Deutschland-Stack: Sovereign administration with over 50 open standards
The IT Planning Council has defined many open standards for administrative IT – from ODF to post-quantum crypto. However, some gaps still exist.
Anyone who wants to use administrative services digitally in Germany quickly encounters a fundamental problem: 16 federal states, hundreds of municipalities, and the federal government each operate their own IT systems, which often cannot communicate with each other. Different formats, proprietary interfaces, established isolated solutions – the technical fragmentation of German administration is one of the main reasons why the digitalization of the state has been stagnating for years.
The IT Planning Council – the central political steering body for the digital administration of the federal and state governments – has now made an attempt to fundamentally address this problem. With B-2026/03-IT, the IT Planning Council has adopted a binding standard framework for the Deutschland-Stack. Federal, state, and local governments are to use the Stack solutions for new and further developments according to the portfolio.
The paper, presented by the Federal Ministry for Digital and State Modernization, divides the entire IT architecture of the administration into seven layers – from the virtualized infrastructure at the very bottom to artificial intelligence at the very top. For each layer, it names concrete standards that are to be considered sovereign: i.e., open, manufacturer-independent, and interoperable. At the same time, it explicitly lists in each layer where further definition is still needed – meaning standards are missing here.
As a result, the document is unusually concrete in its breadth and level of detail for the otherwise rather cautious standardization policy of German administration. It ranges from file formats like ODF to cloud standards like OpenStack and Sovereign Cloud Stack, and even AI agent protocols that are sometimes only a few months old.
Data and Documents: ODF Instead of MS Office
The core of the Stack is formed by the semantic technologies layer, which regulates the handling of data and documents. Here you will find most of the standards and some remarkable decisions.
For document formats, the IT Planning Council relies on the Open Document Format (ODF), the open ISO standard for text documents, spreadsheets, and presentations. ODF is natively supported by LibreOffice, for example, and has been considered the most important lever against dependence on Microsoft Office for years. The fact that ODF is in the Stack is no surprise: The IT Planning Council had already decided in March 2025 that open formats like ODF should be increasingly used in administration and become the standard for document exchange by 2027.
The choice of PDF/UA instead of PDF/A is striking. PDF/UA is the ISO standard 14289 for accessible PDFs. The fact that the Stack mentions this format fits the regulatory environment: The BFSG implements the European Accessibility Act and is generally applicable from June 28, 2025. Accessibility therefore takes precedence over pure archiving capability.
For data exchange, the Stack relies on proven web standards: JSON, XML, and CSV as formats, supplemented by SQL and the open database interfaces ODBC and JDBC for manufacturer-independent database access. For the semantic networking of data, the W3C standards RDF, OWL, SPARQL, SKOS, and DCAT are used – the classic toolkit of the Semantic Web, which forms the basis for the Open Data Portal GovData, among other things. The OAI-PMH protocol complements the catalog for metadata exchange between archives and repositories.
What is noticeable, however: there are no definitions yet for more modern forms of data storage – vector databases, graph databases, document- and object-oriented systems. Likewise, standards for data modeling, integration, analysis, and visualization, as well as for harmonized domain data spaces, are missing. The latter, in particular, would be crucial for standardizing data exchange – for example, of personal data – between specialized applications of different authorities.
Cloud and Infrastructure: SCS as the Foundation
At the infrastructure level, the Stack defines two layers. The lowest layer, virtualized software-based infrastructure, regulates the network level with the MEF-70 standard for Software-Defined Wide Area Networks (SD-WAN) and Network Function Virtualization (NFV) according to the ETSI standard. Both aim to make the networking of authority locations software-based and flexible, rather than relying on proprietary hardware appliances. However, standards for software-defined storage and the management of virtual machines are still missing.
The cloud layer above it names three central pillars: the standards of the Deutsche Verwaltungscloud (DVC, the German administration cloud), OpenStack as an open-source cloud platform, and the Sovereign Cloud Stack (SCS). The Sovereign Cloud Stack, developed by the Open Source Business Alliance (OSBA) and formerly supported by the Federal Ministry for Economic Affairs and Climate Action, builds on OpenStack and Kubernetes and defines a completely open, interoperable cloud technology stack.
The fact that the SCS is included in the Deutschland-Stack is noteworthy: Federal funding for the project had expired, which had caused considerable criticism in the open-source community. Its inclusion in the binding standard catalog could give the project new momentum.
The cloud layer is supplemented by the EVB-IT – the Supplementary Contract Conditions for the Procurement of IT Services, i.e., the standard contract templates of the public sector. However, standardized service level agreements are still missing for practically all relevant operating areas: Compute, Storage, Communication, Logging, Backup, Support, Cost Calculation, and Performance Management.
Modern Software Development Becomes Administrative Standard
The most extensive layer of the entire Stack is that of integrated lifecycle (DevSecOps) and interface management. It reads like the toolset of a modern software engineering team.
For software development, the Stack defines Git as the version control system, along with CI/CD pipelines for automated build and deployment processes, Infrastructure as Code (IaC), and Policies as Code (PaC). Particularly noteworthy is the inclusion of SBOM (Software Bill of Materials), i.e., machine-readable parts lists of all software components, which are crucial for securing software supply chains. This is supplemented by OWASP, the Open Web Application Security Project, as a framework for web application security.
