Weekly Backlog Week 3/2026

🧠 Editorial

Digital sovereignty is often invoked as long as it remains abstract. As a target image. As a vision. As a strategy paper. However, as soon as it demands concrete decisions—different providers, different contracts, different responsibilities—it becomes uncomfortable. This week, it becomes very clear who truly means sovereignty and who merely manages it.

Studies, reports, and real projects paint a consistent picture: The dependencies are known, the alternatives exist, the knowledge is available. What is missing is consistency. And the willingness to trade short-term convenience for long-term control.

🚨 The Tech News of the Week

Sovereignty Barometer: Dependency is Not an Exception

The sovereignty barometer of public IT by next:public provides solid figures on a structural problem. Around two-thirds of the surveyed administrations see themselves as heavily dependent on non-European IT providers—not in special cases, but in daily operations. Operating systems, office software, collaboration: precisely where administration practically takes place.

Particularly severe is the lack of ability to shape. Over 40 percent of administrations can only adapt or further develop their specialized procedures to a very limited extent. Thus, software is no longer used as a malleable tool but accepted as a fixed requirement. Control is reduced to contract management.

The causes have been known for years: proprietary standards, historically grown lock-ins, lack of personnel and organizational capabilities among public IT service providers. What is new is only the openness with which the barometer shows that strategy papers have so far changed nothing. Sovereignty does not arise from diversity on paper, but from real options for change in operations.

The upcoming cloud transformation exacerbates this situation. Currently, around two-thirds of applications still run on-premise. The migration is a unique opportunity to deliberately reduce dependencies—or to cement them for the next decade. What matters is not the location of the infrastructure, but who sets standards, controls software, and can act independently if necessary.

🔗 https://nextpublic.de/studie/souveraenitaetsbarometer/

US Access to European Data: Legal Space Follows the Relationship

A previously withheld legal opinion commissioned by the Federal Ministry of the Interior confirms what has been legally foreseeable for years: European corporate data is not protected by EU hosting alone.

The decisive factor is not the server location, but the legal and economic relationship with the USA. A branch is sufficient, but even weaker connections like US customers or a non-excluded US market can suffice to construct a judicial jurisdiction.

Additionally, there are access rights beyond classic procedures. FISA 702 obliges US service providers to disclose data about non-US persons. Executive Order 12333 allows data collection abroad without transparency or control—including the targeted exploitation of security vulnerabilities.

The consequence is clear: Legal risks arise from dependencies, not from geography. “Our data is in Europe” is not a protection concept, but a reassuring phrase.

🔗 https://www.golem.de/news/bundesinnenministerium-fuer-us-zugriff-auf-deutsche-firmen-genuegt-us-niederlassung-2512-203104-2.html

BSI-NIS2 Portal on AWS: Security Without Control

The Federal Office for Information Security (BSI) launches a central NIS2 portal—operated on AWS. Technically, this is explainable. Strategically, it is problematic.

Especially for a portal where security-relevant reports from critical infrastructures converge, dependencies are not a detail. AWS is subject to a foreign legal space, creates structural vendor lock-in, and reinforces market concentration—risks that the BSI itself otherwise identifies.

European, certified alternatives have existed for years. That they apparently played no significant role here is a signal—also to other authorities.

NIS2 aims for resilience and responsibility. Both arise not from functionality alone, but from control over one’s own infrastructure.

🔗 https://www.heise.de/news/Cybersicherheit-BSI-Portal-geht-online-und-nutzt-dafuer-AWS-11130478.html

Aleph Alpha Without Andrulis: When the Narrative Leaves Before the Structure

The complete withdrawal of Jonas Andrulis from Aleph Alpha is more than a leadership change. He leaves every formal role, while around 50 positions are cut. This is not a transition, it is a rupture.

Aleph Alpha was a political promise: European AI, sovereign, independent. This promise was closely tied to Andrulis. He was founder, face, and narrator of the mission.

His departure reveals how fragile this construct was. When the central architect leaves before sustainable structures are in place, it is not a scaling problem, but a governance problem.

The shareholder circle—Schwarz Group, SAP, Bosch, Deutsche Bank—stands for stability but hardly for open ecosystems or technological independence. This fundamentally changes the character of the project.

The Aleph Alpha case does not show the failure of the idea of European AI, but the failure of its implementation under real power conditions.

🔗 https://www.manager-magazin.de/unternehmen/tech/aleph-alpha-gruender-andrulis-zieht-sich-offenbar-aus-dem-unternehmen-zurueck-a-6707380e-0b8f-430a-a9d4-8d03940cc29c

ADVERTISEMENT

🔍 Open Source & Administration

Schleswig-Holstein. The Real North.: Sovereignty in Everyday Life

Schleswig-Holstein implements digital sovereignty in ongoing operations. LibreOffice, Nextcloud, Open-Xchange, prospectively Linux—not a pilot, not a fig leaf.

The decisive point is not the tool, but the attitude. Proprietary dependencies are not accepted but actively dismantled. License costs decrease, but more importantly, there is a regaining of the ability to shape.

Resistance shows how deeply proprietary standards are entrenched. This is precisely why this path is relevant.

🔗 https://www.heise.de/news/Schleswig-Holstein-Open-Source-ist-praxistauglich-trotz-Umstellungsproblemen-11131005.html

💥 Security

Owncloud, Nextcloud, ShareFile: Operation is Security

The recent data leaks were quickly read as an open-source problem. In fact, no software was compromised. No zero-days. No exploits.

The attackers used valid credentials. MFA was not enforced, sessions not invalidated. Sovereignty does not end with the license. It begins in operation.

🔗 https://www.golem.de/news/dringend-mfa-aktivieren-massenhaft-daten-aus-cloud-instanzen-abgeflossen-2601-203932.html

👍 Good News:

Europe’s Automotive Industry Relies on Open Software

More than 30 companies in the automotive value chain—including Volkswagen, BMW, Mercedes-Benz, Stellantis, Schaeffler, Infineon, and Qualcomm—have agreed on open software collaboration.

The step is the result of years of experience with expensive, proprietary software and structural dependencies. Common open-source baselines reduce development effort, accelerate innovation, and shift control back to the actors.

Governance will be crucial. Open software only works if responsibility and management are clarified.

🔗 https://www.reuters.com/business/auto-industry-expands-open-source-pact-boost-development-cut-costs-2026-01-07/

🎧 Recommendation

INNOQ Podcast: Digital Sovereignty as a Business Risk

In the current INNOQ Podcast, Anja Kammer and Gil Breth place digital sovereignty beyond cloud costs and data protection. The focus is on the question of how companies remain capable of action when geopolitical, legal, or economic conditions shift.

Dependencies are not inherently problematic—they become critical when they are no longer manageable.

🔗 https://www.innoq.com/de/podcast/179-digitale-souveraenitaet/

😄 Meme of the Week