Microsoft 365 was long considered a no-go for many German authorities - the concerns about data protection and dependence on a US company were too great. But now six federal states want to take the plunge and introduce Microsoft's cloud services. What risks and opportunities does this entail?
Public authorities in the cloud dilemma: data protection versus innovation
The debate surrounding the use of Microsoft 365 and Microsoft Teams in public administration is currently dividing many German authorities. Data protection experts and IT security experts are warning of the risks: Data could be unlawfully leaked to the USA and there are security gaps in the Microsoft cloud that could allow hackers to attack sensitive data. IT security expert Dennis-Kenji Kipker, for example, referred to the stolen master key from Microsoft's Azure cloud, which was exploited by suspected Chinese hackers to access important data.
Nevertheless, the federal states of Lower Saxony, Bavaria and North Rhine-Westphalia are relying on Microsoft's cloud solutions. They argue that Microsoft will increasingly only offer its software as a cloud solution. Another reason for the change: the pressure to innovate. Authorities need modern technologies such as artificial intelligence and automated IT solutions in order to remain competitive. For many state governments, operating their own IT infrastructures no longer seems up-to-date and too costly.
Data protection concerns: how secure is our data in the Microsoft cloud?
Data protection is and remains one of the central points of criticism. The question of whether the data is actually stored securely in the Microsoft cloud is particularly sensitive. Some federal states, such as Lower Saxony, have negotiated special contracts with Microsoft that stipulate that data may only be stored and processed on European servers. In addition, support should only come from countries that adhere to the strict data protection requirements of the GDPR. However, many data protection experts are skeptical. Despite special data protection clauses, doubts remain as to whether the protection of the authorities' sensitive data can actually be guaranteed.
In 2022, the Federal Data Protection Commissioner also found that Microsoft's standard terms and conditions in force at the time did not comply with European data protection requirements. Although Microsoft has made adjustments since then, fundamental points of criticism have not been resolved. The risks therefore remain - and with them the dependence on a single provider.
Are there alternatives to the Microsoft cloud?
Meanwhile, the German government is working on an alternative: the so-called Delos Cloud, which is to be operated by the SAP subsidiary Delos. This solution should enable the German administration to use Microsoft software without having to rely directly on Microsoft's infrastructure. This could minimize the risk of data access by the US company.
Delos would offer Microsoft services from its own data centers in Germany, reducing dependence on a foreign provider in the event of geopolitical tensions or sanctions. So far, however, the countries have shown little interest in Delos. They fear that the costs for the Delos cloud could be higher than when using Microsoft 365 directly. In addition, there are still no concrete details on pricing and scope of services.
Open source: an underestimated solution?
While most federal states rely on the Microsoft cloud, there are also isolated attempts to promote open source alternatives. Schleswig-Holstein and Thuringia are pioneers in this respect: both states have decided to switch to free office solutions such as LibreOffice or Nextcloud. These solutions offer the advantage that they can be managed by public institutions themselves, which reduces dependence on external providers in the long term.
The development of open source alternatives such as openDesk, a suite of various open source applications, is supported by the German government, but to a limited extent. Critics such as Anke Domscheit-Berg, a member of the Left Party, are calling for more financial support for open source projects in order to achieve greater digital sovereignty in the long term. However, funding for the "Center for Digital Sovereignty", which is supposed to coordinate the development of open source solutions, has currently been severely cut.
Conclusion: A risky step with an uncertain future
The decision of the six federal states to rely on Microsoft's cloud services is bold - and risky. While proponents emphasize the efficiency gains and the need for modern IT tools, concerns about data protection and dependency remain. It remains to be seen whether the authorities will benefit from this decision in the long term or whether the risks will outweigh the benefits.
One thing is clear: the switch to the Microsoft cloud could pave the way for other countries, but it also represents a far-reaching change in the IT strategy of public administration. It is to be hoped that data security will not fall by the wayside.
