Weekly Backlog Week 49/2025
Katrin Peter · 6 min read


Editorial

Europe has been discussing digital sovereignty for over a decade. One might assume that the debate is now conducted at a certain altitude: sober, realistic, strategic. Yet instead of a vision, we are witnessing a poor reboot of old discussions.

This week exemplifies where we stand:

  • ZenDiS patiently reiterates what sovereignty actually means.
  • Switzerland draws very clear conclusions.
  • GitLab reminds admins that security teams cannot rest.
  • And in the EU Parliament, some prefer to discuss keyboards over infrastructure.

Europe is not too late – but time is running out.


The Tech News of the Week

ZenDiS Whitepaper: “Nothing Here is Sovereign.”

Zentrum Digitale Souveränität (ZenDiS) provides a whitepaper that should essentially be mandatory reading for every CIO, CISO, and government roundtable. It redefines — once again — the essential criteria for digital sovereignty: control, transparency, interoperability, reversibility, independence from non-European legal regimes. And it clearly states what many still refuse to accept despite years of discussion: Nothing that US hyperscalers currently sell as a “Sovereign Cloud” meets these criteria.

The marketing strategy is transparent: new regions with German branding, operating models with local service providers, attractive proprietary data space labels – but the structural power remains untouched. As long as code, updates, identity architecture, and legal frameworks lie in California, Europe remains dependent. The whitepaper unmistakably shows: These offerings address political expectations, but not technical or legal requirements.

CIOs in 2025 can no longer hide behind “complexity.” The facts are on the table. Those who still purchase proprietary black boxes are shifting risks into the future – and public ones at that.

Link: https://www.zendis.de/media/pages/newsroom/publikationen/souveraenitaets-washing/751a2c5eb1-1755243871/zendis-whitepaper-souveraenitaets-washing.pdf


Switzerland Against US Clouds: A European Reality Check

Privatim, the Swiss Data Protection Conference, is causing a stir with a de facto ban on US hyperscalers for authorities when processing particularly sensitive or confidential data. This is not symbolic politics but a sober security policy analysis.

The reasons are clear:

  • No genuine end-to-end encryption with full key sovereignty.
  • Lack of transparency about technical measures and subcontractor chains.
  • Contract changes without control.
  • And above all: the US CLOUD Act – a law that allows US authorities access to data, regardless of where it is located.

Privatim thus formulates a truth that Europe has been circling for years: One cannot be “sovereign” while using central digital infrastructures from providers legally bound to foreign states.

This is not a data protection detail. This is geopolitics. And Switzerland is doing something the EU has not yet dared: a political decision based on technical logic.

Link: https://www.heise.de/news/Schweiz-Datenschuetzer-verhaengen-breites-Cloud-Verbot-fuer-Behoerden-11093438.html


GitLab Patches Critical Vulnerabilities – On-Prem Admins, Brace Yourselves

GitLab delivers three security patch releases (18.6.1, 18.5.3, 18.4.5) that are more than routine maintenance. They include fixes for vulnerabilities that pose a serious risk to on-premise installations.

The most important:

  • CVE-2024-9183 (High): Race condition in CI/CD cache → potential capture of privileged credentials. A classic pipeline privilege escalation case.
  • CVE-2025-12571 (High): Unauthenticated denial-of-service via manipulated JSON payloads → build and deployment blockade.

Other fixes address authentication bypasses, token leakage in the Terraform registry area, DoS in HTTP response handling, and errors in registry and markdown components. The releases include deep changes in Sidekiq, the container registry, pagination, and merge request polling.

On-prem teams should update immediately, especially if CI/CD internally manages critical deployments, secrets management, or automated rollouts. Zero-downtime is possible, but not guaranteed — depending on the setup.
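To turn the three release numbers above into a patch triage, the following added example (not GitLab's or ayedo's code) classifies version strings against the patched release of each line. The host names and inventory are constructed, and treating release lines newer than 18.6 as already fixed is an assumption.

```python
import re

# Patched releases named in the article, keyed by (major, minor) release line.
PATCHED = {(18, 6): 1, (18, 5): 3, (18, 4): 5}
OLDEST, NEWEST = min(PATCHED), max(PATCHED)

def parse_version(raw):
    """Parse '18.5.2-ee' or 'v18.6.1' into (major, minor, patch); None if malformed."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)(?:[-+].*)?$", raw.strip())
    return tuple(int(p) for p in m.groups()) if m else None

def classify(raw):
    """Return 'patched', 'needs-patch', 'upgrade-line' or 'unknown'."""
    v = parse_version(raw)
    if v is None:
        return "unknown"
    line, patch = v[:2], v[2]
    if line in PATCHED:
        return "patched" if patch >= PATCHED[line] else "needs-patch"
    if line < OLDEST:
        # The article lists no patch release for this line: move to a listed line.
        return "upgrade-line"
    if line > NEWEST:
        # Assumption: release lines after 18.6 already contain the fixes.
        return "patched"
    return "unknown"

def triage(inventory):
    """Sort hosts so that the instances needing action come first."""
    order = {"needs-patch": 0, "upgrade-line": 1, "unknown": 2, "patched": 3}
    rows = [(host, ver, classify(ver)) for host, ver in inventory.items()]
    return sorted(rows, key=lambda r: (order[r[2]], r[0]))

# Constructed inventory: version strings as each instance reports them.
SAMPLE_INVENTORY = {
    "git.example.internal": "18.6.0-ee",
    "ci.example.internal": "18.5.3",
    "legacy.example.internal": "17.11.4-ee",
    "lab.example.internal": "18.4.5-ee",
    "dev.example.internal": "not-a-version",
}

if __name__ == "__main__":
    for host, ver, status in triage(SAMPLE_INVENTORY):
        print(f"{status:13} {host:26} {ver}")
```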

Links:

GitLab Release Notes: https://about.gitlab.com/releases/2025/11/26/patch-release-gitlab-18-6-1-released/

Heise Analysis: https://www.heise.de/news/Sicherheitsluecken-in-GitLab-Angreifer-koennen-Zugangsdaten-abgreifen-11096105.html


The Accessory Debate

The initiative to abolish Microsoft 365 in the EU Parliament is correct and overdue. Yet parts of the debate are currently veering in an absurd direction: Suddenly, it’s about keyboards, monitors, and mice.

To recall: Digital sovereignty does not arise from peripheral devices. It arises from operating systems, identity infrastructures, cloud platforms, communication systems – all areas that can truly influence Europe’s political decision-making processes.

The major dependencies are not on the desk but in the backend:

  • IAM
  • Updates
  • Jurisdiction
  • Data flows
  • Transparency
  • Controllability

As long as Europe ignores these layers, any debate about “strategic autonomy” remains a joke.

Peripheral debates are convenient – but they do not solve problems.

Link: https://www.heise.de/news/Weg-von-Microsoft-Abgeordnete-fordern-digitale-Souveraenitaet-im-EU-Parlament-11097460.html


Blogpost

Operating Nextcloud Sovereignly – Why the How is Crucial

This week’s blog post is my own, inspired by Issue #214 of “allesnurgecloud.com” by Andreas Lehr. He mentioned a “bait offer” from IONOS in which Nextcloud is apparently billed per user after the first month. A model that seems cheap at first glance but can quickly become a cost trap.

This is exactly where I focus in my blog post: It’s not enough to offer Nextcloud. What matters is how it is operated and billed.

At ayedo, we pursue a different approach: Nextcloud runs as a Managed App directly in our customers’ Kubernetes cluster, with no user limits, no per-head costs, and genuine data sovereignty.

Why this operating model is more sovereign, transparent, and economically sensible in the long run – and why many “cheap” offers are not as independent as they seem – I explain in the full blog post.

Read the blog post: </posts/nextcloud-souveran-betreiben-warum-das-wie-entscheidend-ist/>

ayedo Nextcloud (Managed App): </apps/nextcloud/>

Newsletter #214 by Andreas Lehr: https://www.linkedin.com/pulse/shai-hulud-20-digitale-souver%C3%A4nit%C3%A4t-meeting-kultur-schweiz-lehr-ibhce?utm_source=share&utm_medium=member_ios&utm_campaign=share_via


Event Tip: Why Europe Needs an EU Sovereign Tech Fund

Today (December 3), D64 discusses with Felix Reda the question of how Europe can not only demand digital sovereignty but finally institutionalize it.

The German Sovereign Tech Fund already shows how existentially important it is to systematically stabilize critical open-source components — because many of these projects are what keep the economy, administration, and critical infrastructure running in the first place.

A European fund would be the logical next step:

  • permanently funded
  • strategically oriented
  • interoperable
  • independent of lobbying and changing political whims

Europe cannot become sovereign as long as the technical infrastructure on which everything is built is project-based and randomly funded. The EU fund would be a paradigm shift — away from reactivity, towards strategic technical resilience.

Link: https://d-64.org/veranstaltungen/open-source-talk-mit-felix-reda/


Contribution of the Week

Klaus Meffert: Europe’s Sovereignty is Not a Theory – It is Already Being Lived

Dr.-Ing. Klaus Meffert provides one of the most precise snapshots of digital sovereignty in Europe currently available on LinkedIn. His contribution is not an opinion piece but an assessment – and it is surprisingly clear: Europe already has functioning alternatives to Microsoft & Co., but Germany consistently ignores them.

Meffert shows with real institutions how far Europe actually is:

  • International Criminal Court consistently uses OpenDesk – a clear statement against proprietary dependencies.
  • Austria’s Armed Forces use LibreOffice extensively – including in security-critical environments.
  • Schleswig-Holstein leads with its open-source strategy and establishes an administration that functions independently of hyperscalers.
  • BayernCloud School brings open technologies into the educational landscape – pragmatic, economical, auditable.

The common thread: These examples are not experiments, but productive, large, complex systems. Exactly the type of environments for which German authorities often claim that open source is “not feasible.”

Meffert also clearly identifies where the structural problems lie:

  • Germany clings to US hyperscalers, even though central security-critical areas are dependent on foreign legal regimes.
  • The notion that proprietary platforms of US providers can be made “secure” through audits is an illusion.
  • Sovereignty means control – and that is neither technically nor legally achievable in proprietary clouds.
  • While countries like Switzerland are already moving away from Microsoft, Germany seems like a state actively misunderstanding its digital situation.

His message is unequivocal: There is no lack of alternatives, no lack of technology, and no lack of know-how – there is a lack of political will and institutional consistency.

A contribution that could advance the debate in Germany significantly if more decision-makers would actually read it.

Link: https://www.linkedin.com/feed/update/urn:li:activity:7400105437846740993/


Meme of the Week

by Aleksandar Basara
