6 min. read
Around 250 million euros, awarded on 21 May 2026, without a single US hyperscaler in either of the two winning consortia. With the Deutschland-Stack, the federal government is not building an administrative website – it is building a sovereign AI cloud as a Platform-as-a-Service (PaaS). The contract is split between T-Systems with SAP and a second consortium comprising SVA, Schwarz Digits, and Codesphere. The implications are relevant for anyone weighing sovereign cloud options of their own.
Key Takeaways
- The stack is awarded, not planned: Around 250 million euros are flowing into a sovereign AI cloud as PaaS. T-Systems and SAP lead with roughly 70 percent; the SVA consortium takes the remaining 30 percent.
- Sovereignty is baked into the architecture: Zero-trust, Bring Your Own Key, and a BSI-certified infrastructure layer were hard award criteria written into the specification. The authority retains the cryptographic keys.
- The pattern is transferable: Anyone privately considering repatriation or a second cloud will find in the stack a costed blueprint rather than an abstract debate.
Related:AI Sovereignty Starts with the Infrastructure / Europe’s Digital Sovereignty Is Getting Closer
What the Federal Government Actually Awarded on 21 May
The headline figure was 250 million euros. More interesting is what it is for. The contract covers a sovereign AI cloud as PaaS – the operational core of the Deutschland-Stack. On this platform, public authorities are to handle sensitive tasks: processing documents, unlocking knowledge, translating content, and accelerating planning and approval procedures. The federal AI solution Kipitz serves as the first use case.
What is the Deutschland-Stack? The Deutschland-Stack is the planned shared technical foundation for digital public administration at federal, state, and municipal level. It consolidates standardised interfaces, reusable components, and a sovereign cloud infrastructure so that authorities can share software rather than procuring it in parallel. The AI cloud now awarded is the first load-bearing layer of this stack.
The contract is split in two. The consortium of T-Systems as general contractor and SAP as technology partner holds the larger share at roughly 70 percent, delivering PaaS services for AI applications. The second consortium led by SVA receives the remaining 30 percent: SVA handles architecture and integration, Schwarz Digits provides the infrastructure layer via its BSI-certified cloud Stackit, and Codesphere contributes the platform tier. A competing consortium of Adesso and Google had filed a complaint with the public procurement tribunal in May, but subsequently withdrew it. Only after that did the award become legally binding.
Sovereignty as an architectural decision, not a label
Sovereign is a word that quickly becomes a buzzword in procurement documents. Here it is tied to conditions that can actually be verified. The platform runs a strict zero-trust architecture: no service trusts another simply because of its location on the network, and every access request is individually authenticated. On top of that sits an encryption concept based on the Bring Your Own Key principle. In plain terms: the agency generates and manages its own cryptographic keys, and the operator never sees the data in plaintext.
That is the difference between data residency and genuine key sovereignty. A data centre in Frankfurt alone does not create sovereignty, as long as the operator could technically decrypt the data. Only the separation of infrastructure and key control shifts power back to the customer.
Add to this the open-source approach. The platform relies on open standards, uniform interfaces, and open-source components to avoid vendor lock-in and establish shared technical norms. Part of the stack is set to be progressively open-sourced by 2028. One detail from the second consortium stands out: Codesphere touts a cold-start technology that, according to the provider, cuts compute costs for resource-intensive workloads by up to 90 percent in live operation. Whether that figure holds in production will be for regulators to determine. As a design goal, it reveals where the efficiency levers actually lie.
What private cloud operators can read from the stack
The interesting part for the private sector is not who commissioned this project, but how it was done. The federal government has demonstrated what a sovereignty-driven procurement looks like when it moves beyond the simple question of US cloud or not. Three takeaways translate directly.
First, sovereignty as a defined set of criteria rather than a gut feeling. Anyone evaluating a cloud contract should treat key management, infrastructure certification, and exit capability as separate, weighted criteria – not as soft side conditions. The stack proves this can be embedded in a procurement process.
Second, separate the layers. Infrastructure, platform, and application do not have to come from a single provider. In the Deutschland-Stack, one vendor supplies the certified infrastructure, another the platform. That decoupling is more demanding to manage contractually, but it prevents exactly the lock-in you set out to avoid.
Third, define exit paths upfront. Open interfaces and open-source components are not an ideological statement – they are insurance. They reduce the cost of switching later. Anyone currently evaluating a second cloud or a repatriation scenario should make that exit capability a design criterion, not a contingency plan.
None of this is new in principle. What is new is that a major public procurement has worked through all three requirements together, creating a reference that internal stakeholders can actually cite.
For IT decision-makers, the sober reading is the more important one. The Deutschland-Stack is no guarantee that public administration will go digital overnight. But it shifts the conversation from a letter of intent to a procurement record – and a procurement record is something you can cite when the next cloud contract comes up for review.
Frequently Asked Questions
What exactly was awarded in the Deutschland-Stack tender?
The contract covers a sovereign AI cloud as a PaaS platform worth approximately 250 million euros. It forms the core operational layer of the Deutschland-Stack, on which government agencies are to handle AI-assisted tasks such as document processing and translation.
Who won the contract?
The larger share of around 70 percent goes to a consortium led by T-Systems as general contractor and SAP as technology partner. The remaining 30 percent goes to a consortium led by SVA, together with Schwarz Digits and Codesphere.
What does Bring Your Own Key mean in this context?
Bring Your Own Key means that the government agency using the platform generates and manages its own cryptographic keys. The cloud operator stores the encrypted data but cannot view it in plain text. That is the technical foundation of key sovereignty.
Why is the stack relevant for private companies too?
The procurement process provides a fully calculated blueprint for translating sovereignty into measurable award criteria: key sovereignty, certified infrastructure, and the ability to exit. Companies evaluating a second cloud environment or a repatriation strategy can adopt this model directly.
Is the federal cloud entirely free of US providers?
Both winning consortia consist of European providers, with a BSI-certified German cloud supplying the infrastructure foundation. A competing consortium that included Google lost the tender and subsequently withdrew its complaint.
More from the MBF Media Network
Cover image source: Pexels / Brett Sayles (px:4508751)
Images in this article: AI-generated (May 2026)
