Weekly Backlog Week 12/2026
Katrin Peter · 8 min read


Sovereign Washing, AI Investigations, and the Illusion of Control


🧠 Editorial

This week in the backlog: AWS delivers certificates instead of answers, Germany discusses AI investigations, and Europe once again realizes that it has everything—except consistency.

And perhaps the most important insight: digital sovereignty rarely fails because of technology. It almost always fails because of decisions.


🚨 The Tech News of the Week

AWS European Sovereign Cloud: Certified Sovereign—or Sovereignly Certified?

AWS has given its European Sovereign Cloud a new coat of paint—not with new features, but with audit reports and certificates. SOC 2 Type 1, a C5 Type 1 attestation from BSI, and no less than seven ISO certifications are meant to show that they are serious about European sovereignty. According to AWS, 69 services are already available under this setup, operated by EU personnel, organizationally separated, and with data stored within the EU.

On paper, this sounds exactly like what many public clients want to hear: clear processes, audited security mechanisms, and a setup that fits neatly into regulatory requirements. And this is precisely the strength of this move—not technically, but politically and commercially. Certificates are connectable. They can be incorporated into tenders, they can be checked off, they can be justified to oversight bodies.

The real problem, however, remains untouched, and it’s not a small detail but the structural foundation of the entire construct: AWS is and remains a US company. This means it is potentially subject to extraterritorial access possibilities like the Cloud Act—regardless of where the data is located or who operates it. The much-cited “organizational independence” within the EU is ultimately a governance construct within a corporation, not a legal decoupling.

This is precisely where the criticism of so-called “Sovereign Washing” comes in. Certifications verify whether processes are clearly defined and adhered to. They do not verify who ultimately has control. They do not answer the question of what happens when legal systems collide. And they do not replace true technical or legal autonomy.

One can hardly blame AWS for playing the game incorrectly—in fact, the opposite is true. The company responds precisely to market demands and delivers exactly the artifacts that procurement processes require. The real question is less whether AWS is doing something “wrong” here, but whether we are satisfied with the right things.

Or put differently: We are currently certifying dependency neatly—and calling it sovereignty.

🔗 https://aws.amazon.com/de/blogs/security/aws-european-sovereign-cloud-achieves-first-compliance-milestone-soc-2-and-c5-reports-plus-seven-iso-certifications/


Digital Sovereignty: Europe Has Everything—Except Decision-Making Ability

Arthur Mensch’s call for more digital sovereignty is not a new thought, but one that is becoming uncomfortably clear again. Europe is not dependent in key areas of AI because it lacks talent, research, or capital, but because it does not bundle and scale these resources with comparable consistency.

Especially with AI systems, the depth of this dependency becomes evident. Those who build and operate the models not only control technology but also access to knowledge, decision logics, and ultimately societal discourses. Chatbots are just the most visible example—in the background, it’s about infrastructure, training data, platform economy, and integration points into existing systems.

The often reflexive response to this situation is the call for regulation or isolation. Mensch argues in a more nuanced way: It’s not about isolating from the global market but about developing one’s own ability to act. Sovereignty does not mean doing everything oneself—but having the ability to do so.

And it is precisely this ability that often fails in Europe due to organizational and political realities. Individual national interests, slow decision-making processes, and a certain risk aversion ensure that initiatives remain fragmented or are scaled too late. Meanwhile, US companies and increasingly Chinese actors are expanding their positions—not necessarily because they have better ideas, but because they are quicker to implement them.

The truly frustrating part: The starting position is not bad. Europe has excellent universities, a strong industrial base, and a growing startup scene in the AI sector. What is missing is less the vision than the ability to translate it into infrastructure.

As long as this does not change, Europe remains in a strategically uncomfortable role: not a creator, but a user of foreign systems.

🔗 https://www.deutschlandfunk.de/ki-unternehmer-mensch-fordert-mehr-digitale-souveraenitaet-fuer-europa-102.html


AI Investigations and Biometric Web Search: The Long Shadow of Palantir

The new draft from the Federal Ministry of Justice is being sold as a modernization of the Code of Criminal Procedure, but upon closer inspection, it reads like the entry into a new level of algorithmic investigative work. With §98d, the automated comparison of biometric features with publicly accessible internet images is to be enabled, while §98e creates the basis for AI-supported analyses and the linking of police data sets.

