EVB-IT Cloud, the long-awaited supplementary contract terms are here

The German Association for Information Technology, Telecommunications and New Media (Bitkom) has reached an agreement with the public sector on contractual regulations for the procurement of cloud services. The EVB-IT Cloud terms have been available since 01.03.2022.

This is very welcome, because until now it has hardly been possible to put the cloud solutions procured by the public sector into a suitable contractual framework. This is all the more important as the public sector generally has to apply public procurement law (above certain thresholds) and use the EVB-IT contracts.

After 18 months, the EVB-IT Cloud will be evaluated and adapted if necessary.

Contract contents

Like the other EVB-IT contracts, the EVB-IT Cloud consists of the contract itself and the associated GTC Cloud. Further components of the contract are the EVB-IT Cloud criteria catalog for cloud services and the annex "Contractor's GTC".

The EVB-IT Cloud is tailored to common cloud solutions, such as Platform as a Service (PaaS), Software as a Service (SaaS), Infrastructure as a Service (IaaS) or Managed Cloud Services (MCS).

It should be noted that, in accordance with Section 1.2 of the EVB-IT Cloud GTC, the Contractor must provide the services in compliance with the Cloud Computing Compliance Criteria Catalogue (C5) applicable at the time the contract is concluded.

Annex Contractor's GTC

A special feature of the EVB-IT Cloud is the annex "Contractor's GTC". This gives the Contractor the opportunity to include provisions from its own GTC in the contract, but only if the client agrees to this. The reason for this is probably the high degree of standardization among cloud providers, which makes it necessary to include certain GTC clauses. Annex I even offers the option of including the contractor's GTC in their entirety on a subordinate basis.

However, it should be noted that a blanket reference to the GTC is not sufficient. The clauses must be specifically named and "activated" by the client.

Criteria catalog for cloud solutions

The criteria catalog for cloud services makes it possible to specify the cloud services and to deviate from the regulations in the EVB-IT Cloud GTC.

Conclusion

First of all, it is pleasing that the long-awaited EVB-IT Cloud is finally available. This basically removes the uncertainty as to which contracts can be used as an alternative. However, the GTC do require a minimum standard of IT security. This is stated in section 6.2.1:

"The Contractor shall have at its disposal for the provision of the service (including the necessary infrastructural, organizational, personnel and technical components) an appropriate, documented and implemented security concept and an information security management system (ISMS) in accordance with ISO 27001, including an emergency management system. The security concept must be based on ISO 27017. If personal data is processed, it must also be based on ISO 27018."

Against this backdrop in particular, it will be necessary for IT service providers in the cloud sector to take the appropriate precautions.
