Toxic Tech Dependency:

Why Germany’s Digital Sovereignty Has Become a Security Issue

Digital sovereignty is no longer just an industrial policy buzzword. It is a matter of state resilience. Relying on technologies from a few US corporations for central administrative processes, police work, military systems, and communication infrastructures creates a strategic dependency that becomes a risk under changing geopolitical conditions.

This is the situation.

US clouds dominate the European market. Microsoft, Amazon, and Google structure the digital basic services of authorities and companies. Analysis platforms like Palantir are operational reality in several federal states. Meanwhile, the political tone from Washington is intensifying. The Trump administration openly attacks European regulation, targets the Digital Services Act, and asserts influence over the EU. Tech CEOs demonstratively seek proximity to power.

In this context, dependency is not neutral. It is vulnerable.

The CLOUD Act allows US authorities to access data stored by US companies, regardless of server location. “Sovereign Cloud” offerings from European data centers do not change the structural problem as long as the parent company, core software, and update authority are outside Europe. Those who do not determine the codebase, supply chain, and ultimate legal control do not control their system.

This is not a theoretical debate. IT security researchers have been warning for years: If major US cloud services were to fail in the short term, administration and the economy in the EU would be incapacitated within days. Digital infrastructure is not a luxury. It is a prerequisite for state functionality.

There are counter-movements. Schleswig-Holstein is migrating tens of thousands of mailboxes from Microsoft Exchange to Open-Xchange, switching comprehensively to LibreOffice, and planning a move to Linux. The motive is political and economic: reduce dependencies, save on licensing costs, regain control. The Center for Digital Sovereignty (ZenDiS) is developing openDesk, a state-supported office and collaboration suite based on open source. Thuringia is also building its own administrative cloud.

These steps are concrete. They show: Sovereignty is achievable when there is political will.

Yet at the same time, procurement practices counteract the goal. Bavaria plans multi-billion euro contracts with Microsoft. Authorities speak of “strategic partnerships” while effectively cementing vendor lock-in. Studies on digital sovereignty show a clear discrepancy between aspiration and reality: Politically, European technology is demanded, but operationally, US providers continue to dominate.

The situation becomes particularly precarious in the security sector. Several federal states rely on Palantir software for police analysis. The company is deeply rooted in the US security apparatus, works with intelligence agencies and the military, and positions itself politically clearly. When proprietary big data platforms of a US company become the central analysis instance of German security authorities, a double dependency arises: technical and political.

The risks are structural. Proprietary systems create opacity. They hinder independent security audits. They tie know-how to external providers. They make exit strategies expensive and complex. And they shift decision-making power over updates, developments, and integrations to other legal jurisdictions.

The Bundeswehr faces similar challenges. Modern armed forces are software-defined. Supply chains are global, components are nested, dependencies often opaque. Every foreign component is a potential entry point. Those who do not have a complete overview of origin, maintenance, and control operate with blind spots. That partnerships with US cloud providers are being formed while digital sovereignty is politically invoked shows strategic inconsistency.

Other countries are reacting more cautiously. In Switzerland, expert reports advise against Palantir in the military context and point to European alternatives or in-house developments. The reasoning: data sovereignty, independence, reliance on external specialist personnel. These are not ideological arguments but security policy ones.

Digital sovereignty does not arise from declarations of intent in coalition agreements. It arises from clear procurement priorities. Open standards must become mandatory. Open Source should be the default in the public sector, not the exception. European providers need structural support instead of symbolic pilot projects. And every strategic IT decision must include an exit strategy.

Sovereignty does not mean autarky. Europe will remain globally connected. But it means control over core infrastructures, transparency over code and supply chains, and legal independence in crisis scenarios. Those who fully externalize digital key technologies also externalize their scope for action.

The question is not whether US technology is powerful. It is. The question is whether democratic states can afford to link their functionality to external power centers whose political agenda they do not control.

Schleswig-Holstein shows that migration is possible. ZenDiS shows that state coordination can bring about alternatives. The technical hurdle is surmountable. Political complacency is the real problem.

Digital sovereignty is not a luxury project. It is the prerequisite for European democracies to set their own rules—and enforce them when necessary.