Weekly Backlog Week 29/2026
🧠 Editorial This week had it all: open databases, open GitHub repositories, open questions about …

This week, it becomes clearer than ever that digital sovereignty is no longer an abstract debate. While a US Supreme Court ruling once again questions the stability of transatlantic data agreements and highlights European companies’ dependency on US clouds, concrete alternatives are emerging.
Mecklenburg-Vorpommern is turning to Nextcloud and European AI, Ubuntu is strengthening ARM64 as an equal platform, and German research institutions are developing an open RISC-V security chip. The direction is clear: Europe is beginning to not only discuss technological dependencies but to reduce them step by step.
Additionally, we take a look at a critical security vulnerability in Argo CD, a 16-year-old flaw in Linux-KVM, and other developments from the world of Open Source, Cloud, and Kubernetes.
Enjoy the read!
As reported by heise, Mecklenburg-Vorpommern is gradually moving away from Microsoft services in collaboration and cloud areas. The previously used SharePoint environment is being replaced by the open-source platform Nextcloud, which is operated on the state’s own infrastructure. The transition of the first 5,000 employees is already complete, and in the long term, more than 50,000 employees will work with it.
But it’s not just the switch to Nextcloud that’s exciting. In terms of AI, the state consciously wants to use European solutions. Instead of relying on the big US hyperscalers, Mecklenburg-Vorpommern is turning to language models like Mistral from France or Tilde from Latvia.
For me, this is excellent news.
More and more public administrations are recognizing that digital infrastructure is not just an IT issue. Relying solely on non-European providers for central services for communication, collaboration, or future AI makes one dependent—technically, economically, and increasingly politically.
Digital sovereignty, therefore, does not mean replacing everything tomorrow. It means regaining control where possible and sensible. This is exactly the path Schleswig-Holstein and now Mecklenburg-Vorpommern are taking. I sincerely hope that many other federal states will follow this example.
A detail from the heise article made me smile, though: A complete farewell to Microsoft is not yet planned. Windows will remain on the work computers for now; a switch to Linux is currently not a priority.
Dear Mr. Anschütz: What isn’t yet, can still become. 😉
The most important step has already been taken: The willingness to systematically reduce digital dependencies is there. Everything else is then no longer a fundamental question but a matter of prioritization.
🔗https://www.heise.de/news/Mecklenburg-Vorpommern-verabschiedet-sich-von-Microsoft-11352440.html

