7 July 2026

Digital Resilience in Practice: Seven Insights from the Claranet Webinar ‘From Myth to Masterplan’

Hardly any other term has shaped the IT debate in 2026 as much as that of digital sovereignty. What this actually means in business practice remained unclear for longer than necessary. Claranet took this as an opportunity to organise a three-hour webinar on 11 June 2026 entitled ‘From Myth to Masterplan’. Experts from the eco Association, valantic, KOBIL, INFORM and Claranet examined the topic from seven different perspectives.

The regulatory backdrop lends the issue additional urgency: the Act on the Federal Office for Information Security and on Information Security in Organisations (BSI Act – BSIG), which was amended to implement the NIS 2 Directive, has been in force since the start of December 2025; the KRITIS Framework Act since March 2026; and DORA since the start of 2025. The EU AI Act and the EU Data Act are shaping the current year. One of the key messages of the day was: sovereignty does not end with the server location. It extends throughout the entire technology stack, from cloud architecture through data and SAP applications to the workplace. In business practice, this translates into a term that is easier to grasp: digital resilience. Below you will find the seven key takeaways from the day. The full event video is embedded below; it is freely accessible and requires no registration.

1. Sovereignty as freedom of choice, not as protectionism

Andreas Weiss and Michael Hase from the eco Association and EuroCloud Germany opened the webinar by asking whether cloud sovereignty was reality or fantasy. Their answer left little room for myths: sovereignty means ensuring control, creating transparency and reducing dependencies, but never protectionism. Anyone who ignores all dependencies can “very easily feel sovereign”, said Hase, citing the image of the king on the small asteroid from *The Little Prince*. Sovereignty without resilience remains a theoretical construct.

This thesis was supported by the EuroCloud study “Digital Resilience made in Europe”, for which over 250 companies were surveyed in the summer of 2025. 57 per cent of respondents stated that they felt unsettled in their infrastructure strategy by current US foreign policy. The proportion of those for whom sovereignty and resilience are “crucial” rose from 28 per cent to 38 per cent over a twelve-month period. Notably, there are no signs of a shift away from the public cloud. Planned multi-public-cloud setups increased from 14 to 22 per cent.

“Sovereignty means ensuring control, creating transparency and reducing dependencies. It does not mean cutting oneself off from the international technology landscape.”

Michael Hase, Manager, EuroCloud Germany

2. From myth to masterplan: a five-step process

Fabian Dörk, Director of Cloud Services at Claranet, provided the methodological framework for the day. In his view, three figures mark the starting point of the debate: Five per cent of global AI computing capacity is in EU hands; 80 per cent of European corporate spending on software goes to US providers; and 90 per cent of global high-end chip production below five nanometres comes from Taiwan. Against this backdrop, Dörk shifts the concept of sovereignty from a question of location to one of action. Sovereignty, he argues, is not a question of location, but of the power to shape the future. It is not a state of being, but a capability that must be developed.

The master plan presented is divided into five steps:

  • Analysis of the threat landscape
  • Determination of the individual risk profile
  • Assessment of the existing IT landscape
  • Definition of objectives, including a gap analysis; for cloud solutions, for example, based on the EU Cloud Sovereignty Framework and its Sovereignty Effectiveness Assurance Levels (SEAL 1 to SEAL 4) across the dimensions of strategic sovereignty, legal sovereignty, data and AI sovereignty, Operational Sovereignty, Supply Chain Sovereignty, Technological Sovereignty, Security and Compliance Sovereignty
  • and, finally, the derivation of concrete measures.

A start-up and a KRITIS operator would face the same list of risks in this context. However, the likelihood of these risks occurring and their potential for damage vary considerably. Dörk therefore advises considering the individual risk profile in order to select an economically viable level of sovereignty. Cloud offerings can be categorised according to the SEAL framework: ranging from standard public cloud services through sovereign hyperscaler options such as the AWS European Sovereign Cloud (generally available from January 2026, Frankfurt region) and the Delos Cloud, right through to providers wholly owned and managed by the EU.

