Hürth, a slot car track and the questions that actually matter
Last week, weSystems attended the TechRiders Festival in Hürth as a sponsor and exhibitor. Two days, glorious sunshine, a slot car racing track, a team in motorsport polo shirts and conversations that will stay with us for a long time.
Not because we had the fastest cars. But because the people who stopped by our booth asked exactly the right questions. Questions you rarely hear in a sales meeting, yet every company should be asking when thinking about the future of their IT.
One of them keeps coming back: “How sovereign are we really, when we move our infrastructure to the cloud?”
It is the most honest question you can ask. And it deserves an honest answer.
What "digital sovereignty" actually means
The term is everywhere. Digital sovereignty. Data sovereignty. Technological independence. Every vendor, every consultancy, every government body uses it and means something slightly different by it.
At its core, it comes down to one question: Who controls my data, my processes and my infrastructure, and who could theoretically take that control away?
Digital sovereignty does not mean avoiding the cloud. It means making conscious decisions about which data lives where, under which legal framework, with which access controls, and whether those decisions can be reversed at any time. That sounds obvious. But it is not. In practice, many companies lose exactly this control, not through an attack, but through unconsidered choices when selecting their IT partners.
"Our servers are in Frankfurt." A statement that misleads.
We hear this sentence regularly. And we hear it most often from software companies that want to signal sovereignty to their customers. When pressed, it turns out the application runs on AWS. The Frankfurt location is real. The legal framework underneath it is not.
This is not a coincidence. It is a deliberate communication strategy. Companies talk about the location because location is tangible and builds trust. The provider underneath is something they prefer not to discuss, because that is where the truly critical question arises.
The location of a data center is entirely irrelevant under the CLOUD Act. The Clarifying Lawful Overseas Use of Data Act, a US law enacted in 2018, allows US authorities to compel American companies to hand over data regardless of where that data is physically stored. AWS is an American company. Microsoft is an American company. Google is an American company. Their data centers may be in Frankfurt, Amsterdam, or Dublin, but legal access follows corporate ownership, not geography.
This is not a conspiracy theory. It is enforceable law. And anyone who does not know this distinction, or chooses not to communicate it, is acting at best carelessly and at worst dishonestly.
Complete sovereignty is an illusion. Conscious sovereignty is a goal.
Many providers will not say this out loud, but complete digital sovereignty is simply not achievable for globally operating companies. Anyone running international locations, using global SaaS solutions or working with partners across multiple continents will inevitably encounter infrastructure that is not exclusively subject to European law. That is not a failure. That is the reality of global business models.
The more useful question is therefore not how to achieve 100% digital sovereignty, but which data and processes are particularly worth protecting and how to ensure that exactly those remain under maximum control.
This requires no ideology. It requires clarity. And it starts with a step that a surprising number of companies skip entirely: the systematic classification of their own data and workloads, long before any conversation about specific infrastructure begins. Not every application, not every database, not every system deserves the same level of protection. Financial data, personal information and trade secrets carry different requirements than marketing content or publicly available documentation. Companies that do not make this distinction are not making conscious decisions. They are delegating those decisions to their infrastructure provider without realising it.
What actually matters beyond the server location
If the location of a data center alone is not enough, what does matter? The answer lies in three questions that should be asked of every provider before making a decision.
First, it is worth understanding which legal system the provider operates under. Not the data center, not the sales office, not the local subsidiary, but the parent company that ultimately controls the infrastructure. Is it subject to a legal framework that allows third-party access beyond the customer’s control?
Second, it is important to understand who has technical access to your systems, under what conditions and with what level of logging and accountability. Certifications such as BSI IT-Grundschutz, ISO 27001 or the BSI C5 catalogue are not marketing decoration. They are evidence that a provider has established processes and controls that hold up under external scrutiny.
Third, it is worth asking whether you can leave. Vendor lock-in is one of the most underestimated threats to digital sovereignty. A company that has maneuvered itself into proprietary formats and deeply entangled dependencies is no longer truly sovereign in its choices, even if the data technically belongs to it.
Pragmatism over dogma
There is no obligation to choose between “everything in the public cloud” and “everything on-premises.” Hybrid infrastructure approaches allow conscious control over what lives where. Critical core systems can run in sovereign, certified German cloud infrastructure. Scalable, less sensitive workloads can run on established hyperscaler platforms, provided the associated implications are understood and accepted.
What this requires is not a specific product. It requires a partner who does not talk around the complexity but works through it together, without an interest in pushing everything onto a single platform.
What we experience at weSystems every day
We build and operate IT infrastructure for mid-sized and larger companies. We run our own German cloud in certified German data centers. We are not a reseller passing on products and not a consultancy that writes concepts and then walks away.
What drives us is the conviction that companies deserve IT that works, reliably, securely and with real people on the other end who take responsibility. Digital sovereignty is not a sales argument for us. It is a mindset. The mindset of not making promises we cannot keep and instead helping our customers ask the right questions before they make decisions they will later regret.
Because in the end, it is just like motorsport. The best crew is not the loudest one. It is the one that makes sure the driver can focus entirely on the track, knowing that everything else is in good hands.
Sovereignty is not a product feature. It is a decision.
Digital sovereignty cannot be bought. It is the result of conscious decisions about which data lives where, who you work with and which legal framework you accept. It has limits, especially for companies operating globally. Naming those limits honestly is not a weakness. It is the prerequisite for an infrastructure strategy that works in the real world.
Anyone who has not yet asked these questions in a structured way should start now. Ideally with a partner who does not smooth them over, but works through them together.
Do you have questions about your cloud strategy or IT infrastructure, or do you simply want to understand what a dedicated German cloud could mean for your business? Get in touch. We listen: no ticket system, no hold music.


