Bundeswehr & Google Cloud: Why This Is a Security Policy Risk
Katrin Peter, 4 min read


A Technical Project That Raises Political Questions

The announcement initially sounded straightforward: The Bundeswehr will build its private cloud infrastructure with the support of Google. Specifically, BWI GmbH – the IT service provider of the Bundeswehr – has signed a framework agreement with “Google Cloud Public Sector – Germany GmbH” to set up two isolated cloud instances. The term Google itself uses: Air-Gapped Cloud.

At first glance, this seems like a pragmatic solution: data centers operated in-house, physical separation from the public internet, and supposedly complete data control by the Bundeswehr.

On closer inspection, however, this decision clearly contradicts what we understand as digital sovereignty.


The CLOUD Act: Technically Isolated, Legally Open

A crucial point is consistently omitted in official communications: The use of US technology is subject to US law – even in German data centers.

The so-called CLOUD Act (Clarifying Lawful Overseas Use of Data Act) allows US authorities to access data, even if it is stored outside the USA, as long as the responsible company is headquartered in the USA – as is the case with Google.

This means:

  • The location of the data (e.g., in a military data center) is irrelevant.
  • It suffices that Google supplies software, updates, or remote support, or has operational control over parts of the solution.
  • Access can – theoretically – occur without the consent of the German government.

In short: From a security perspective, the air-gap architecture offers little if the software is not entirely under European control.


The Real Question: Who Controls Our Security-Critical Infrastructure?

This is not about a simple cloud solution for office workloads. The so-called “pCloudBw” (private cloud of the Bundeswehr) is intended to process business-critical applications, SAP systems, and operational data of the German armed forces. Choosing a US corporation for this infrastructure is highly problematic from a technical – and especially from a security policy – perspective.

Even if Google contractually commits not to access the data, the legal reality remains: US laws like the CLOUD Act or FISA (Foreign Intelligence Surveillance Act) have extraterritorial effects. A company like Google cannot escape these laws – even if it wanted to.

Therefore, the decision is not merely a technical detail but a strategic loss of control over central digital resources of the Bundeswehr.


Digital Sovereignty Begins with Architecture – Not Labels

Decision-makers repeatedly emphasize that digital sovereignty is an important goal. Yet we witness decisions that are diametrically opposed to it. Those who rely on US infrastructure cannot guarantee full control – not even with an air gap, custom contracts, or regional subsidiaries.

Sovereignty means:

  • Control over the source code, not just the deployment.
  • Control over updates, maintenance, operational processes – without external obligations.
  • Protection from legal-political access by third parties – even through indirect channels.

The chosen model does not fully provide this.


Why European Alternatives Are Crucial

It is no secret that finding European providers at this level is difficult. But this is not a law of nature – it is the result of too little political will, hesitant support, and lack of strategic prioritization.

Instead of planning billion-dollar defense projects over decades, it would be appropriate to invest specifically in European cloud infrastructure that:

  • uses open source as a foundation,
  • is under European legal oversight,
  • is fully operator-secure,
  • and allows the scaling necessary for authorities and defense.

With projects like Sovereign Cloud Stack, Gaia-X, and federated operational models, there are already approaches that meet these criteria – but they need political priority.


Conclusion: This Was a Mistake – With Advance Warning

The decision to build security-critical cloud components of the Bundeswehr based on Google technology was not naive. It was negligent, because the risks have been known for years – and were not eliminated, only packaged differently in the communication.

Air-Gapped does not mean: legally shielded.

Private Cloud does not mean: sovereign.

US provider means, in case of doubt: not under German control.

If we seriously talk about digital sovereignty, we must also be prepared to demand technological independence – and enforce it. Anything else is labeling without substance.