For the past few days, the cookie query has been appearing again after every restart of LinkedIn.
I’ve long made my decision. Yet, I’m supposed to confirm it repeatedly.
Today, of all days, I read on netzpolitik.org that Germany, together with Google, wants to prevent cookie banners from being replaced by a central browser setting. Instead of a one-time decision, users should continue to make the same choice on each individual website.
This quickly gives the impression that cookie banners are an unavoidable part of the internet.
They are not.
On our website at ayedo, there is deliberately no cookie banner.
Not because we interpret data protection differently, but because we forgo consent-required tracking. Server logs and privacy-friendly tools suffice for evaluating our website. No personal data needs to be transferred to third parties for this.
For me, this shows above all one thing:
The real discussion should not be about how cookie banners look or where they appear.
The real question is why so many websites use tracking that makes these banners necessary in the first place.
🔗https://netzpolitik.org/2026/online-tracking-deutschland-und-google-wollen-cookie-banner-retten/
While we discuss whether security-critical systems of a US company endanger our digital sovereignty, a recent US Supreme Court ruling provides the next reality check.
The Supreme Court has decided that the Federal Trade Commission (FTC) no longer needs to be independent but is subject to the control of the US President. However, this independence was a central prerequisite of the EU-US Data Privacy Framework, on which thousands of companies rely for data transfer to the USA.
The EU Commission refers hundreds of times in its adequacy decision to the FTC as an independent oversight body. If this assumption falls away, the entire foundation of transatlantic data transfer is shaken.
This affects not only Microsoft 365, Google, or AWS.
It highlights a fundamental problem: Europe builds its digital infrastructure on legal constructs dependent on political decisions in Washington. A US Supreme Court ruling is enough to call years of European data protection architecture into question.
Digital sovereignty does not mean that data happens to be located in Frankfurt. Digital sovereignty means that Europe bases its critical digital infrastructure on technologies and legal frameworks that it can design and control permanently.
This is the same point I described last week using the example of Palantir.
Whether proprietary analytics platforms for police authorities or transatlantic cloud services: As long as technical and legal control lies outside Europe, European sovereignty remains dependent on the goodwill of others.
The US Supreme Court ruling could have far-reaching consequences for transatlantic data traffic. With the decision in the case Trump v. Slaughter, the US President may now exert more control over federal agencies like the FTC.
Specifically, this means that protection mechanisms against political influence and arbitrary dismissal of agency leadership have been removed. As a result, the FTC is no longer legally considered independent but more subordinate to the White House.
This independence was a central prerequisite for the European Commission to deem data transfer between the EU and the USA as data protection compliant.
What appears to be a domestic US ruling could therefore have significant consequences for companies in Europe. Should the EU-US Data Privacy Framework fail, many organizations would have to reassess their use of American cloud and software services—just as they did after the end of Safe Harbor and Privacy Shield.
The European Commission refers to the independent oversight by the FTC 259 times in its adequacy decision. If this prerequisite falls away, the entire construct is shaken.
Max Schrems and noyb have already reacted and are calling for the annulment of the Data Privacy Framework. Those who have followed the past years recognize the pattern: Safe Harbor. Privacy Shield. And now possibly Schrems III.
The Data Privacy Framework still applies. There is no immediate need for action. However, the legal uncertainty is back—and is likely to accompany companies for years to come.
Those who have built their entire digital strategy on American hyperscalers once again bear a political and legal risk that is beyond their control.
This is exactly why the evaluation of European cloud providers must fundamentally change.
What was yesterday considered a smaller or more expensive alternative is developing into a strategic advantage. Digital sovereignty is no longer a political demand but professional risk management.
Many European cloud providers could benefit from this. Companies that consistently operate their infrastructure within Europe and are not dependent on the legal uncertainties of transatlantic data transfers gain strategic importance. In the future, not only the performance of a cloud will be decisive but also its long-term legal security.

Security researchers from Synacktiv have discovered a severe vulnerability in Argo CD that allows attackers to fully take over Kubernetes clusters. Particularly concerning: There is currently neither a patch nor a CVE identifier for the vulnerability.
The Repo-Server of Argo CD is affected. If its internal network port is accessible, attackers can execute their own code without authentication. This allows them to manipulate deployment data and roll out malicious code during the next automatic synchronization in the cluster.
Since many Argo CD installations are operated by default without enabled Kubernetes network policies, the risk is particularly high in compromised clusters. As an effective protective measure, researchers recommend consistently restricting access to Repo-Server and Redis via Network Policies.
Until an official patch is released, clean network segmentation remains the most important defense.
🔗https://thehackernews.com/2026/07/unpatched-argo-cd-repo-server-flaw.html?m=1
Fraunhofer Institutes are developing a Secure Element based on OpenTitan, manufactured in Dresden, strengthening digital sovereignty through open-source hardware and European manufacturing.
Study shows deep cloud dependency of German companies; emphasizes the need for resilient infrastructure, European cloud alternatives, regulatory frameworks for sovereignty.
Historical look at US legal frameworks and power structures in the tech ecosystem; highlights regulation, liability, and economic dependencies, impact on European sovereignty and digital infrastructure.
Security researcher Hyunwoo Kim (V4bel) has uncovered a severe vulnerability in the Kernel-based Virtual Machine (KVM) of the Linux kernel with CVE-2026-53359 (“Januscape”). Existing since 2010
🧠 Editorial This week had it all: open databases, open GitHub repositories, open questions about …
🧠Editorial: This week, it becomes clearer than ever that digital sovereignty is no longer an …
🧠 Editorial This week is about much more than just Cloud and AI: The EU is targeting AWS and Azure, …