Building OZG Software is One Thing.
Katrin Peter, 3 minute read


OZG Implementation: Software Alone is Not Enough

The Online Access Act (OZG) obliges the federal government, states, and municipalities to make administrative services digitally available. On paper, this sounds like software projects. In practice, it’s no longer just about the application.

The key to feasibility is how the underlying infrastructure is operated. Authorities no longer expect mere development partners but operational concepts that secure the entire service chain: processing of personal data, processing of registration data, register access, identities, interfaces, compliance, and auditability.

And this is precisely where the demands are rapidly increasing.

Operational Concepts under OZG: Growing Requirements

Once software is deployed productively in the OZG environment, a whole series of additional requirements come into play, often underestimated by software developers:

  • GDPR / BDSG-compliant processing of personal data
  • Integration with existing specialist procedures and register interfaces
  • Operation within the European legal framework
  • Compliance with information security requirements (BSI IT-Grundschutz, ISO27001, IT-SiG)
  • Traceability of changes, audits, and documentation
  • Technical and organizational measures (TOMs) that are documented in a way that can be audited
  • Operational concepts that are SLA-capable in the long term, independent of development teams

The real challenge lies less in developing the specialist applications themselves than in what must run stably, traceably, and auditably afterward.

ISO27001: Standard Layer for Productive Operation

At this point, infrastructure suddenly becomes a bottleneck. Those who cannot provide their own ISO27001-compliant operational environment will not be able to deliver in the long run. Authorities demand not only functioning applications but also documented security architectures, processes that are actually practiced, regular audits, and transparent evidence.

ISO27001 is not just a certificate attached to bid documents but the technical foundation for traceable and auditable operational models in the public sector. It defines, among other things:

  • How infrastructure is segmented
  • How access is documented and controlled
  • How key material is managed
  • How incidents are detected and processed
  • How change and deployment processes are securely executed
  • How backup and disaster recovery mechanisms are organized

These requirements can only be operationalized cleanly if the platform is designed accordingly.

ayedo Cloud Services: Infrastructure that Delivers Operational Security

We provide an infrastructure for these requirements that is consistently ISO27001-certified. It’s not about “Cloud” as a platform marketing term, but about precisely controlled operational environments that meet the following criteria:

  • Full control over the infrastructure: no external platform dependency, no vendor lock-in on international hyperscalers.
  • Operation within the German legal framework: Data centers exclusively in Germany, under European jurisdiction, without third-party access.
  • Comprehensive auditability: Every administrative action, every deployment, every change is traceably logged.
  • Secure integration possibilities: Stable connection to specialist procedures, registers, interfaces in the administrative environment.
  • Highly automated deployments: GitOps-driven infrastructure for consistent operational states.
  • Audit-proof processes: Documented technical and organizational measures, fully auditable by supervisory authorities.

In short: An operational environment precisely tailored to what is permanently required in the OZG environment.

Conclusion

The real challenge in OZG projects is no longer solely in the development of specialist applications but in the ability to operate these applications securely, traceably, and auditably in the long term.

Those who develop software for the public sector need not only development teams but a robust operational concept that withstands regulatory requirements in the long term.

This is exactly where we provide the technical foundation to implement these operational models securely and in a controlled manner: without platform dependencies, without gray areas, without international compromises.