Formally, much of the wording remains reassuring. There is talk of “no new databases” and that decisions will continue to be made by investigators. Technically and structurally, however, these statements carry only limited weight. Anyone who wants to conduct biometric comparisons on a large scale inevitably needs pre-structured data sets. And this is precisely where the collision with European regulations like the AI Act begins, which very narrowly limits the mass collection and processing of such data.

It becomes even more interesting with the second part of the draft. The planned AI-supported analyses aim to make connections between data points visible that would be too complex for human evaluation. This logic was a central part of the Federal Constitutional Court’s criticism of existing systems like Palantir: opaque analysis mechanisms whose functioning is hardly comprehensible, even though they deeply interfere with fundamental rights.

The new draft now creates something that has been missing: an explicit legal basis for exactly this type of analysis. This shifts the debate. It’s no longer just about whether certain tools may be used, but about whether the structural prerequisites for their use are being created.

The often-repeated statement that a human always makes the final decision falls short. Because the real power lies not in the final decision, but in the pre-selection—in the definition of what is considered relevant, conspicuous, or suspicious. This definition is increasingly being taken over by algorithms whose logic is neither transparent nor easily verifiable.

Against this backdrop, the question almost seems inevitable: Is the legal framework being created here to reintroduce systems like Palantir—or functionally comparable platforms—this time on a more stable legal basis?

Regardless of the specific provider, the structural problem remains. When state investigative logic is based on proprietary analysis platforms, part of the state’s decision-making architecture shifts into private, difficult-to-control systems.

This is not a question of technical detail. This is a question of the rule of law in the age of AI.

🔗 https://www.heise.de/news/Digitale-Rasterfahndung-Justizministerium-will-biometrischen-Internet-Abgleich-11209379.html


Nextcloud vs. Microsoft: The Excuse Is No Longer Technical

The debate about alternatives to Microsoft 365 has been ongoing for years, and technically it was settled long ago. Platforms like Nextcloud today offer a range of functions that is completely sufficient for many organizations: file storage, collaboration, calendar, communication—complemented by a crucial difference that often only appears on the margins of marketing slides: control over one’s own infrastructure.

Particularly interesting is the concept of federation. Instead of forcing all users onto a central platform, organizations can operate their own instances and still collaborate across them. Data remains where it is generated and is still shareable. Technically, this is exactly the kind of architecture one imagines under digital sovereignty.

And yet the reality is different. Authorities and companies renew their Microsoft contracts, often without seriously examining alternatives. The reasoning is rarely openly political or strategic, but almost always operational: Migration is cumbersome, users need to be retrained, existing processes work—somehow.

This is precisely where the core of the problem lies. Sovereignty is not a feature that can be activated. It is the result of decisions that initially mean more effort. Those who shy away from this effort implicitly decide against sovereignty—even if they write it into strategy papers.

This leads to a remarkable discrepancy between claim and reality. On one side are political programs and position papers emphasizing digital independence. On the other side are concrete procurement decisions that further reinforce existing dependencies.

The uncomfortable truth is therefore relatively simple: The technology for more sovereignty is available. What is missing is the willingness to act on it.

🔗 https://www.heise.de/meinung/Kommentar-Digitale-Souveraenitaet-Haben-wir-schon-uns-fehlt-nur-der-Mut-11192309.html


⚡ Short News

Atlassian cuts around 1,600 jobs to invest more in AI—a classic example that technological transformation rarely comes without structural cuts. 🔗 https://www.heise.de/news/Atlassian-Chef-KI-ersetzt-bei-uns-keine-Menschen-aber-wir-feuern-sie-trotzdem-11208681.html

Google has completed the acquisition of Wiz and is positioning itself even more aggressively in the cloud security market—with a clear focus on multicloud environments. 🔗 https://retail-news.de/google-cloud-wiz-acquisition-abgeschlossen/


📖 Worth Reading

Contracts Are Not Control—They Are Tickets

The article by Hannah Kremer-Hennig pinpoints a debate that is often surprisingly superficial. The assumption that digital sovereignty can be established through contractual frameworks persists—despite the fact that it hardly withstands the reality of modern cloud platforms.

Actual control does not take place in the contract, but in the operational details: in configurations, policies, APIs, and continuously changing platform logics. Contracts describe a state; platforms change it continuously. Those who cannot actively manage this dynamic lose control—regardless of what is legally agreed upon.

This becomes particularly evident in topics like liability, audit, and exit. Liability is limited, while responsibility remains with the user. Audits provide snapshots, but no intervention possibilities. And exit strategies often exist only on the p
