Digital sovereignty? Unfortunately (still) wishful thinking
Sounds strong, but it's still a long way off: digital sovereignty for Germany - in other words, full control over its own data, technologies and systems without dependence on US giants such as Google, Microsoft or OpenAI. However, according to BSI President Claudia Plattner, this is currently "unattainable".
The reason: Germany is still heavily dependent on non-European providers when it comes to cloud solutions, artificial intelligence, operating systems and infrastructure. The USA in particular is ten years ahead of us in key areas - thanks to early investment, market dominance and a head start in terms of expertise.
Cloud giants control the infrastructure
As a result, even central areas of administration - from health data and traffic control to internal IT systems - run on infrastructure that is subject to US laws such as the CLOUD Act. US authorities can therefore access data without involving a German court, even if it is physically located in Europe.
Example: The controversial cooperation between the BSI and Google Cloud, which involves secure cloud solutions for German authorities. The aim is "data sovereignty" - but how sovereign can a system be if a foreign company is subject to a foreign legal system?
Criticism has come from the German Informatics Society, among others, which warns of the potential for blackmail by the US government. The reason: "According to US law, Google cannot offer a fully sovereign service."
Security only with control
BSI boss Plattner is therefore calling for clear technical control mechanisms. The point is not only to prevent data from flowing out unnoticed, but also to ensure that no one can switch off systems such as clouds, solar power systems or entire vehicle fleets from outside.
In technical terms, this means encryption, access control and key sovereignty. Political agreements are not enough - security must be anchored in the technology itself.
A glimmer of hope: Ionos, a German cloud provider, is currently building a "private enterprise cloud" for the federal administration - strictly separated from the public internet and certified by the BSI. A step in the right direction, but only a first step.
And what about artificial intelligence?
The same problem is evident here too: systems such as ChatGPT or Gemini dominate the market - but control does not lie in Europe. Although EU-wide rules for safe AI have been in force since August 2, it is still unclear who is actually responsible in Germany.
The BSI wants this role - and rightly so: security gaps, manipulations (such as prompt injections) or abusive applications must not become a ticking time bomb. However, as long as clear structures, responsibilities and investments are lacking, AI security will remain an unfinished construction site.
Not sovereign, but susceptible to blackmail
Instead of being sovereign, we are dependent. Instead of leading, we are lagging behind. While we are debating, others are already building the infrastructure of tomorrow - and holding the keys.
Data sovereignty must not be a PR term, but must become a binding legal and technical standard. Cooperation with US corporations? Yes, if there is no other way. But please not without an emergency brake and control option.
Because those who only "use" cloud & AI without understanding and securing them are making themselves vulnerable to blackmail. And that's not a technical issue - it's a security policy risk.




