Digital Security in a Foreign Jurisdiction: Why the BSI Portal on AWS Is a Political Mistake
Katrin Peter, 4 min read


A portal for more security – on an insecure foundation?

With the launch of the central BSI portal for NIS2 reports, the Federal Office for Information Security (BSI) is pursuing an important goal: more overview, faster reactions, and a clear point of contact for operators of critical infrastructure. A “one-stop shop” for cybersecurity is to be created – and that is fundamentally to be welcomed.

But what sounds like progress at first glance raises serious questions upon closer inspection. Because: the new portal runs, of all things, on the cloud infrastructure of Amazon Web Services (AWS) – a US hyperscaler that is not subject to the European legal framework. What sounds like a technical detail is in truth a strategic and political decision with far-reaching consequences.

Between Aspiration and Reality: European Sovereignty Falls by the Wayside

In political speeches, Europe’s digital sovereignty is regularly invoked. The NIS2 directive itself calls for more resilience, reduced dependencies, and a strengthened risk awareness. But with the choice of AWS as an infrastructure partner for the centerpiece of the German cybersecurity strategy, the BSI visibly and symbolically counteracts these goals.

Digital sovereignty means retaining control over one’s own IT infrastructure, data processing, and dependencies. This is not compatible with operating sensitive state platforms on an infrastructure that:

  • is subject to the US CLOUD Act (with potential access by third parties to data),
  • uses a proprietary architecture that promotes a clear vendor lock-in,
  • as part of a global corporation, does not allow strategic control by European institutions.

The BSI – the very agency that should stand for security, trust, and resilience in the digital space – sends a fatal signal with this decision: security is confused with functionality, and sovereignty with convenience.

There Would Be Alternatives. Strong Ones.

That the BSI chose AWS is not a necessity – but a conscious choice against European alternatives that have long been available:

Some examples of European cloud providers:

  • IONOS Cloud (Germany): GDPR compliant, ISO certified, OpenStack-based
  • OVHcloud (France/EU): SecNumCloud certified, Gaia-X member
  • Open Telekom Cloud (Germany/Europe): Operated by Deutsche Telekom, open source technology
  • CLOUD&HEAT (Germany): Sustainable data centers, focus on security and digital sovereignty

Furthermore, with Gaia-X, a European initiative was launched specifically to address such use cases: interoperable, transparent, federated, European-controlled.

That these options played no role for the BSI shows: political will and strategic implementation are – once again – diverging in Germany.

The Consequences: Signal Effect, Loss of Trust, Strategic Weakness

  1. Power Shift Through Infrastructure: Whoever controls the infrastructure also controls the flow of information. If security-relevant reports from energy, administration, health, or transport are aggregated on a platform running on US infrastructure, then part of the control over their availability, performance, and access also shifts.
  2. Dependency Despite Risk Awareness: In almost every risk analysis, cloud dependencies appear as a strategic risk – especially in single-vendor scenarios. Nevertheless, the top German cybersecurity agency chooses exactly this model. This not only weakens the credibility of its own recommendations but also makes it harder to make the case to companies that are being urged to restructure their IT.
  3. Endangering the European Cloud Economy: Public demand is a crucial lever to strengthen European providers. If the state, of all entities, is not willing to set an example for European solutions with its most sensitive applications, how can private-sector companies be expected to follow?

Responsibility Begins with Setting an Example

BSI President Claudia Plattner emphasizes that the BSI “cannot save the whole republic.” This is correct. But the BSI can set standards. It can make priorities visible. And it can build trust – or gamble it away.

A one-stop shop for cybersecurity on AWS is not progress. It is a step backward in the fight for digital independence. Building a resilient European IT infrastructure needs role models. The BSI could have been one. Instead, the impression remains: anyone who preaches sovereignty should also practice it.

Conclusion: Europe Needs Digital Backbone Building – Not Just Regulation

NIS2 is a step in the right direction. But regulation alone is not enough. Anyone who wants to reduce digital dependencies must first avoid them themselves. Especially where the state should lead the way, there must be no room for half-hearted decisions. It’s not about technology. It’s about strategy. About trust. And ultimately about the question: who owns Europe’s digital future?
