Munich Makes Digital Sovereignty Measurable With Its Own Score (heise.de)
alternative_right writes: The city of Munich has developed its own measurement instrument to assess the digital sovereignty of its IT infrastructure. The so-called Digital Sovereignty Score (SDS) visually resembles the Nutri-Score and identifies IT systems based on their independence from individual providers and 'foreign' legal spheres. The Technical University of Munich was involved in the development.
In September and October 2025, the IT Department already conducted a first comprehensive test. Out of a total of 2780 municipal application services, 194 particularly critical ones were selected and evaluated based on five categories. The analysis already showed a high degree of digital sovereignty: 66% of the 194 evaluated services reached the highest levels (SDS 1 and 2), only 5% reached the critical level 4, and 21% reached the most critical level 5. The SDS evaluates not only technical dependencies but also legal and organizational risks.
good (Score:2)
Why don't we all ask our local gov to apply the same score...
Re: (Score:1)
Instead of increasing control, it hands more power to a few mega-platforms (the only ones that can afford compliance
Yeah, as demonstrated by switching to the offline LibreOffice and giving The Document Foundation all that power, while eschewing the faster and more secure M$ Office 365.(*) (**)
(* = yeah, this is meant to be ironic. A lost art on /. and not understood or appreciated by many these days.)
(** = and I do understand that there are many more systems needed, over and above a simple suite of office applications.)
Those caveats stated, it should maybe also be noted that Munich is not some small town in some tech
Re:This is f**d up (Score:5, Insightful)
Everything is inherently global to some extent. But global systems only work if every actor has good will. Everyone should have learned that lesson by now.
And even within a system of good will, there's still basic facts about sovereignty, like if a country cannot feed itself, it's not independent. When it needs food the most is also when everyone else needs it most, and it will therefore starve. In this real world of ours that sadly has a severe lack of good will, you are going to bend over to someone you really don't want to be bending over to, just to stay alive.
Now as to data and such. With the US showing its true colours more and more in the recent times, the threat becomes real that if your infrastructure is based on US tech, hosted by US companies, and maybe even hosted within US borders, they might just take all of that hostage, and you will be bending over again.
Compliance on the other hand is not so much an issue of affordability, but of giving a fuck. If you are big enough to serve government contracts, you can afford to comply to their requirements. Even more, the government itself will pay for the compliance, because in the end it's just part of the pricing calculation. But let's compare Google, who cannot be arsed to comply with the EU requirement to keep all EU data within EU borders, and Microsoft, who can be arsed. Guess which company has all the business.
Interoperability, on the other hand, is not really the name of the game of the status quo, is it. Every vendor is working to get you locked in to their platform. It takes policy and budget and will to steer clear of that. Funny thing is, interoperability is cheaper, because you can just use off-the-shelf components to build your stack. But building a vendor lock-in platform takes investment, and that's a mega-platform game.
Lastly, there's always the magic word of efficiency at play, isn't it. Well here's the problem with efficiency. Efficiency is brittle. If you optimize for efficiency, there's no room for a safety margin. The 2008 economic crisis was caused by efficiency. Nvidia melting connectors are caused by efficiency. Covid supply chain issues were caused by efficiency. It's just a catchall word to argue against anything that might be important, but what it really argues for is that spending as little money as possible is the most important thing. And it isn't. Money is just something you use to achieve what is actually important. If you spent the money, however little, but didn't get what you need, the money was wasted. If you want to make sure you will not be bending over when the shit hits the fan, you will need to pay your way.
Re:This is f**d up (Score:5, Interesting)
Global isn't the problem, it's central control by a foreign entity which is the issue.
Linux is global, and even tho Linus lives in the US and is thus beholden to US law any changes forced by the government would be noticeable, and foreign users could create a fork that's free of further US influence.
The same can't be said of commercial operations - even when a US based company has an EU division, they are ultimately answerable to the US based bosses and thus by extension to the US government. Sure they may store data on servers physically in the EU, but that doesn't do much good if the people managing those servers answer to foreigners.
Re: (Score:2)
independence is important and has a cost
MBA groupthink got us here.
Re: (Score:2)
Just because we're used to dealing with the abstractions doesn't mean the underlying isn't real. It's a long time since this terminology was in use, but even 'the internet' used to be 'an internet
Re: (Score:3)
"Digital sovereignty" is just a new buzzword that means exactly the same thing as the older, utterly uncontroversial "minimize external/proprietary dependencies" which has whacked every. single. person. here upside the head, at some point in their life.
If your production system can go down because of what someone else does, or has done unto them, that's a problem. Do your customers want to hear "sorry, the site was down for a few hours because AWS was down" or would you prefer them hear "Of course the syste
Well done, now start the race (Score:3)
Reading some of the other comments, it sounds like the trolls are out or people don't get the idea.
Essentially, in how far can you take your ball and go home, or rather, go play with different people. For office 365 you have exactly one source, but for office, there are now many options. And so on and so forth. Having your data locked into a specific solution without an easy way out sets you up for abuse, see Broadcom. There's a clear need for exit strategies, but most haven't realised this.
Re: Well done, now start the race (Score:2)
For office 365 you have exactly one source
I'll disagree with that, not out of typical Slashdot pedantry, but because MS appears to have a different business setup in China, likely to be related to sovereignty.
Their Azure presence is linked to a Chinese company that is NOT Microsoft. This suggests to me that if the customer base required it, MS could have a fully EU-based operation disconnected from the other Azure regions.
Sounds like an excellent idea to me. (Score:3)
I mean, unless you really don't care if all of your document or personal information are somewhere in the world, where they're being scanned for a) criminal purposes, b) local law enforcement, or c) political information by a country that doesn't like you.
You know, like when 47 didn't like members of his regime, or "friends" of his being indicted by the ICC, and he told M$ to shut down the ICC M$ software.
SaaS is one of the most critical and vulnerable things that Needs to Go.
SDS How-to (Score:2)