Digital sovereignty requires freedom of choice.
In this interview, Harald Joos, Cloud Officer at the German Federal Pension Insurance Fund, explains why digital sovereignty means maintaining choice and control through flexible architectures and multi-cloud strategies.
Mr Joos, when people hear “German Pension Insurance”, they rarely think of cloud strategy. Why is digital infrastructure such a strategic issue for your organisation?
Harald Joos: Because our core mission depends on it. We are not talking about IT for its own sake. We are talking about services that millions of citizens rely on: pension payments, rehabilitation processes, contribution statements, long-term entitlements, and a very extensive exchange of data with other institutions. If these systems fail, the consequences are immediately felt. That is why business continuity is a top priority. Digital infrastructure is strategically important as public services are essential today.
You often say you are not against hyperscalers, but against excessive dependence. What do you mean by that?
I mean that we should stop thinking in extremes. It would be unrealistic to believe that Europe can simply replace all major US cloud providers in the short term. At the same time, it would be irresponsible to build digital architecture in a way that leaves us with no alternatives. Sovereignty is not isolation. It is achieved by retaining the ability to choose, to switch, and to remain operational under different conditions. If one provider, a legal system or an operating model becomes the only option, then you lose room to manoeuvre. That is the real risk.
So, what does a practical sovereignty strategy look like?
It starts with architecture. If you develop software to be portable and cloud-native – using containers for example – you gain flexibility. Then you can decide case-by-case where a workload should run, in your own datacentre, in a German or European cloud environment, in a highly specialised environment of an international hyperscaler, or in a combination of several of these. That is what a multi-cloud strategy should achieve: options based on use case, risk and requirements. For me, the crucial question is not “Which cloud ideology do you support?”, but “Can you still act if circumstances change?”
How important is this specifically for the public sector?
It is extremely important. Public-sector organisations must meet very high expectations in terms of reliability, security and compliance. At the same time, they are under pressure from a structural skills shortage. In the coming years, a significant share of employees will retire, and many organisations will not be able to replace them one to one. That means we need to reduce the scope of routine infrastructure work that we carry out ourselves and focus our staff on the things that only we can do: governance, process design, service quality, critical applications, data protection and risk management. Cloud services can help with this, but only if we retain control over how and where they are used.
That sounds like a balance between efficiency and autonomy.
Exactly. Digital sovereignty isn’t some romantic notion of doing everything yourself. In fact, trying to manage everything on your own can weaken you rather than strengthen you. The aim is to make a conscious decision about which parts of the stack you operate yourself, which you outsource, and under what conditions. If a trusted provider operates the infrastructure more efficiently and securely, that can be a good decision. But you still need transparency, contractual clarity, technical portability and fallback options. Otherwise, convenience turns into dependency.
How do you decide where sensitive data and critical workloads should be hosted?
There is no one-size-fits-all answer. It depends on the sensitivity of the data, the criticality of the service, regulatory requirements, operational dependencies and economic considerations. Some use cases may require domestic hosting or very specific legal safeguards. Others can be handled in broader environments provided the risks are adequately mitigated. The key is that these decisions are based on structured criteria rather than assumptions. We need objective methods for assessing sovereignty characteristics, security features and operational resilience. That is why frameworks and assessment models are becoming increasingly important.
You have also advocated a cloud broker model for the social security system. What problem does this solve?
It’s about procurement and selection. If you carry out a single, very large procurement process and define the requirements in such a way that only the largest providers can meet them, you may well be exacerbating the very market imbalance that you are actually trying to overcome. Our idea was different: instead of procuring just one or two cloud offerings, we wanted a broker model that provides access to multiple clouds via a structured pathway. This includes major US providers, as they remain highly relevant for certain use cases, but also European offerings. This creates a direct pathway for the use of European solutions and avoids a procurement approach that inadvertently excludes them.
Where do open-source solutions fit into this picture?
Open source is important, but it shouldn’t be treated as just a buzzword. It’s not enough to simply publish code and assume that autonomy will follow automatically. What matters is whether there is a genuine product, a real user base, a sustainable ecosystem and a community that continuously improves it. When these elements come together, open source can become a powerful tool for flexibility, transparency and reduced lock-in. I see great potential in solutions that solve specific operational problems and can be introduced gradually. openDesk is an example of how this can work in practice.
Some claim that Europe is already lagging too far behind in the cloud sector. Are you optimistic?
Yes, I am. Not because the challenge is small, but because the technological landscape is changing so rapidly. The cloud is not the end of the story. We are already moving towards new waves of innovation, including AI-powered processes, automation and, in time, quantum technologies. Europe does not need to copy every move made by others. It can define its own strengths and its own operating models. However, this requires collaboration. We need less fragmentation, more interoperability and a greater willingness to scale up what works. If Europe collaborates more effectively across public institutions, research and industry, it can build a stronger position.
If you had to sum up your message to decision-makers in a single sentence, what would it be?
Stop treating digital sovereignty as an abstract debate and start integrating it into architecture, procurement and operating models. Ultimately, sovereignty is not a buzzword. It is the practical ability to continue delivering results, making decisions and moving forward as the environment changes.