For interface management, the Stack defines a broad API ecosystem: REST and OpenAPI as the basis, supplemented by gRPC for high-performance service-to-service communication, GraphQL for flexible data queries, and MQTT as a lightweight messaging protocol, which is particularly relevant for IoT scenarios and smart city applications. Kubernetes is defined as the standard for container orchestration.
The document names IPv6, HTTPS, FTPS, SMTPS, and QUIC as prerequisite base protocols. QUIC, a still young transport protocol, underlies HTTP/3, which is increasingly establishing itself on the internet. The fact that QUIC is explicitly mentioned as a prerequisite protocol is unusually progressive for an administrative document.
Here too, there are open issues: Standards for observability, security tooling (SIEM, IDS, EDR), static and dynamic code analysis, as well as for package management, service mesh, and service discovery are still missing.
IT Security: Post-Quantum Cryptography Fully Planned
The IT security layer combines proven frameworks with future-oriented cryptography standards. The overarching frameworks are BSI IT-Grundschutz, the Technical Guidelines of the BSI, and the C5 catalog (Cloud Computing Compliance Criteria Catalogue). These are entirely established instruments that already form the security framework for administrative IT today.
In terms of cryptography, the Stack relies on the classic triad of AES (symmetric encryption), RSA, and ECC (asymmetric methods). However, the real message lies in a fourth standard: ML-KEM – the Module-Lattice-based Key Encapsulation Mechanism is a post-quantum standard for key exchange. It is intended to complement or replace classic public-key methods like RSA and ECC in this field in the long term. The fact that German administration is already including post-quantum cryptography in its standard catalog is a clear signal: it wants to be prepared before cryptographically relevant quantum computers become a reality.
For identity and access management, the Stack defines a complete protocol stack: OAuth for token-based authorization, OpenID Connect (OIDC) for federated authentication, JSON Web Token (JWT) as the token format, and OTP-based multi-factor authentication. This stack is suitable as a technical basis for federated identity services.
What is still missing is a format for crypto-agility, i.e., the ability to exchange cryptographic methods quickly and systematically when they are compromised. Given the post-quantum topic, this is a non-trivial gap.
AI Agent Protocols: The Biggest Surprise
Arguably the most unexpected layer of the Deutschland-Stack is the top one: artificial intelligence. Here, the IT Planning Council defines four protocols as standards, all of which are still quite young.
The Model Context Protocol (MCP), originally developed by Anthropic, standardizes the access of AI models to external data sources and tools – it is often described as "USB-C for AI." The Agent2Agent Protocol (A2A), initiated by Google, regulates direct communication between AI agents from different manufacturers. The Agent Network Protocol (ANP) enables the networking of autonomous agents in decentralized networks, and the Agent-User Interaction Protocol (AG-UI) standardizes the interface between AI agents and human users.
It is unusual for the traditionally conservative administrative standardization to adopt protocols that are sometimes only a few months old and whose maturity is still being discussed in the industry. The goal may be not to fall behind on AI and to rely on open, interoperable standards from the outset. Nevertheless, the open definition needs in this layer are particularly extensive: standards for selecting language models, for Retrieval-Augmented Generation (RAG), for Responsible AI and traceability, as well as for the exchange of models and training data are missing.
Despite all the courage, the Stack here describes more of a direction than a finished architecture.
The Gaps: LowCode Without Matrix
One layer falls out of line: workflow automation (LowCode). It is the only level of the Deutschland-Stack for which not a single standard has been defined. At the point where standards should be, the document merely notes "./" and lists exclusively open definition needs: formats for integrating external solutions, for exporting and importing models, and for cross-platform execution. It is also striking that established modeling standards like BPMN (Business Process Model and Notation) are not even mentioned.
At least as revealing as the included standards is what is missing. The Matrix protocol for federated communication, which is already used in the Bundeswehr's Bw Messenger, for example, does not appear – there is no separate layer for communication and collaboration in the Stack. TLS 1.3 as a specific transport encryption standard is not mentioned – while the BSI guidelines implicitly cover it, an explicit definition is missing. And the Open Container Initiative (OCI), the open standard for container formats that underlies Kubernetes, also remains unmentioned, even though Kubernetes itself is in the Stack.
Blueprint or Wish List?
In its breadth and ambition, the Deutschland-Stack is first of all a remarkable document. For the first time, German administration is attempting to commit its entire technical architecture across layers to open standards – from network virtualization to AI agent communication.
At the same time, the paper raises questions. The binding nature of the decision will have to prove itself in practice. Experience with previous standardization decisions does not inspire unreserved optimism. The long lists of open definition needs in practically every layer show that the Stack, in many parts, outlines a framework rather than providing a finished architecture. And the inclusion of extremely young AI protocols is in some tension with the stability one would expect from administrative standards.
What will be crucial is whether and how quickly the open definition needs are met – and whether the adopted standards actually find their way into tenders, procurements, and specialized applications. A standard catalog takes effect not through the decision, but through its implementation.
The complete resolution is available on the website of the IT Planning Council.
(fo)