Many German government offices rely heavily on software from US firms, creating a risk that US authorities could gain access to documents held by state and federal agencies. Critics point to the US CLOUD Act of 2018, which lets US law enforcement compel data held by US companies — and can reach information stored abroad if servers are owned or controlled by US entities.
Advocates for data protection say the exposure is serious. The German Center for Digital Sovereignty in Public Administration (ZenDiS) was set up to lessen that dependence and develop alternatives to services from US companies like Microsoft. “Any data stored in US databases can potentially be exposed,” said ZenDiS spokesperson Lutz Niemeyer, arguing that public institutions have a responsibility to keep citizens’ sensitive information secure.
An illustrative example came from the International Criminal Court: French judge Nicolas Guillou and colleagues were added to a US sanctions list after the ICC issued an arrest warrant for Israel’s prime minister. Guillou says accounts with US providers such as Amazon and PayPal were closed and he could not book hotels through Booking.com, whose US parent company severed ties with those sanctioned.
ZenDiS also warns of more subtle ways pressure could be applied. If US companies were compelled to stop delivering crucial software — including security updates — state operations from municipal offices to central ministries could be disrupted quickly.
ZenDiS’s practical response is openDesk, an open-source office suite tailored for the public sector with a focus on digital sovereignty, security and collaboration. Instead of reinventing every component, a 40-person team assessed German and European offerings and packaged them into one interoperable solution. “We link individual products and integrate them,” said ZenDiS managing director Pamela Krosta-Hartl.
Founded in 2022 with €16 million in seed funding from the federal government, ZenDiS reports it has sold 160,000 openDesk licenses and generated more than €18 million in revenue last year, roughly half of which came from license sales.
Demand for non-US cloud and software extends beyond government. Private firms, notably in finance, are also looking at alternatives. ZenDiS plans a partner program to distribute its solutions to businesses, though as a public entity it may only earn up to 20% of income from private customers. Most clients so far are state and federal agencies, but Krosta-Hartl says companies abroad have shown interest; recent talks included a Spanish telecom operator.
At the same time, corporate arrangements with US tech companies persist and raise questions. Germany’s largest electricity producer, RWE, struck a deal with Amazon that allows Amazon to buy power from RWE while RWE places data in Amazon’s cloud and uses Amazon’s AI tools. Krosta-Hartl said ZenDiS does not pass judgment on private commercial choices but cautioned that reliance on US cloud providers carries political and operational risks. “Today we can see that risk is very real,” she said, adding that digital sovereignty should be part of corporate risk assessments.
This article was originally published in German on March 18.