Microsoft poses threat to Germany's digital sovereignty, warns study

German government is too dependent on "single software providers", but changing that will be difficult and costly.
Written by Cathrin Schaer on

A study commissioned by the German interior ministry has confirmed what many critics have long argued: the German government is too dependent on Microsoft software.

Germany's ministry of the interior asked management consultancy PricewaterhouseCoopers, or PwC, to produce a "Strategic market analysis on reducing dependence on single software providers".

SEE: Digital transformation: A CXO's guide (ZDNet special report) | Download the report as a PDF (TechRepublic)

In the 34-page document released yesterday, researchers conclude that "at all levels" the German government is "strongly dependent" on very few software providers.

And that is particularly true for Microsoft, whose Office and Windows programs are running on 96% of public officials' computers.

This dependence results in "pressure points in the federal government, that work in opposition to the government's [stated] strategic IT goals," the report notes. Concerns about information security at Microsoft could "endanger the country's digital sovereignty".

That observation is not new. The German administration's dependence on Microsoft has already come in for plenty of criticism, most recently this summer, when ministers agreed to extend contracts with Microsoft to 2022.

In 2018, the central government had spent €73m ($80m) on Microsoft licenses, around €25m ($27.5m) over the forecast budget – and that was without the cost of providing German state governments with Microsoft software.

As opposition politicians pointed out, the total amounts to hundreds of millions of taxpayers' money.

Besides financial concerns there are also political ones. Despite their best attempts, Germany's Data Protection Conference, or BSK, a collection of state-appointed data-protection officers who are trying to establish whether Windows 10 conforms to national regulations, has not been able to find out exactly what diagnostics, or telemetric information, Microsoft is collecting and where it is being sent.

Reacting to the PwC report, Microsoft told the Tagesspiegel newspaper that the company is only there to support the German government and to "improve services for citizens".

Its customers had made a choice to use them, and anyway, the Microsoft statement said, even the PwC study said there is "no realistic option" that could be implemented in the medium term.

The interior ministry appears to agree, with a spokesperson telling the same newspaper that it isn't planning to stop using Microsoft tomorrow.

Instead, there would be further negotiations with software providers, including Microsoft, and then research into options suggested in the PwC report.

"We will also be assessing alternative programs, to be able to replace certain software," interior minister Horst Seehofer said in a statement. "This will happen in close coordination with the [German] states as well as the EU."

Digital sovereignty is particularly challenging for the German government, Sidonie Krug, a spokesperson for political affairs at Eco, the Association of the German Internet Economy, tells ZDNet.

"The federal system means that practically every state and even every district has its own IT system."

Even at federal level, hierarchies of responsibility for IT create a lengthy decision-making process that can delay necessary changes.

"That's why we've been saying for years that a ministry of digital affairs is needed," she argues, an appropriately financed body that can coordinate all these activities.

Bernhard Rohleder, head of Bitkom, an association representing more than 2,600 German companies, says digital sovereignty isn't something that's decided by the operating system running on a civil servant's computer.

"It's about being able to freely choose, and have the ability to produce, IT products."

Rohleder believes the findings of this report mostly highlight Germany's lost leadership role in critical technologies.

"Mutual interdependence is acceptable," he tells ZDNet. "But one-sided dependence must be avoided at all costs."

The PwC report presents the German government with various options for improvement. These included setting a framework and rules for the future use of other software, particularly open source.

Another option involves negotiating individual deals with software providers. For example, the Dutch justice department has come to an arrangement with Microsoft about the security of telemetric data, while the Israeli government had done a deal on the cost of cloud storage.

Realistic goals, user acceptance, taking it step by step, ensuring the right IT skills are available and utilizing the knowledge of open-source communities are all important aspects to seeking digital independence and reaching critical mass, the report's authors argue.

It also provides an example of how not to do it: In the early 2000s, city administrators in Munich decided to switch to open-source software – Linux and LibreOffice (formerly OpenOffice) – for both security reasons and to save money.

The migration was partially successful with some user groups but around a third of the Bavarian civil servants stayed with Microsoft for one reason or another.

This led to the emergence of two parallel systems and eventually, to more expense and less efficiency. In 2017, Munich decided to switch back to just one system: Microsoft's.

Digital sovereignty is not impossible for Germany, Dirk Riehle, a professor of open-source software at Friedrich Alexander University in Nuremberg, tells ZDNet.

There are three main aspects to it, he says: software, data and servers. Data is the most difficult – as the Eco association reports, only about 4% of the world's data is hosted in the EU – and Germany is tied to the US and China.

SEE: Germany to publish standard on modern secure browsers

But when it comes to software, open source presents realistic opportunities, Riehle says, and the country can also build its own server centers.

In terms of the German government, he says, some departments obviously need digital sovereignty more than others, while some aspects of general online consumer behavior may not need any. So this should be carefully assessed, Riehle adds.

"And we should be clear. It's not easy and it will be expensive, not least because it will be difficult to maintain," he says.

"Germany will never have the economies of scale in this area either, so we will be paying extra for our sovereignty. Digital sovereignty is possible, yes, but there will be high costs."


Microsoft Azure-certified roles are well-paid, and you can study for certification for $39

Microsoft Azure-certified roles are well-paid, and you can study for certification for $39

Microsoft is bringing more Loop components to Microsoft Teams and Outlook

Microsoft is bringing more Loop components to Microsoft Teams and Outlook

Microsoft wants to improve IoT security with Edge Secured-core devices

Microsoft wants to improve IoT security with Edge Secured-core devices