Sovereignty in §58 VgV: Germany’s quiet rewrite
The amendment is one bullet point.
Inserted by the Committee on Economy and Energy into §58 Absatz 2 Satz 2 of the German Public Procurement Regulation (VgV) as a new Nummer 4, the bullet point reads, in full: “Aspekte der digitalen Souveränität.” That is the change.
The committee’s reasoning runs longer. In Bundestag-Drucksache 21/5525 of 22 April 2026, the committee enumerates what “digital sovereignty” covers as an award criterion: interoperable and open IT systems or software, the traceability and control of data processing, special requirements for personnel handling data, security measures, the localisation of data, and “legal, organisational and technical immunity against unwanted access or availability restrictions.” The Berichterstatter — Dr. Andreas Lenz (CSU) and Georg Schroeter (AfD) — signed the report the day before the floor vote.
The Bundestag adopted it the following afternoon. Bundesrat assent followed on 8 May. The law enters into force on 1 July 2026. Inside an administrative-simplification statute, German procurement law had quietly acquired its first explicit sovereignty criterion.
How the criteria reached the regulation
The path is in the public record. The government’s draft, Drucksache 21/1934, framed the project as procurement simplification. Sovereignty criteria were not in the cabinet text. The Committee on Economy and Energy held a public hearing of experts in its 16th session on 10 November 2025; the written expert submissions are recorded as Ausschussdrucksachen 21(9)106, 21(9)107 and 21(9)115 to 21(9)120 in the committee record.
What emerged from the committee process was the textual change to §58 VgV plus a parallel clarification: that procurement involving cybersecurity or digital sovereignty falls within the “wesentliche Sicherheitsinteressen” of Article 346(1) TFEU. Article 346 is the EU Treaty provision that exempts procurement protecting essential security interests from full EU competitive-bidding rules. Reading the two changes together: sovereignty became an explicit award criterion in ordinary tenders, and sovereignty became a recognised security ground that can carve specific procurement out of EU-wide competition entirely.
Both changes survived the floor vote.
What the criteria allow a buyer to do
The new Nummer 4 sits alongside three pre-existing categories of quality criteria in §58 — environmental and social aspects, characteristics relating to the product, and customer-service availability. A public buyer designing a tender can now cite the sovereignty bullet point directly. The six categories listed in the committee’s reasoning are not themselves statutory text — they are the explanatory annex — but a Vergabekammer adjudicating a future challenge will read the statute through that explanation.
Concretely: a buyer can require interoperable and open IT systems and refuse a closed-stack bid on that basis. The buyer can require that the data-processing chain be technically traceable, and refuse opaque managed-cloud offerings on that basis. The buyer can require data localisation. The buyer can require that the offered system be immune to “unwanted access” — language that, under the committee’s reasoning, reaches the CLOUD Act question even though the regulation does not name it.
That is the practical change. None of these criteria were forbidden before; they were unenumerated, and a challenger to a tender could argue they were discriminatory. After 1 July, the challenger has to argue against the statute, not just the tender.
How this links to the EVB-IT change
On 20 March, the federal digital ministry BMDS and the digital industry association Bitkom published revised contract templates for IT procurement under the federal EVB-IT framework. The revisions made open-source-compliant fulfilment legally explicit in standardised contract language.
The two instruments interlock cleanly. The Vergabebeschleunigungsgesetz says sovereignty is a permissible award criterion. The EVB-IT templates say what a sovereignty-compliant fulfilment looks like in writing. A buyer can now write a tender saying “this contract uses EVB-IT in the open-source form, and award criteria include digital sovereignty under §58 Absatz 2 Satz 2 Nummer 4 VgV” — and both halves of that sentence are pre-drafted by the federal level.
What it does not do
The criteria are permissive. They are not mandatory. A public buyer who wants to award to Microsoft can still do so, as long as the procurement process itself is procedurally clean. The law removes a legal weapon from challengers; it does not require buyers to use the new criteria.
That is by design. German procurement law is generally permissive rather than prescriptive — the statute defines what is allowed, the buyer decides what is required.
The practical effect therefore depends on whether public buyers actually exercise the new discretion. Federal ministries will, because they are under BMDS oversight after Wildberger’s veto framework. Federal authorities in regulated sectors will, because their auditors expect them to. The variable is the thousands of municipal IT departments that procure independently and have institutional reasons to default to “what we know, which is Microsoft”. If municipal tenders adopt the criteria, the statute has teeth; if they do not, it remains text.
There is a quieter objection from outside Germany. The criteria are written in ways that German cloud providers find easier to satisfy than competing European providers. “Localisation of data” defaults to “German hosting” in practice. “Traceability and control of data processing” favours open-source stacks that the German ecosystem has invested more heavily in than the French or Dutch ones. A French or Dutch challenger to a German municipal tender now faces a criteria set that subtly favours German offerings. The statute is European in framing. It is German in operation.
What this article is not
It is not a claim that the law is empty. The textual change is small and the legal consequence is real.
It is not a claim that the law is sufficient. A federal statute does not, on its own, drive municipal procurement decisions, and the municipal volume is where most procurement happens.
It is not a claim that the criteria are intentionally protectionist. Statutes that protect domestic industry while delivering policy goals are a normal feature of how procurement law works. Whether the German criteria read as “neutrally European” or “neutrally German” is a matter of which audience the writer is addressing.
The Vergabekammer test ahead
The story will be settled by one specific kind of event: a municipal tender that explicitly cites §58 Absatz 2 Satz 2 Nummer 4 VgV to refuse a Microsoft or AWS bid, and that survives a Vergabekammer challenge.
If that happens within twelve months, the procurement-law specialists will cite the case in every subsequent memo. The criteria move from text to instrument. If it does not happen, the new Nummer 4 stays where it is — in the statute, available to be used, used by nobody. The Bundestag has done what the Bundestag can do. The municipalities are next.
Sources
- BT-Drs 21/5525: Beschlussempfehlung des Wirtschaftsausschusses (22 April 2026)
- BT-Drs 21/1934: Gesetzentwurf der Bundesregierung — Vergabebeschleunigungsgesetz
- Bundestag: Vereinfachung und Digitalisierung von Vergabeverfahren (23 April 2026)
- Cosinex Blog: Vergabebeschleunigungsgesetz und digitale Souveränität (2026)
- Noerr Insight: Bundestag passes the procurement acceleration law
- KPMG-Law: New requirements and scope for public procurement
- BMDS: Open Source rechtssicher beschaffen (20 March 2026)
- EUR-Lex: TFEU Article 346(1) — essential security interests