On March 18, 2026, the German IT Planning Council, the central policymaking body for the digitalization of public administration, adopted the “Deutschland-Stack.” This federal framework establishes ten architectural principles for all government IT in Germany, from the federal level to local municipalities.
One of these principles stands out for its clarity: “DevSecOps only.” This marks the first time agile, security-integrated software development has been established as a binding standard. By 2028, concrete implementation plans for all federal levels in Germany will be available.
Rather than postponing security checks until the end of the project, DevSecOps integrates them directly into the development pipeline. Thus, security checks, automated tests, and Infrastructure as Code become part of everyday development. The Deutschland-Stack explicitly cites OWASP (the Open Web Application Security Project) as a guideline and Policy as Code as a standard principle.
In short: Security should be built in from the beginning, not demonstrated at the acceptance stage.
This is not a gradual adjustment. German government agencies that still use the V-Model XT or traditional, phase-based models must undergo a structural transformation of their development and acceptance processes.
The resolution establishes a standard. Implementation falls to the authorities. There, the new requirement faces the challenging reality that approximately 78 percent of IT budgets in Germany’s public administration are allocated to maintaining and operating existing systems. There is little room left for developing new infrastructures.
At the same time, pressure is mounting from another direction. The German NIS-2 Implementation Act, which took effect on December 6, 2025, with no transition period, explicitly requires security in the development and procurement of IT systems. Those who do not implement DevSecOps risk a compliance gap, which will become apparent during upcoming audits and procurement procedures.
Added to this is the shortage of skilled workers. Public administration in Germany currently lacks around 39,000 IT specialists, and this number is growing. DevSecOps experience is one of the most in-demand skills on the market and correspondingly difficult to develop internally.
The good news is that DevSecOps can be implemented in stages. The first federal states in Germany are demonstrating how it’s done. For example, Lower Saxony uses the Scaled Agile Framework (SAFe) with Program Increment Planning for up to 125 participants. The “V-Modell XT Bund” has been modified so that work can be carried out entirely on a Scrum basis. This approach is effective, but it requires structure, experience, and reliable verification artifacts.
Pragmatic entry points for government agencies:
An initial DevSecOps building block does not replace a comprehensive security concept. However, it establishes a development foundation upon which all subsequent measures can be built. In its position paper on the Deutschland-Stack, Bitkom calls for exactly this: “Standardized development and test environments, API catalogs, reference architectures, and automated processes” are prerequisites for a consistent developer experience.
If you’d like to know what an initial DevSecOps building block might look like in your agency, please speak with our Gov-IT team. We will guide you from conception through implementation in compliance with procurement regulations and with verifiable quality assurance.
The Deutschland-Stack establishes ten architectural principles, including “DevSecOps only,” a zero-trust model, and an API-first approach. OWASP is explicitly cited as a guideline. By 2028, concrete implementation plans must be in place for all federal levels.
The Deutschland-Stack defines a medium-term target framework. However, since the German NIS-2 Implementation Act has been in effect since December 2025 and already requires security in software development, it is advisable to begin establishing the necessary processes early on.
In principle, yes: agile service delivery can comply with public procurement law through functional service specifications, iterative acceptance procedures, and thorough documentation. Experience in the Gov-IT procurement context is crucial.
A realistic starting point is to implement automated security checks in the CI/CD pipeline and robust test automation for regression testing. These building blocks generate verification artifacts and shorter release cycles without requiring an immediate overhaul of the entire IT organization.
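One concrete form such a pipeline stage can take is a policy-as-code gate that evaluates a scanner report against a declared policy and writes a verification artifact for the acceptance record. The following is an added illustration, not code from the Deutschland-Stack or from any agency’s pipeline; the simplified SARIF-like report shape, the rule ids and the policy values are constructed for the example.

```python
import hashlib
import json
from dataclasses import dataclass

# Severity ordering; an unrecognised level is ranked highest so the gate fails closed.
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}
UNKNOWN_RANK = 5


@dataclass(frozen=True)
class Policy:
    max_allowed: str            # highest severity that may still pass the gate
    blocked_rules: frozenset    # rule ids that fail the gate regardless of severity


def evaluate(report: dict, policy: Policy) -> dict:
    """Apply the policy to a scan report and return a verification artifact (dict)."""
    threshold = SEVERITY_RANK[policy.max_allowed]
    violations = []
    for result in report.get("results", []):
        level = str(result.get("level", "")).lower()
        rule_id = result.get("ruleId", "")
        rank = SEVERITY_RANK.get(level, UNKNOWN_RANK)
        if rule_id in policy.blocked_rules or rank > threshold:
            violations.append({"ruleId": rule_id, "level": level or "unknown",
                               "location": result.get("location", "n/a")})
    # Hash of the canonicalised input ties the artifact to exactly the report that was checked.
    digest = hashlib.sha256(json.dumps(report, sort_keys=True).encode("utf-8")).hexdigest()
    return {
        "passed": not violations,
        "violations": violations,
        "report_sha256": digest,
        "policy": {"max_allowed": policy.max_allowed,
                   "blocked_rules": sorted(policy.blocked_rules)},
    }


# Constructed sample report (not real scanner output) in a simplified SARIF-like shape.
SAMPLE_REPORT = {
    "tool": "example-scanner",
    "results": [
        {"ruleId": "A03-injection", "level": "high", "location": "src/query.py:42"},
        {"ruleId": "A05-misconfig", "level": "medium", "location": "deploy/app.yaml:7"},
        {"ruleId": "style-001", "level": "note", "location": "src/util.py:3"},
    ],
}

# Hypothetical policy: nothing above "medium" passes, and the injection rule always blocks.
DEFAULT_POLICY = Policy(max_allowed="medium", blocked_rules=frozenset({"A03-injection"}))

if __name__ == "__main__":
    artifact = evaluate(SAMPLE_REPORT, DEFAULT_POLICY)
    with open("verification-artifact.json", "w", encoding="utf-8") as fh:
        json.dump(artifact, fh, indent=2)
    raise SystemExit(0 if artifact["passed"] else 1)  # non-zero exit fails the pipeline stage
```

The written JSON file is the kind of verification artifact an acceptance procedure can archive alongside the release; the "note" finding is flagged because the gate treats unknown severities as blocking rather than silently passing them.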
In the short term, external Gov-IT service providers can bridge gaps in DevSecOps expertise while simultaneously building know-how. It is crucial that the scope of services, documentation, and acceptance criteria be clearly defined in accordance with public procurement law.