Weekly Backlog Week 17/2026
Katrin Peter · 8 min read


🧠 Editorial

This week clearly shows where things are tipping:

We talk about digital sovereignty – and simultaneously realize how deeply we are still entangled in dependencies. Whether it’s messengers, cloud, or infrastructure: control is lacking exactly where it would be critical.

The Vercel hack, new governmental messengers, discussions about “sovereign” cloud, and Big Tech’s influence on EU regulations are not isolated incidents. It’s a pattern.

We have outsourced infrastructure – and with it, a piece of decision-making capability.

Now it gets uncomfortable: It’s no longer about tools or features, but about who has access, who is reading along, and who can pull the plug if necessary.

📰Tech-News:

European Governments Building Their Own Messengers

What’s happening now is overdue.

European authorities are slowly moving away from WhatsApp & Co. and building their own messengers – not because the encryption is bad, but because control is lacking. User management, metadata, archiving: all things you don’t really have a grip on with consumer apps.

The real point, however, is another: We are structurally dependent on US platforms. Even Signal is no exception.

And this is increasingly understood as a risk – politically and in terms of security. At the latest since the recent incidents (phishing, MDM gaps, “disappeared” messages), it’s clear: For governmental communication, “it’s encrypted” is not enough.

My opinion: The step is not only sensible but long overdue. Digital sovereignty also means operating critical communication yourself – and not parking it with US providers.

Anyone dealing with this should read the heise article. It’s not about tools, but about dependencies.

🔗https://www.heise.de/news/Souveraenitaet-Viele-europaeische-Beamte-muessen-WhatsApp-und-Signal-Adieu-sagen-11261147.html

Vercel Hacked: When Environment Variables Suddenly Become Public

Vercel was compromised – not in a spectacular zero-day manner, but classically via a hijacked employee account (Google Workspace via Context.ai). Result: access to internal systems and potentially credentials and environment variables of customers.

The platform remains online, and affected users have been informed. Nevertheless, this is exactly the type of incident that hurts: env vars contain API keys, tokens, and database credentials – everything that keeps modern apps running.

Particularly unpleasant: Vercel sits directly in the deployment and supply chain. Anyone who gains access here is often already halfway into production.

Meanwhile, an alleged “Shinyhunters” actor is offering stolen data for sale (including tokens and source code). Whether the data is genuine is still unclear – the risk remains.

Takeaway: SSO is not a shield, CI/CD platforms are Tier-0 infrastructure – and “secrets in Env Vars” are only as secure as the platform that holds them.

🔗https://www.golem.de/news/cyberangriff-trifft-vercel-grosse-cloud-entwicklerplattform-gehackt-2604-207757.html

Cloud from Europe: What “Sovereign” Really Means

European cloud offerings are not automatically sovereign – but also not insecure. This is shown by an analysis from the cyberintelligence institute together with the WDR Servicezeit, including assessments by Prof. Dr. Dennis-Kenji Kipker.

The core is simple:

1. Law Trumps Location: A data center in the EU is not enough. What matters is which law the provider is subject to – and whether, for example, US structures indirectly allow access.

2. Architecture Trumps Marketing: True security means encryption by default, with no access possibility for the provider.

The differences lie in the details: infrastructure, corporate structure, transparency.

Anyone seriously dealing with cloud selection should take a look at this. The relevant part starts at minute 14:00 in the WDR report:

🔗https://lnkd.in/es76fuyc

The New Sovereignty Standard or a Classic Sales Funnel?

Tools for measuring digital sovereignty always pursue the same core goal: they aim to make visible how dependent an IT infrastructure really is and provide concrete indications of how these dependencies can be reduced. This is exactly what the ES³ model from STACKIT addresses – structured, comprehensive, and with a clear aim to bring more commitment to the debate.

This is an important step. Because the need to make sovereignty tangible is real. At the same time, a point emerges in the implementation that should at least be discussed.

While other approaches – like our assessment at ayedo – deliberately rely on anonymity and keep the barrier to access as low as possible, STACKIT ties the evaluation to prior identification. Anyone who wants to understand their status provides context and thus already moves within a provider framework.

Especially in an environment where #digitaleSouveränität aims to recognize and reduce dependencies, this creates a certain contradiction. The analysis itself is sensible and necessary – but it gets a bitter aftertaste when it simultaneously becomes part of a promotional measure.

The number of dimensions is initially secondary. What matters is whether the evaluation is independent – or already part of a system that has an interest in its outcome.

An assessment can provide orientation or generate demand. Ideally, it creates transparency without defining expectations or dictating the next step.

This does not diminish the fundamental contribution of initiatives like ES³. On the contrary: they bring an important topic to the forefront and increase the pressure to seriously engage with one’s own infrastructure.

