Weekly Backlog Week 22/2026
🧠 Editorial

This week, Europe’s tech debate feels like a reality check after ten years of cloud marketing.
While the Netherlands suddenly treats American access to state infrastructure as a security issue, SCHUFA seriously sells its AWS migration as “digital sovereignty.” Apparently, having “European” in the product name is enough for everyone to act as if the CLOUD Act was just a bad rumor.
Meanwhile, California realizes that Open Source doesn’t work like Big Tech. Kubernetes publicly declares that some security vulnerabilities will never fully disappear. And suddenly, it’s about something that has long been suppressed in IT: technical reality.
Perhaps this is the real story of the week: Cloud is becoming geopolitical. Open Source is becoming political. And security is once again architecture instead of compliance theater.
Parts of Europe are slowly waking up - others are still sleepwalking.
SCHUFA Holding AG sells its migration to Amazon Web Services (AWS) as “digital sovereignty.” I consider this dangerous #SovereignWashing.
Because no matter how often AWS writes the word “European” in front of its cloud: AWS remains a US corporation. The CLOUD Act doesn’t disappear because of this. FISA doesn’t disappear because of this. And American authorities’ access doesn’t simply vanish through EU data centers or European employees.
That’s precisely why this debate now massively irritates me. People pretend that digital sovereignty is a question of server location. It is not. Sovereignty means control over infrastructure, interchangeability, legal space, and technological dependencies. And all of that still lies with AWS in the USA.
SCHUFA outsources the data of 69 million people to a corporation that is directly subject to the American legal framework — and sells it simultaneously as European progress. Honestly: That’s absurd.
I find the political dimension behind it particularly problematic. Europe constantly talks about strategic autonomy, digital resilience, and the protection of critical infrastructure. At the same time, these critical systems are repeatedly tied to American hyperscalers.
And every time the same PR machinery starts: “Innovation and sovereignty.” “The best of both worlds.” “European control.”
No. This is not European control. This is an American corporation with European branding.
What bothers me most is how readily many companies now jump on these narratives. As soon as “Sovereign Cloud” is on it, every critical examination seems to end. Yet, the fundamental power relationship has not changed at all.
Those who truly want digital sovereignty must strengthen European providers, open standards, and Open-Source infrastructures - instead of expanding the dependency on US corporations and then selling it as progress.
I consider it a fatal signal that SCHUFA, of all entities, is taking this path. Because this is not about any service. This is about the most sensitive data of millions of people. And precisely this data is now landing even deeper in the sphere of influence of a corporation more closely intertwined with American power politics than many want to admit.
This is not digital sovereignty. Someone just fell for AWS marketing.
🔗 https://www.schufa.de/newsroom/schufa/schufa-geht-amazon-aws-european-sovereign-cloud/index.jsp
California just had to solve a problem that many regulatory authorities still don’t understand: Open Source doesn’t work like Big Tech.
The new law on age verification was supposed to require operating systems to verify the age of their users and pass this information on to apps and platforms. This would theoretically have affected Linux distributions and other Open-Source systems.
The problem: Who exactly is supposed to implement this control in decentralized Open-Source projects?
Most Linux distributions do not consist of centralized corporations with account systems, data silos, and surveillance infrastructure. They are developed by communities, often without central user management or telemetry. That’s why the law would have effectively forced Open-Source projects to turn into surveillance platforms.
Now California is backtracking and redefining the term “provider of an operating system.” Open Source is to be exempted. This is more than a legal correction. It highlights a fundamental problem of modern digital policy: Regulation is often written for platform corporations but ends up affecting open technologies as well.
Open-Source systems are often the last digital spaces not entirely based on identity enforcement, data collection, and central control.
The debate is therefore larger than youth protection or age verification. It concerns the question of whether digital infrastructure should fundamentally be based on surveillance in the future or whether there can still be technical spaces without permanent identity checks.
And that’s where the real confrontation over digital freedom begins.
The Netherlands has just sent a signal that goes far beyond a single business acquisition: Critical digital infrastructure does not belong under the control of companies subject to the US CLOUD Act. That’s why the acquisition of the Dutch cloud provider Solvinity by the US company Kyndryl was prohibited.
