Weekly Backlog Week 29/2026
🧠 Editorial This week had it all: open databases, open GitHub repositories, open questions about …

This week had it all: open databases, open GitHub repositories, open questions about data protection – and a surprisingly large number of organizations suddenly discovering that digital dependencies might not be such a good idea after all.
If you want to know why Mecklenburg-Vorpommern, the Swiss Army, and Max Schrems are all telling the same story, you’re in the right place.
Let’s get started.
It’s nice to see that the next federal state is finally taking its task seriously and starting to use European alternatives to US hyperscalers.
Mecklenburg-Vorpommern has already migrated 5,000 users from Microsoft SharePoint to Nextcloud. In the medium term, this number is expected to grow to around 50,000. At the same time, they are examining how Microsoft Office can be replaced with open-source solutions.
Bravo!
This is actually a reason to celebrate. If it weren’t for the second piece of news.
An openly accessible database was discovered at Nextcloud GmbH. A serious incident that obviously needs to be addressed.
Is this now proof that European alternatives are failing?
No.
When software is increasingly used, when more and more people work on it, and when it evolves rapidly due to rising demand, mistakes happen. It’s annoying. It should be critically examined. But it is neither extraordinary nor an exclusive problem of European providers.
What matters is how such mistakes are handled.
Nextcloud now has to do its homework. That’s perfectly clear. Security processes need to be reviewed and improved. That’s exactly what users rightly expect.
Those who now use this incident as proof of the alleged lack of alternatives to hyperscalers should perhaps first look at the history of their preferred providers. Not everything runs smoothly there either – neither technically nor at the corporate level. Not to mention political entanglements, power politics, and questionable relationships.
Mecklenburg-Vorpommern is sending the right signal. Europe doesn’t need fewer European providers, but more of them.
🔗https://www.heise.de/news/Offene-Datenbank-Nextcloud-GmbH-behebt-potenzielles-Datenleck-11358275.html & https://www.heise.de/news/Open-Source-Strategie-Mecklenburg-Vorpommern-will-auch-Microsoft-Office-abloesen-11359864.html?utm_term=Autofeed&utm_medium=Social&utm_source=LinkedIn#Echobox=1783612525
Chat control 1.0 was politically dead long ago. Now it’s back.
Not because the European Parliament is suddenly convinced of its necessity. But because a procedural trick just before the summer break was enough to extend the temporary transitional regulation once again.
This keeps a regulation in place that enables one thing: the mass scanning of private communication.
The justification is the same as it has been for years. The fight against sexual violence against children.
This goal is beyond question.
What remains in question, however, is the price Europe is willing to pay for it.
Because chat control is based on a principle that is difficult to reconcile with the core values of a democratic constitutional state: Not the concrete suspicion justifies the control, but the control is supposed to create the suspicion in the first place.
Private communication thus loses its protective space. Every chat, every email, every picture potentially becomes an object of scrutiny by automated systems.
Ironically, the European Union, which has declared the protection of personal data a global standard with the GDPR, simultaneously holds on to an instrument that questions exactly this principle.
The contradiction could hardly be greater.
Europe cannot credibly export data protection while simultaneously establishing surveillance mechanisms that place millions of innocent citizens under general suspicion.
Child protection is a state duty.
Mass surveillance is not.
Equating the two risks exactly what Europe should actually protect: the confidentiality of private communication and the trust of citizens in their fundamental rights.
Max Schrems wants to challenge the EU-US Data Privacy Framework again. If he succeeds once more before the European Court of Justice, it would be the third data protection agreement between the EU and the USA to fail.
Safe Harbor was declared invalid in 2015. Privacy Shield followed in 2020. Now the Data Privacy Framework is under scrutiny.
The trigger is a ruling by the US Supreme Court. According to Schrems, this means that the independence of the Federal Trade Commission is no longer given. Yet this independence was precisely the essential condition the EU Commission used to assess the level of data protection in the USA as adequate.
If this assessment proves untenable, not only the agreement will be in jeopardy. Once again, companies in Europe would face the same legal uncertainty they have already experienced twice.
