Summary
The Center for Digital Sovereignty of Public Administration (ZenDiS) published a catalog of criteria in March 2026 for the measurable assessment of digital sovereignty. An open consultation process through May 2026 enabled feedback from civil society, administration, research, and business. The catalog aims to counter the problem of "sovereignty washing" – the marketing of cloud services as sovereign, even though the legal jurisdiction of the provider, not the server location, determines data access.
People
- (No individuals with direct responsibility mentioned by name)
Topics
- Digital sovereignty
- Vendor lock-in
- Cloud infrastructure
- Public administration in Germany
- Data security
Clarus Lead
German public administration is heavily dependent on individual software providers: 87 percent of municipalities report partial or complete dependence. The incident in May 2025, when Microsoft blocked the email account of the ICC Chief Prosecutor, revealed this structural vulnerability in practice. The ZenDiS model addresses an acute governance gap – while hyperscalers imply data protection by pointing to EU data centers, it is the US legal jurisdiction of the corporations that actually determines foreign access to data. The catalog of criteria aims to distinguish marketing rhetoric from genuine sovereignty guarantees.
Detailed Summary
IT infrastructure in German-speaking public administrations exhibits a dangerous concentration: a 2019 PwC market analysis documented that federal authorities rely almost exclusively on Microsoft products for operating systems and office software. A 2020 municipal survey showed that 87 percent of surveyed municipalities describe themselves as wholly or partly dependent on individual providers – not a niche problem, but a structural vulnerability.
The practical damage of this dependence became tangible in May 2025, when Microsoft blocked the email account of the Chief Prosecutor of the International Criminal Court (ICC), Karim Khan, without apparent substantive justification. In parallel, international tech corporations (hyperscalers) strategically use the term "digital sovereignty" for marketing purposes: they present EU data centers or confidential cloud offerings as proof of sovereignty, but conceal a central criterion – that the legal jurisdiction of the company, not the server location, determines possible data access by foreign authorities. This leads to the phenomenon of "sovereignty washing" (see heise article "Under Scrutiny: Sovereignty Washing").
In response, ZenDiS published a discussion paper in March 2026 with concrete measurement criteria for genuine digital sovereignty. From March through May 15, 2026, an open consultation process via the open-source platform openCode enabled civil society, administration, research, and business to comment on and improve the proposed criteria. The criteria are thus being developed in a participatory process.
Key Statements
- Structural Dependence: 87% of surveyed German municipalities describe themselves as wholly or partly dependent on individual providers, and federal authorities rely almost exclusively on Microsoft products
- Legal Protection Gap: Data center location ≠ data protection; the company's legal jurisdiction determines data access by authorities
- Measurement Criteria Instead of Marketing: The ZenDiS catalog aims to make "sovereignty washing" more transparent and to distinguish genuine from claimed sovereignty
Critical Questions
Which indicators does the ZenDiS criteria catalog specifically define to make legal jurisdiction and data sovereignty measurable – and will these be applied retroactively to existing cloud contracts?
Binding Force: Do ZenDiS recommendations have binding consequences for authorities and municipalities, or are they non-binding orientation criteria?
Counter Position: How do hyperscalers (Microsoft, Google, AWS) respond to the sovereignty measurement logic – do they threaten countermeasures or market withdrawal from Germany?
Implementation Costs: What financial and operational hurdles arise when switching from US providers to European or open-source alternatives for smaller municipalities?
Data Portability: Does the catalog also regulate practical exit scenarios – i.e., data transfer and system migration at contract end?
European Harmonization: Is the ZenDiS model coordinated with similar initiatives in France, Switzerland, or EU institutions, or are fragmented standards emerging?
Sources
Primary Source: ZenDiS Makes Digital Sovereignty Measurable with Criteria Catalog – heise.de, 2026
Supplementary Sources (mentioned in text):
- PwC Strategy – Market analysis on IT infrastructure of German federal authorities (2019)
- Municipal Joint Office for Administrative Management – Survey on vendor lock-in in municipalities (2020)
- Heise article: "Under Scrutiny: Sovereignty Washing"
- openCode platform of ZenDiS (open-source consultation portal)
Verification Status: ✓ May 2026
This text was created with the support of an AI model. Editorial responsibility: clarus.news | Fact-checking: May 2026