Recently, the issue of digital sovereignty has once again come into focus, triggered by two news stories from Denmark and Germany.
The Danish Ministry for Digitalization plans to eliminate Microsoft products in favor of open-source software , while the German Bundeswehr is relying on Google Cloud with an “air-gap” solution and plans to establish two physically separate cloud instances in its own data centers by 2027.
In the video, you will get an overview of both news stories.
Watch the video
In this blog, we have compiled the summaries of both developments along with a few related questions.
After reading, you might gain a better understanding of the topic and see why digital sovereignty is so important for the European Union.
Denmark Exits Microsoft
According to a report by Politiken, the Danish Minister for Digitalization, Caroline Stage Olsen, is gradually phasing out the use of Microsoft in her ministry and plans to replace it with open-source programs. (Source: Original article)
The open-source solutions to be implemented—specifically the Linux operating system and the LibreOffice office suite—are intended to replace Microsoft Windows and Office 365.
By the end of this summer, about half of the ministry's employees are expected to have switched to the new system. Internal preparations are already underway, and staff are being trained and introduced to the new software.
As early as April, Olsen warned that continued dependence on U.S.-based digital tools posed a strategic risk.
“There is a risk that a third country could cut off access,” she said, calling on the EU to create the framework for building a European digital infrastructure.
Germany Embraces Google Cloud
According to information published by the Bundeswehr, the IT service provider of the German Armed Forces (Bundeswehr), BWI, is relying on Google Cloud with an “air-gap” solution and plans to set up two physically separate cloud instances in its own data centers by 2027. The goal is to ensure secure control of sensitive data in the so-called “private cloud of the Bundeswehr” (pCloudBw). (Source: Original article)
This move stems from the decision to run business-critical applications using the “Business Technology Platform” (BTP) from SAP SE in a private deployment. According to BWI, the collaboration with Google Cloud and SAP provides an isolated and secure environment to support logistical and administrative IT processes. With this step, the Bundeswehr continues its “cloud-first” strategy, where future applications are to be primarily cloud-based but remain fully controlled and hosted within its own infrastructure.
However, IT experts criticize this approach for creating digital dependency on the U.S. and question the security of the concept. (Source: Original article)
Criticisms and Key Arguments Against the Bundeswehr’s Google Cloud “Air-Gap” Solution
Lack of Digital Sovereignty
Although providers like Google and Microsoft increasingly promise more European oversight, true sovereignty remains limited when using non-European cloud solutions.
Recent incidents, such as Microsoft suspending an email account of the International Criminal Court, have heightened concerns about digital dependence.
Dependence on U.S. Tech Companies
The Bundeswehr entrusts critical data to a U.S. provider, creating strong dependency in its digital infrastructure.
IT and security experts express alarm and criticize the lack of an exit strategy.
Despite the “air-gap,” updates and patches still depend on Google, and software control remains with them.
Limited Effectiveness of the Air-Gap Concept
The air-gap is criticized as a false sense of security: though physically isolated, code and updates remain in Google's hands.
There is no independent code auditing and no protection at the firmware, BIOS, or hypervisor levels.
Hidden remote access may still be possible despite the air-gap.
Ultimately, control of the cloud remains with Google, which hinders digital sovereignty.
Lack of Open-Source Transparency
Google Cloud is proprietary and not open-source, making independent audits impossible.
A proprietary software stack creates 100% dependency on the provider, making it nearly impossible to switch vendors.
Legal Risks
As a U.S.-based company, Google is subject to the U.S. Cloud Act, which allows U.S. authorities access to data or control over software updates.
This poses significant political and legal risks to the Bundeswehr's digital security.
Lack of Transparency and Trust
Experts call for a clear exit strategy, continuous evaluation of open-source alternatives, and public disclosure of risk assessments.
Currently, there is a lack of transparency toward the parliament and the public.
Summary of Expert Opinions
Security experts and industry representatives describe the decision as a serious mistake. Nextcloud’s CEO Frank Karlitschek warns of the irreversible dependence once Google Cloud APIs are integrated. The decision contradicts the current trend toward digital sovereignty in Europe.
If you found this post helpful, feel free to share it with your colleagues.
FAQ
Digital sovereignty refers to the ability of a state or region to independently control its digital infrastructure, data, and technologies.
It’s about ensuring decision-making power, data protection, security, and technological development in the digital realm without foreign influence or dependency.
Put simply, digital sovereignty means remaining independent and self-determined in the digital world, protecting national cybersecurity and data ownership, and avoiding excessive reliance on foreign technologies or services to safeguard national security, economic interests, and citizens' privacy.
Digital sovereignty means the European Union’s ability to independently control and shape its digital infrastructure, data, and technologies.
