The IT Planning Council has fundamentally changed the procurement rules for public software. Open source is now the rule for new developments. This has far-reaching consequences for companies with sensitive data - even beyond the administration.
What has been a political demand in strategy papers for years is now a contractual reality: at its 48th meeting on November 26, 2025, the IT Planning Council revised eight of the so-called Supplementary Contract Terms for IT Services (EVB-IT). Federal, state and local authorities can now procure open source software (OSS) with legal certainty for the first time - and OSS will even become the standard for new developments. The new templates have been published on the website of the Federal Ministry for Digital and Transport Affairs (BMDV) since March 2026 and integrated into the EVB-IT Digital tool.
The decision sounds technical. In practice, it fundamentally changes the rules of the game for public IT procurement - and sends a signal that reaches far beyond the offices.
The most important change is in the EVB-IT Creation template: if new software is developed on behalf of the public sector, open source provision is now the standard. The code is to be published on OpenCoDE, the public administration's central repository for open source software. In addition, contractors must provide a Software Bill of Materials (SBOM) - a machine-readable list of all software components and dependencies used. This improves the transparency of the libraries used and makes vulnerability management much easier.
In templates for which both open source and proprietary software are possible - such as EVB-IT Überlassung Typ A and EVB-IT Dienstleistung - checkboxes have been added. Procurement agencies can thus select OSS specifically or activate corresponding provisions in the general terms and conditions. The Open Source Business Alliance (OSBA) confirms that a total of eight contract types have been adapted: Creation, Transfer Type A, Maintenance S, Service, System, System Delivery, Service and Framework Agreement. The EVB-IT Cloud and Transfer Type B have not yet been revised - this is planned for 2026.
The fact that it has taken so long is not due to a lack of political will, but to a very practical problem: the previous EVB-IT model contracts were exclusively tailored to proprietary software. Many procurement agencies interpreted this to mean that OSS simply could not be procured in a "procurement-compliant" manner - and did not even allow such offers to be submitted. Open source providers were therefore effectively excluded from numerous procurement procedures.
Birgit Becker, spokesperson for the OSBA's Procurement Working Group, puts it in a nutshell: adapting the contract templates has meant a considerable amount of extra work for open source companies to date. Many providers were unable or unwilling to make this effort - with the result that procurement offices received significantly fewer offers.
The OSBA had already published a handout in 2015 to support authorities in OSS purchasing with the old EVB-IT. Obviously, this was not enough to dispel the concerns across the board. The new EVB-IT now provides clarity and legal certainty - at contract level, not just at the level of intent.
The EVB-IT amendments did not come out of nowhere. In July 2024, the new Section 16a of the E-Government Act (EGovG) came into force with the OZG Amendment Act. This clearly states that federal authorities should prioritize the procurement of open source software when purchasing new software. The new EVB-IT now implements this requirement at contract level and thus anchors the principle of "public money, public code" - publicly financed code should be publicly available - as a lived practice rather than a political slogan.
OpenCoDE plays a central role in this: the platform enables public authorities to reuse software that has already been developed, exchange configurations and learn from each other. Authorities can see which solutions are already in use in comparable administrations. Tasks such as license verification and security audits can be carried out centrally - this reduces redundant developments and promotes interoperability between government systems.
Germany is not alone with the EVB-IT decision. In July 2025, the European Alliance for Industrial Data, Edge and Cloud published a roadmap entitled "The Open Source Way to EU Digital Sovereignty & Competitiveness". Among other things, the 68-page document recommends making the principle of "Public Money, Public Code, Open Source First, European Preference" binding in public procurement.
In January 2026, the EU Parliament adopted a resolution on "European technological sovereignty and digital infrastructure" by a large majority. The core: Europe should massively expand its own cloud and AI capacities, make open standards and interoperability mandatory and strengthen open source. The German EVB-IT adaptations are therefore likely to serve as a blueprint for similar initiatives in other EU member states.
The fact that open source works in the administration is no longer a thought experiment, but documented practice. Schleswig-Holstein has converted the entire state administration's mail system from Microsoft Exchange to Open-Xchange and Thunderbird - with over 40,000 mailboxes and more than 100 million migrated emails and calendar entries.
Around 80 percent of workstations outside the tax administration already work without Microsoft Office. The economic effect: the state estimates the annual savings in license costs at around 15 million euros, with one-off investments of nine million euros for migration and further development.
The Bundeswehr has signed a seven-year contract with the Center for Digital Sovereignty (ZenDiS) for the introduction of openDesk in 2025. By the end of 2025, 160,000 openDesk licenses are to be rolled out in the federal administration. And the International Criminal Court (ICC) has switched to openDesk after the much-publicized failure of its Microsoft email access in 2025 - around 1,800 workstations.
The EVB-IT decision is aimed at public administration. But the signal effect goes much further. There are three reasons why companies in regulated sectors in particular should take a close look:
Firstly, the direction is set. If the state makes open source the rule for software procurement, this will change the entire ecosystem. Vendors, integrators and IT service providers will adapt their portfolios. Any company investing in new IT infrastructure today should take this dynamic into account.
Secondly, open standards reduce lock-in risks. The new EVB-IT explicitly requires provision on OpenCoDE and the transfer of an SBOM. This is a role model for companies that want to reduce their dependency on proprietary ecosystems: those who pay attention to open standards, documented interfaces and exit capability when making their own procurements gain flexibility and reduce switching costs.
Thirdly, compliance requirements are increasing. NIS2, DORA and industry-specific regulations are increasingly demanding transparency regarding the software components used, supply chains and access options. An SBOM, as provided for in the new EVB-IT, is not a luxury here, but is becoming mandatory in many regulated industries - or at least best practice.
One important detail: The EVB-IT Cloud and EVB-IT Überlassung Typ B have not yet been revised. This is relevant insofar as cloud services in particular touch on the most critical issue of digital sovereignty: Who controls infrastructure, data, keys and operation?
The discussion about sovereign cloud offerings from AWS, Microsoft and Google has shown in recent months that "hosted in Europe" alone does not guarantee sovereignty. The US CLOUD Act obliges US providers to hand over data over which they have control - regardless of where it is stored. And the BMI report from December 2025 confirmed that US authorities can also have extensive access to data stored in the EU.
For authorities, KRITIS and regulated companies, the question of who owns the cloud infrastructure and which jurisdiction it is subject to therefore remains at least as important as the question of whether the software running on it is open source.
The EVB-IT decision is an overdue and important step. It ends years of legal uncertainty, opens up the market for OSS providers and anchors the principle of "public money, public code" at contract level. For public authorities, this will make purchasing OSS as easy as buying proprietary software - and OSS will even become the norm for new developments.
For companies with sensitive data, the message is clear: the trend towards open standards, transparent supply chains and independent infrastructure is unstoppable. Anyone who takes sovereignty seriously should now examine where dependencies exist in their own tech stack - and how these can be reduced in a controlled manner.
However, sovereign cloud infrastructure does not start with the software license, but with the question: Who controls my data, my keys and my operations? SecureCloud supports organizations with precisely this question - with an infrastructure that is operated exclusively in Germany, is BSI C5-tested and is not subject to access by third countries.