Remarkable is less the lawsuit than the political reaction to it. Instead of using the occasion to consistently reduce dependence on US services, there is once again discussion about how to save the existing agreement.
Even the data protection officer of Schleswig-Holstein is now advising companies to review their data flows to the USA and to better secure themselves technically, organizationally, and legally.
After two failed agreements at the latest, the European response should no longer consist solely of hoping for the next agreement. Those who take digital sovereignty seriously must finally understand European alternatives as strategic infrastructure – not just when the European Court of Justice creates facts again.
When even the Cyber Command of a military concludes that dependence on Microsoft poses a security risk, Europe should not dismiss this decision as an isolated case.
Switzerland is migrating its cyber specialists to OpenDesk. Not for ideological reasons. But because sensitive military communication, in their view, should not be permanently dependent on the cloud infrastructure of a US corporation.
The reasoning is remarkable.
Microsoft is increasingly shifting its services to its own cloud. Emails, documents, calendars, and video conferences can only be used via the company’s infrastructure in the future. For the Swiss Cyber Command, which deals with highly sensitive and sometimes classified information, this development is unacceptable.
The army explicitly cites the US Cloud Act and the resulting possibility of state access as a reason. Added to this are geopolitical risks that have become increasingly apparent in recent months. Those who have observed how political decisions by the US government have had immediate impacts on technology companies quickly recognize that digital dependencies are no longer a theoretical problem.
But it’s not just the decision itself that is remarkable.
Switzerland is not simply replacing Microsoft with another software. It is relying on OpenDesk, a European open-source solution, operating it in its own data centers, and actively participating in its further development. Digital sovereignty there does not mean buying as many European products as possible. It means regaining control over one’s own digital infrastructure.
While many are still debating whether digital sovereignty is even worth the effort, the Swiss Army is creating facts.
Perhaps it is worth considering this decision less as an isolated case – but as what it actually is: a security policy reassessment of digital dependencies.

A guest contribution by Dr. Tim Frey
To understand the absurdity of the current sovereignty debate, sometimes you just have to look at the source code. A current example from practice is causing heated discussions on LinkedIn: Dr. Tim Frey took a closer look at Project SPARK – the new AI-based open-source modules from the Federal Ministry for Digital and State Modernization (BMDS), which are supposed to accelerate planning and approval processes in Germany and make administration “secure and sovereign.”
The principle is actually: Public Money – Public Code. However, if you look into the official repository, you find the following template entry in the default configuration for the embedding and chunking model:
Plaintext
CHUNKING_MODEL="self-hosted/BAAI/bge-m3" EMBEDDING_MODEL="baai/bge-m3"
The problem: BAAI stands for the Beijing Academy of Artificial Intelligence – a state elite research institution from China.
Although the system is modular and the models could theoretically be swapped flexibly, the fact that a state-owned Chinese model is delivered as the official standard blueprint for sensitive national administrative infrastructure leaves more than just a sense of discomfort.
It once again shows the deep divide in German IT policy: While digital sovereignty and European independence are spoken of on stage, the code in the default setting looks to Beijing. Notices to the ministry have so far gone unheard. Transparency also means asking the uncomfortable questions about where the foundation of our digital future is being laid.
To Dr. Tim Frey’s LinkedIn post
Hynix-CEO warns of memory shortage – underscores risk structure of global supply chains; strengthens the need for a European semiconductor strategy and independent infrastructure solutions.
IT service provider leak reveals dependencies on third-party vendors; highlights risk of vendor lock-in, lack of transparency, and regulatory consequences for compliance and resilience of critical online infrastructure.
Demand for a central, sovereign long-term archive emphasizes national infrastructure control, legal framework, and independence in digital cultural heritage – a central question of digital sovereignty in Germany.
🔗<https://www.heise.de/news/Kulturinstitutionen-for
🧠 Editorial This week had it all: open databases, open GitHub repositories, open questions about …
🧠Editorial: This week, it becomes clearer than ever that digital sovereignty is no longer an …
🧠 Editorial This week is about much more than just Cloud and AI: The EU is targeting AWS and Azure, …