It’s not only German authorities who have access to documents created by government agencies at state and federal level — US authorities potentially do too, because many German agencies predominantly use software from US-based providers.
Data protection advocates in Germany warn the country is dangerously exposed under the US CLOUD Act, passed in 2018, which allows US authorities to compel access to data stored in US facilities. That reach can extend to data held in other countries if servers are owned by US companies or their subsidiaries.
ZenDiS, the German Center for Digital Sovereignty in Public Administration, aims to cut dependence on US tech firms such as Microsoft and is developing digital alternatives. “All data stored in US databases is potentially at risk,” said Lutz Niemeyer, ZenDiS spokesperson. The state, he added, has “a duty to ensure that crucial data entrusted to it by its citizens is kept secure.”
The case of Nicolas Guillou, a French judge at the International Criminal Court in The Hague, illustrates potential consequences. Guillou and other ICC judges and prosecutors were added to a US sanctions list after the court issued an arrest warrant for Israeli Prime Minister Benjamin Netanyahu over alleged war crimes in Gaza. Guillou said accounts with US firms such as Amazon and PayPal were closed, and he was unable to make hotel bookings via Booking.com, whose US parent company cut ties with those sanctioned.
Niemeyer warned the US could also pressure governments by directing tech companies to stop providing software updates — especially security updates — which would quickly impair state functions from local administrations to the chancellery.
ZenDiS’s response is openDesk, an open-source, all-in-one office suite for the public sector that emphasizes digital sovereignty, security and collaboration. Rather than building everything from scratch, a 40-strong ZenDiS team evaluated German and European products and bundled them into a single interoperable package. “We connect the various individual solutions and integrate them,” said ZenDiS Managing Director Pamela Krosta-Hartl.
Founded in 2022 with €16 million in seed funding from the federal government, ZenDiS has sold 160,000 openDesk licenses and reported turnover of over €18 million last year, about half from license sales.
Interest in reducing dependence on US cloud and software is not limited to the public sector. Private companies, especially in financial services, are exploring alternatives. ZenDiS is preparing a distribution partner program to offer its solutions to the private sector, though as a government entity it may only derive up to 20% of income from private customers. ZenDiS’s clients mainly include state and federal agencies, but Krosta-Hartl said firms from other countries have shown interest, and recent talks included a Spanish telecom company.
Despite moves toward digital sovereignty, some corporate deals raise concerns. Germany’s biggest electricity producer RWE recently reached an agreement with Amazon enabling Amazon to buy electricity from RWE while RWE would store data in Amazon’s cloud and use Amazon AI services. Krosta-Hartl said ZenDiS does not judge private partnerships, but warned of significant risks in relying on US cloud services, including the potential for political leverage. “We can see today that this danger is very real,” she said, pointing to political leaders leveraging ties to the tech industry. For Krosta-Hartl, digital sovereignty must be a core component of corporate risk assessments.
This article was originally published in German on March 18.