For the EU, digital sovereignty is crucial in order to protect the privacy and security of its citizens, promote economic independence, and guard against dependencies on non-European technology providers—especially from the United States and China.
It also includes the development and promotion of its own technologies and digital standards, the support of open-source solutions, as well as ensuring that European companies and public institutions retain sovereignty over their data.
This is intended to strengthen the EU’s competitiveness, minimize strategic risks, and maintain control over critical digital infrastructures.
In short, digital sovereignty stands for preserving self-determination, security, and economic strength in the digital age.
Open-source software is software whose source code is publicly accessible. Anyone can view, use, modify, and distribute it.
Closed-source software has source code that is not publicly accessible. Only the developing company has access and controls its development and distribution.
| Feature | Open Source | Closed Source |
|---|---|---|
| Source Code Visibility | Yes, publicly accessible | No, only accessible to the developer/company |
| Usage Costs | Usually free or low fees | License fees or subscriptions required |
| Customizability | High – source code can be modified | Low – users can hardly modify the software |
| Security & Transparency | Higher – flaws and vulnerabilities are openly visible | Less transparent – users must trust the vendor |
| Support | Community-based or via third-party providers | Official support from the vendor |
| Vendor Lock-in | Low – users remain independent | High – users are tied to the vendor |
Linux is a free, open-source operating system that serves as an alternative to Microsoft Windows.
It is especially popular in the server world, among developers, and increasingly in public administrations.
There are many variants (so-called distributions), such as Ubuntu, Debian, or Fedora.
LibreOffice is a free and open office software suite that includes programs for word processing, spreadsheets, presentations, etc.—comparable to Microsoft Office (Word, Excel, PowerPoint).
Main advantages: free of charge, open-source, privacy-friendly.
Digital Sovereignty
- The government wants to avoid dependency on U.S. tech corporations
- Control over software and data remains in Danish hands
More Transparency and Security
- The source code is open—experts can review it
- Less risk of "backdoors" or hidden data sharing
Lower Costs
- No license fees for operating systems or office packages
- Savings can be invested in IT personnel or local solutions
Support for the Local IT Sector
- Open software allows local companies to make adaptations
- Knowledge remains in the country instead of being paid to large corporations
When a country—particularly its ministries or critical infrastructure—relies heavily on proprietary software or cloud services from third countries, a major risk emerges:
A third state could restrict or cut off access for political, economic, or security reasons.
Specific risks at a glance:
1. Dependence on Third-Country Politics
If a U.S. company, for example, provides digital services, it could be forced by laws like the U.S. CLOUD Act or export restrictions to shut down services—even against the will of the user.
-> Authorities might suddenly lose access to their systems or data.
2. Access to Sensitive Data
Third countries may legally require companies to hand over user data, communication content, or metadata—even if servers are located in Europe.
3. Geopolitically Motivated Service Interruptions
In crisis situations or political conflicts, providers from third countries could unilaterally terminate services—e.g., revoke software licenses, block cloud accounts, or stop technical support.
Examples of this have occurred with Western providers in Russia or Iran.
4. Lack of Technical Control
With closed-source software, there’s no way to inspect or further develop the source code. If access is blocked, authorities cannot maintain or migrate the systems independently.
The so-called “Air-Gap” solution from Google Cloud refers to a cloud infrastructure that is physically isolated and completely disconnected from the public internet and other networks. It is primarily aimed at customers with the highest security requirements, such as the military, government agencies, or intelligence services.
Core Features of the Google Cloud Air-Gap Solution:
Physical Separation
*Servers are not operated in Google’s global data centers, but directly in the customer’s own data centers (e.g., the German Bundeswehr)
- No direct connection to the public Google Cloud or the internet
Dedicated Hardware and Network Architecture
- Use of dedicated hardware and closed networks not shared with other customers
- No shared infrastructure, no multi-tenant model
Controlled Update Process
- All software updates, security patches, and new features must be manually approved by the customer
- Google cannot install anything automatically – everything follows a defined and verifiable process
Local Access Only
- Access is only possible within the customer’s secured internal network
- No remote access, no cloud connection – all data remains local
Update Dependency:
- All updates and patches still come exclusively from Google
- The customer has no control over the source code and cannot make independent changes
Not Open Source:
- Google Cloud is not open-source software
- There is no independent code review by external parties
U.S. Legal Risks:
- As a U.S. company, Google is subject to the CLOUD Act
- In critical situations, the U.S. government could demand access or prohibit updates (e.g., under a president like Trump)
Air-Gap Doesn't Fully Protect:
- Security researchers point out that an air gap does not protect against hidden access at the firmware, BIOS, or hypervisor level
- Remote access through “out-of-band” channels remains possible