloud provides five documents related to the drafting of contracts that can be downloaded from the Federal CIO website:

• EVB-IT Cloud standard terms and conditions (“EVB-IT Cloud AGB”): The standard terms and conditions provide the framework.
• EVB-IT Cloud contract (“EVB-IT Cloud Vertrag”): The contract specifies the services to be provided by the cloud service provider for the public authority.
• EVB-IT Cloud Services Criteria Catalogue (“EVB-IT Cloud Kriterienkatalog für Cloudleistungen”): Further cloud performance parameters are defined in the criteria catalog. These include the type of the cloud service (public/private), location, details on the provider’s identity and access management as well as type of connection for backups or provisions for availability or information security.
• Annex to EVB-IT Cloud - contractor’s standard terms and conditions (“EVB-IT Cloud Anlage auftragnehmerseitige AGB”): The contractor’s standard terms and conditions, i.e. those of the cloud service provider, are subordinate to the EVB-IT Cloud standard terms and conditions. If individual components of the cloud service provider’s own standard terms and conditions are to be included in the contract, these must be defined in the annex.
• Notes for the use of EVB-IT Cloud (“Hinweise für die Nutzung der EVB-IT Cloud”): This document contains a fully completed contract as an example.

In addition, a data processing agreement with appropriate technical organisational measures (TOMs) must be signed and attached to the contract.

3. Monthly reporting

The EVB-IT Cloud requires monthly reporting on certain key figures that the cloud service provider must make available to the authority. This report should provide the authority with a comprehensive and detailed overview of certain key performance indicators as well as any incidents occurring during the previous month.

The cloud service provider must state, for example, how long its cloud service was unavailable and what impact this had on percentage availability. The report must also inform the public authority of any security-relevant incidents affecting performance, even if they have already been resolved, and must present any overruns of agreed response and recovery times if occurred.

4. Information security

The cloud service provider is responsible for observing confidentiality requirements and must protect the cloud computing service from unauthorised access. In addition, it is required to appoint an IT security officer, who must be available to the public authority.

5. Incident management

The IT security officer is also responsible for addressing any incidents in a well-coordinated and timely manner. This particularly applies if an incident causes a failure in any part of the services.

For this purpose, EVB-IT Cloud divides incidents into three classes: serious, significant and minor incidents. Depending on the extent of the incident, further obligations may be imposed on the cloud service provider. The cloud service provider is responsible for continuously monitoring its service delivery.

6. General obligations arising from the deployment models

The new EVB-IT Cloud specifies the type and scope of services in the following standard deployment models: IaaS (infrastructure as a service), PaaS (platform as a service), SaaS (software as a service) as well as other managed cloud services (MCS).

Depending on the deployment model, EVB-IT Cloud defines different obligations and areas of responsibility for the cloud service provider so that the obligations arising from shared responsibility are regulated transparently.

7. Exit management and data migration

Upon the termination of the contract between the cloud service provider and the public authority, the cloud service provider must make the authority’s data available to them in an appropriate manner. The provider is also required to provide reasonable assistance in migrating the data to another cloud service provider.

8. Data protection

EVB-IT Cloud addresses the three information security protection goals “integrity”, “confidentiality” and “availability”. The contractual provisions additionally underscore the relevance of data protection and require the cloud service provider to operate in accordance with the European Union’s General Data Protection Regulation (EU GDPR). Accordingly, the provider must appoint a data protection officer and enter into a data processing agreement with the authority providing for corresponding technical and organisational measures (TOMs).