This is not about any hosting provider. Solvinity operates central systems of the Dutch state: DigiD, MijnOverheid, and Digipoort. These are precisely the platforms through which citizens pay taxes, access health data, or communicate with authorities. Whoever controls this infrastructure controls digital access to the state.
The crucial point: With the acquisition, this infrastructure would have been indirectly subject to the US CLOUD Act. This means American authorities could demand access to data – even if it is physically located in Europe. This legal extraterritoriality has been underestimated in Europe for years. The Netherlands is now drawing the consequences.
What is remarkable is not only the decision itself but also its political clarity. The Dutch investment review recommended no conditions, no compromises, no “security guarantees.” Instead, a complete prohibition. This is a fundamental difference from the previous European practice, where digital dependency was often accepted as inevitable.
The reality is uncomfortable: Europe’s digital infrastructure largely runs on American platforms. AWS, Microsoft Azure, and Google Cloud dominate the European cloud market. At the same time, governments talk about digital sovereignty, while their most sensitive systems remain technically and legally dependent on non-European corporations.
The Netherlands exposes precisely this contradiction.
The geopolitical context is also interesting. The decision comes just before the announced EU Tech Sovereignty Package. The direction is clear: Europe is beginning to understand that technological dependency is no longer just an economic issue but a question of state capability.
Whoever controls cloud infrastructure today controls data access, administrative processes, and, in case of doubt, political sovereignty. That’s why “data protection” as a debate is no longer sufficient. It’s about power structures.
Particularly revealing is a detail from the article: Even European “Sovereign Cloud” projects are still partly based on US technology. This shows how deep the structural dependency already reaches. Europe has largely slept through the infrastructure battle of the last 15 years. Now political reality is catching up.
The Netherlands may be providing a preview of what could soon become standard across Europe: No foreign legal access to critical public infrastructure.
And honestly: This is not radicalism. This is digital self-defense.

Panopticon 2.0: This book dismantles the illusion of digital control
The debate over digital sovereignty often remains abstract. Thierry Gilgen does the exact opposite in Panopticon 2.0 – Governing in an Age of Total Surveillance: He precisely shows where control actually lies today – and why Europe has become dangerously technologically dependent.
The book analyzes how surveillance has changed. Away from classic espionage, towards invisible dependencies through cloud infrastructures, platform monopolies, sensor technology, and AI systems. It’s not just intelligence agencies that define power, but providers of chips, hyperscalers, API ecosystems, and proprietary standards.
Gilgen’s approach of the “Five Layers of Control” is particularly strong. He describes digital power not as a political buzzword but as a technical reality – from semiconductors to cloud laws to contractual lock-ins. It is precisely here that it is decided today who possesses digital capability and who remains merely a user of foreign systems.
The book connects geopolitical developments with concrete technical structures. CLOUD Act, AI platforms, supply chains, data spaces, and governance vacuum are not viewed in isolation but analyzed as an interconnected power system. This provides a rarely clear view of the actual weak point of many organizations: lack of control over their own digital infrastructure.
Important: Panopticon 2.0 doesn’t stop at criticism. Gilgen provides a practical framework to systematically assess digital risks and make technological dependencies visible. This is particularly relevant for companies, authorities, and strategy managers. Because digital sovereignty is not created by Sunday speeches but by architectural decisions.
The book is aimed at people who not only consume technology but also want to understand its political and strategic consequences. Anyone dealing with European digital policy, Open Source, cloud dependency, or AI governance should read it.
Because the central question is no longer whether we are being surveilled. But who controls the systems on which our society functions.
ISBN: 978-3-6951-2427-5
Farewell to Windows and US Big Tech: Linux parties celebrate digital sovereignty
Discussion about digital sovereignty in Europe, OS independence, and dependencies on US platforms. Practical impacts on everyday infrastructure and political debates about alternatives to Big Tech.
🔗 <https://www.golem.de/news/abschied-von-windows-und-us-big-tech-linux-partys-f