That’s why it’s worth taking a close look at the design. Because digital sovereignty does not end with the question of where systems are operated – it begins with how we evaluate them.

🔗https://www.heise.de/news/Schwarz-Digits-stellt-Standard-fuer-digitale-Souveraenitaet-vor-11264086.html

🎙️Podcast Recommendation:

“As Usual” – When Microsoft Co-Writes EU Laws

Sascha Pallenberg 潘賞世 describes in his current podcast how US tech companies apparently had direct influence on an EU law for AI data centers – down to formulations that were adopted almost unchanged. At the center is a decision that was actually supposed to ensure transparency and now achieves the opposite.

The EU wanted to disclose how much energy, water, and resources this infrastructure consumes. Exactly what you need to know if you want to politically steer the massive expansion. In the end, the law includes a confidentiality clause that shields exactly this information.

And then comes this sentence from the commission: They considered feedback and adopted the text – “as usual”.

That’s the real scandal. Not the individual clause, but the self-evidence behind it. If it’s “usual” for suggestions from Microsoft and Co. to flow into legislative texts, then the balance of power has long since irretrievably shifted.

Because, of course, it’s not just about transparency reports. It’s about the foundation of AI infrastructure in Europe. Data centers are not abstract cloud constructs but industrial facilities with enormous resource consumption. Anyone who keeps the data on this under wraps removes them from any serious control.

At the same time, approval procedures are accelerated and participation reduced. More speed in expansion, less insight for the public? This is not contradictory policy, but a clear line.

Europe talks about digital sovereignty and invests billions. But sovereignty is not decided by the question of where data centers are located. It is decided by who writes the rules for them.

If the answer to that is “as usual,” then it’s not a slip-up. Then it’s a system.

Pallenberg’s podcast shows quite precisely how this system works – and why it is more dangerous than any missed technology initiative.

🔗https://www.metacheles.de/europas-ki-rechenzentren-so-diktiert-big-tech-die-gesetze/

📰Short-News:

Artificial Intelligence: Merz Wants to Ease EU Regulation for Industrial AI

EU regulation for industrial AI is to be eased; regulation influences infrastructure strategies, potentially burdening sovereignty.

🔗https://www.golem.de/news/kuenstliche-intelligenz-merz-will-eu-regulierung-fuer-industrie-ki-lockern-2604-207744.html

Vercel Breach Tied to Context AI Hack Exposes Limited Customer Credentials

Security incident at cloud platform shows dependency risk: third-party tools enable access to infrastructure; strengthens need for sovereign, open infrastructures and redundant platforms.

🔗 https://thehackernews.com/2026/04/vercel-breach-tied-to-context-ai-hack.html

Youth Protection and Security: EU App for Age Verification Hacked in Two Minutes

Security flaw in EU age verification app shows governance and security risks of European digital infrastructure; need for robust standards, sovereignty in the legal space.

🔗 https://www.golem.de/news/jugendschutz-und-sicherheit-eu-app-fuer-altersnachweis-nach-zwei-minuten-gehackt-2604-207736.html

✍️Blogpost:

Digital Sovereignty is a Nice Buzzword – Until You Have to Measure It.

That’s exactly where it fails in practice: Everyone talks about dependencies, hardly anyone can concretely name them. (Except maybe in promotional measures ;)

The ayedo Sovereignty Score aims to change exactly that – with a compact assessment that makes visible where you really stand (and where it gets uncomfortable).

The article explains why this is more than just another maturity score – and why the uncomfortable answers are the truly valuable ones.

💬 LinkedIn Post of the Week

Felix Becker pretty directly points out what many are just beginning to realize: The hyperscalers have not only grown big – they now set the rules.

His argument is simple: We have outsourced infrastructure over the years, reduced know-how, and let ourselves be convinced that “cloud is cheaper.” Now these very providers are buying up the hardware market – and further exacerbating the dependency.

The uncomfortable part: This is not a temporary market problem, but a structural lock-in at the infrastructure level. When even hardware becomes a scarce resource, “we’re going back on-prem” suddenly isn’t a real option anymore.

And this is where it gets critical: Anyone who no longer has their own operational competence today will also have no bargaining power tomorrow.

My addition to this: It’s not just about prices or vendor lock-in – but about delivery capability. If hyperscalers are supplied first, infrastructure becomes a downstream problem for everyone else.

https://www.linkedin.com/feed/update/urn:li:activity:7445181947212922881/?utm_source=share&utm_medium=member_desktop&rcm=ACoAADCSWyQBU4m7hUbXDJqk27ftrkLIYOZzONU
