Procurement law – legal framework for emergency procurements in the event of a cyberattack
After a cyberattack, quick emergency procurements are necessary. However, there are legal pitfalls. Public sector clients can take precautions with emergency lists, contract options and preventive tenders.
The IT security situation in Germany remains alarming: according to the latest “Report on the state of IT security in Germany 2024” by the Federal Office for Information Security (BSI), cyberattacks are on the rise, paralyzing digital infrastructures and causing immense damage to the economy, administration and society. Public administration and critical infrastructure facilities are particularly affected.
A cyberattack resulting in a complete failure of the IT infrastructure requires immediate action. This includes hiring IT consultants to repair the damage and – depending on the extent of the attack – purchasing new hardware and software. One aspect that is often overlooked in this context is the admissibility of immediate IT procurements under public procurement law. How can such emergency procurements be implemented in a legally compliant and efficient manner?
The urgency of immediate emergency procurements triggered by a cyberattack cannot be met with a conventional procurement procedure. Even so-called urgency awards pursuant to Art. 14 (4) No. 3 VgV (German public procurement regulation) do not allow for immediate procurements – contrary to what the wording “extremely urgent, compelling reasons” of the provision suggests – because a procedure in accordance with Art. 14 (4) No. 3 VgV also requires compliance with the usual framework under procurement law. This consists of the bidding phase, the evaluation of the bids, the preparation and dispatch of the information letters, the final award decision and the resulting various deadline regulations (bid deadline, waiting period, etc.). Consequently, it extends over a longer period of time.
Public procurement law offers various approaches for carrying out emergency procurements immediately, i.e., without a time-consuming procurement procedure:
If the emergency procurements can be limited in terms of time to bridging a temporary outage of the IT infrastructure and in terms of content to maintaining the affected institution’s central tasks that are essential in the public interest, they can, for example, be regarded as a permissible amendment (extension) of existing contractual relationships in accordance with Art. 132 (3) or (2) sentence 1 no. 2 or 3 GWB (German Act against Restraints of Competition). In such a case, they can be processed via the existing service providers and suppliers without a separate procurement procedure.
If the failure of the IT infrastructure can affect essential security interests of the Federal Republic of Germany due to the affected institution or authority’s task structure, emergency procurements can also fall under the special exceptions pursuant to Art. 117 No. 1 GWB under certain (narrow) conditions. Security interests in this sense can relate to internal and external security and also include concerns that only indirectly affect internal security. These include, for example, security of supply, healthcare or a functioning financial system.
In these cases, emergency procurements would be completely exempt from the requirements of public procurement law and could be procured on the open market immediately by way of a direct award – albeit only to the extent necessary for the temporary maintenance of security-relevant central functions. In such a case, obtaining and evaluating competitive offers would also not be required under public procurement law, but would of course remain possible – especially with regard to budgetary considerations.
In order to remain capable of acting in an emergency, public institutions should take organizational and procurement-related precautions in advance:
These measures should be securely stored both digitally and in paper form so that they are also available in the event of a complete IT failure.
Furthermore, we recommend tendering consulting services now as a precautionary measure, especially for the event of a failure of the IT structure as a result of a cyberattack, or including such specialized consultancy as an additional option within the meaning of Art. 132 (2) sentence 1 no. 1 GWB in the next invitation to tender or extension of existing consultancy contracts. We also recommend supplementing existing supply contracts for hardware and software with the option of limited subsequent deliveries for the emergency described above. This would eliminate, right from the start, the (legal) issue of having to justify, under public procurement law, the company’s decision to refrain from an award procedure – whether under Art. 117 or Art. 132 GWB.
Emergency procurements in the event of a cyberattack require precise planning and preparation. Precautionary measures such as the inclusion of emergency options in existing contracts or the strategic tendering of specialized consulting services can significantly expand the scope for action. This can minimize legal risks and quickly restore the ability to work in the event of a crisis – a key component for a more resilient public IT infrastructure.
Many thanks to Dr. Peter Czermak for his valuable support in writing this article.
Dr. Christian Teuber
Partner
Attorney-at-Law (Rechtsanwalt), Specialist Lawyer for Public Procurement Law