Weekly Backlog Week 4/2026
🧠 Editorial This week feels like a reality check for everyone who thought digital sovereignty was …

December 31, 2025. While many tech year-in-reviews pretend everything was a feature release, these last days of the year deliver an uncomfortably clear message: We don’t have a knowledge problem. We have an execution problem.
Whether it’s the Chaos Communication Congress, domain chaos at the federal level, or the Germany Stack – analyses, warnings, and alternatives are laid out openly everywhere. Yet digital sovereignty remains a political footnote, an organizational pilot project, and technically often a fig leaf on proprietary platforms.
This issue is therefore longer. Not out of nostalgia, but because the topics demand it. Anyone toasting to a better digital year 2026 tonight should know what it can realistically fail on – and what it won’t.
The 39th Chaos Communication Congress (39C3) in Hamburg is not an event for seeing new gadgets. It is a political venue – just with better technical competence than many ministries.
With around 16,000 participants and 165 lectures, the Congress provides a condensed assessment of global technology policy. The motto “Power Cycles” does not describe an abstract theory but an observable process: States are losing their shaping power while technological control is concentrated among a few platform and infrastructure actors – mostly outside Europe.
Particularly noteworthy is the classification of Artificial Intelligence. The CCC does not treat AI as a productivity booster but explicitly as an instrument of power: a technology that strengthens existing economic elites, displaces creative work, and centralizes decision-making processes. This perspective is almost entirely missing in political debates, which negotiate AI either as a location factor or as an administrative accelerator.
At the same time, the CCC formulates a counterproposal: open software, open protocols, open interfaces. Not out of idealism, but out of political necessity. Digital sovereignty does not arise here through national clouds or European branding initiatives, but through verifiable technology, communal development, and real control over infrastructure.
That heise online reports on-site is logical. The Congress is not a scene meeting but a seismograph. Those who listen here recognize misdevelopments earlier – and alternatives that are technically realistic. Europe’s problem is not a lack of knowledge but a lack of resolve to translate these voices into real politics.
🔗 https://www.heise.de/news/Chaos-Communication-Congress-Der-39C3-hat-begonnen-11125134.html
The heise-online article on the domain chaos of the federal government reveals a problem that is as banal as it is dangerous: The German state does not reliably know under which domains it officially appears online – and even declares this information partially classified.
A domain in the digital space is what a seal was on paper: proof of identity. The state does not fulfill this function. Instead, there is a historically grown jumble of .de domains, project addresses, relics of old ministries, and half-hearted bund.de constructions. For citizens, it is hardly recognizable what is official and what is not.
It was only through the work of IT security researcher Tim Philipp Schäfers that over 2,000 federal domains were compiled. Not through state documentation, but through scraping, DNS analyses, and search engines. This alone is already a political indictment.
Particularly problematic is the underlying mindset: security by obscurity. Parts of the federal government apparently believe that secrecy creates security. Technically, this assumption has been refuted. Attackers do not need official domain lists – DNS scans, certificate transparency, and search engines provide this information automatically. Secrecy does not prevent attacks; it prevents control.
The consequences are real: imitated government websites for corona aid, expired federal domains in foreign hands, typo domains like “bund.ee”, demonstrated at the 39C3. These are not theoretical risks but lived practice.
Other countries have pragmatically solved this problem for years – the USA with .gov, the UK with gov.uk. Germany discusses gov.de, decides on it in 2024, and barely implements it in 2025. As long as citizens have to guess whether a URL is genuine, the state has not fulfilled its digital responsibility.
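The following Python example is added here and is not taken from the heise article or from the research it cites. It shows what a single official namespace buys in practice: a hostname is either under it or not, and near-misses such as "bund.ee" can be flagged mechanically. It assumes `bund.de` and `gov.de` as the official suffixes, uses constructed sample hostnames, and takes the last two labels as the registrable domain instead of consulting the Public Suffix List.

```python
# Assumed official namespaces (illustrative, not an authoritative list).
OFFICIAL = ("bund.de", "gov.de")

# Constructed sample, as an inventory from CT logs or DNS might yield.
OBSERVED = [
    "www.bund.de",
    "portal.gov.de",
    "service.bund.ee",
    "bund.de.example.net",
    "corona-hilfe.example",
]


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(host: str) -> str:
    host = host.lower().rstrip(".")
    # Inside the official namespace: the suffix match is the whole check.
    if any(host == s or host.endswith("." + s) for s in OFFICIAL):
        return "official"
    # Official name used as a prefix label of a foreign domain.
    if any(f".{s}." in f".{host}." for s in OFFICIAL):
        return "embeds-official-name"
    # Registrable domain one edit away from an official one (e.g. other TLD).
    registrable = ".".join(host.split(".")[-2:])
    if any(edit_distance(registrable, s) <= 1 for s in OFFICIAL):
        return "lookalike"
    # Everything else cannot be judged from the name alone.
    return "unverified"


def report(hosts):
    return {h: classify(h) for h in hosts}


if __name__ == "__main__":
    for host, verdict in report(OBSERVED).items():
        print(f"{verdict:22} {host}")
```

The "unverified" bucket is the point: a project domain outside the official namespace looks the same to this check as an imitation does.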
The Germany Stack is supposed to be the central digitization project for administration and business according to the federal government. A unified infrastructure, interoperable, sovereign, future-proof. What netzpolitik.org reveals, however, shows the opposite: a non-transparent process, non-binding criteria, and political haste that mainly benefits large tech providers.
The Federal Ministry for Digital and State Modernization is focusing on speed – but at the cost of diluted content. Digital sovereignty is not clearly defined but becomes a stretchable buzzword. Open source, which is in fact given priority by law, appears at best on the sidelines.
The consultation process is symptomatic: Statements are public, central workshops take place behind closed doors. Who was invited, what was discussed, what conclusions were drawn – remains unclear. The temporary omission of civil society as a target group is not a mistake but a political signal.
Particularly critical are the criteria themselves. They are deliberately formulated to be free of consequences. Even if solutions fail to meet central requirements for interoperability or sovereignty, nothing follows from it. There are no exclusion mechanisms, no red lines. The criteria catalog describes states but enforces nothing.
The definition of digital sovereignty is almost arbitrary: Influence on data locations counts for 20 percent, community participation for 40 percent, a provider change is considered sufficient if it is “possible with manageable effort.” This completely empties the term.
Additionally, existing law is being ignored. The E-Government Act obliges federal authorities to prioritize the procurement of open source. Nevertheless, tenders continue to be formulated that are effectively tailored to hyperscalers. The Germany Stack institutionalizes this practice – instead of correcting it.
🔗 https://netzpolitik.org/2025/deutschland-stack-open-source-vor-verschlossenen-tueren/
The new study by next:public, published at egovernment.de, delivers no surprise – but a ruthless quantification.
65% of administrations see themselves as heavily or very heavily dependent on non-European IT providers, with municipalities at 70%. Particularly affected: office software, operating systems, and collaboration tools. Exactly the level where daily administrative work takes place.
The lock-in is deep. More than half of the respondents rate a change of provider, even to European solutions, as inflexible. More than 40% cannot even independently adapt a quarter of their specialized procedures. This is not digital sovereignty but structural external control due to previous architectural decisions.
Particularly relevant is the view on the Cloud: Two-thirds of applications still run on-premises. The much-cited cloud transformation is therefore yet to come. This is precisely where the strategic crossroads lie. Without political guidelines, existing dependencies will not be reduced but translated into license agreements.
The study names clear prerequisites: strong public IT service providers, genuine consideration of European cloud offerings, binding procurement strategies. The problem is not a lack of knowledge – but a lack of will.
The Federal Office for Information Security (BSI) reports progress on the Cyber Resilience Act (CRA) and refers to a new CRA dashboard. Around 20 employees are actively working in European standardization bodies, the schedule is ambitious, and the work is progressing well.
The dashboard creates transparency – and that is good. But transparency is not the same as shaping power. In the CRA, it is not the legal text that decides, but the standards. They define what “Security by Design” practically means and what requirements actually apply.
Standardization has been a playing field for large industry players for years. Global platform providers have resources, personnel, and strategic experience – and a clear interest in formulating requirements in such a way that existing business models are changed as little as possible.
The often-invoked “broad consensus” is ambivalent. Consensus often ends at the lowest common denominator. For the CRA, that would be fatal. Security requirements that orient themselves to the status quo legitimize risks instead of reducing them.
Additionally, there is the question of open source. Although the CRA provides exceptions, whether these are implemented in a practicable way in the standards is being decided now. Without a clear political guideline, open source risks being overwhelmed by regulation – with massive consequences for European digital infrastructure.
🔗 https://www.linkedin.com/posts/bsibund_cradashboardzeitstrahl-ugcPost-7411768057976729600-QNLO/
The LinkedIn post by Sebastian Barros does not describe a vision but an industrial policy decision. With a Presidential Memorandum, the US government orders state-controlled radio frequencies to be made available for 6G early – years earlier than in the 5G cycle.
The lesson from 5G is clear: China acted early, bundled frequencies, coordinated industry and standards. The USA reacted too late. This should not be repeated for 6G. Frequency policy, semiconductors, cloud, devices, standards, and network operators are synchronized.
Barros describes eight building blocks of this power structure – from Nvidia in AI-RAN, via AWS, Azure, and Google in network operations, to the dominant role of the USA in 3GPP. 6G is treated as critical infrastructure, not as consumer technology.
Europe, on the other hand, remains fragmented. No cloud strategy, no clear position on open network architectures, no coordinated power policy. Those who set standards early determine dependencies for decades. The USA acts accordingly. Europe manages.