Sovereignty is not a question of location, but of the power to shape the architecture.”

Fabian Dörk, Director of Cloud Services at Claranet

3. Sovereign identity: Germany’s solution for local authorities and regulated sectors

Robert Roth from KOBIL used the example of the city of Worms to demonstrate to the audience what a sovereign identity and service platform of German origin looks like in practice. The model was the KOBIL Super App for the city of Istanbul, which today has around five million active users and bundles hundreds of municipal services into a single application. The Worms version combines administration, mobility, ticketing and payment services in a single app, featuring banking-grade security, its own identity solution, qualified digital signatures and integrated payment. The Kubernetes infrastructure is operated on AWS servers in Germany, with open API interfaces and a low-code layer capable of integrating new services without a traditional release cycle.

The key takeaway from the presentation for the debate on sovereignty: there are already German providers with banking-grade security expertise who are closing precisely the gap that exists in many local authority and government digitalisation projects. Secure digital identity is achievable without personal data ending up in US data centres. And, under certain conditions, US hyperscalers can certainly be part of the solution. Roth pointed out that data sharing in the Worms app always takes place at the user end, and that this ensures sovereignty where it ultimately needs to apply: namely, in the data processing itself.

4. When the cloud region is no longer an option: lessons from the drone attack in the Middle East

The presentation by Dr Torsten Fahle, Head of Performance Cloud at INFORM, was particularly dramatic. The Aachen-based company is a ‘hidden champion’ amongst German SMEs, whose software organises ground operations at around 200 airports worldwide. Fahle took the participants back to 1 March 2026. On that day, drones struck two of the three AWS data centres in a region in the Middle East. The standard services S3, DynamoDB, EC2, Lambda and CloudWatch had failed, and the SaaS solution of a major INFORM customer in Dubai was suddenly unavailable. On the second day, AWS recommended activating disaster recovery plans and rerouting traffic away from the region. Three months later, in June, AWS had still not announced a date for the restoration of the destroyed data centres.

The uncomfortable lesson from the incident was that the national data sovereignty required by the customer during the setup of the INFORM solution led, in this unforeseen scenario, to a complete loss of technical control. The backups were stored in one of the affected data centres. Replication to the sole remaining, undamaged data centre had also failed. Fahle’s assessment was nuanced: the cloud and sovereignty were not mutually exclusive. In this setup, the hyperscaler had been part of the risk, but at the same time also part of the solution. Long before the incident, INFORM had, for reasons of sovereignty, consistently relied on Kubernetes as an abstraction layer, service wrappers to shield cloud-native features and, wherever possible, open technologies such as PostgreSQL rather than proprietary services. As a clear consequence of the incident, multi-region disaster recovery is now offered not as an additional option but as the default, which must be explicitly deselected.

Data sovereignty and technical resilience can be at odds with one another. The trade-off must be carefully considered."

Dr Torsten Fahle, INFORM

5. Resilience does not come from a certificate on the wall: A plea for NIS-2 and effectiveness

Thomas Lang, Partner and Managing Director at valantic, opened his presentation with a real-life night-time scenario from his day-to-day consultancy work. At 03:14, an IT manager’s phone rings. On the other end was an on-call staff member with a trembling voice: all systems were encrypted, the SAP system was down, and production had come to a standstill. The affected company had been audited several times and was ISO-certified, having passed all audits. Nevertheless, it took eleven days for operations to resume. In an emergency, according to Lang’s sober assessment, nobody asks whether everything is compliant and filed away. The only question is whether the company was able to function.
That night, three vulnerabilities emerged that no previous audit had detected.

  • Firstly, there was no decision-maker. The only person authorised to halt production was on a cruise in the South Seas.
  • Secondly, there was a lack of prioritisation. A business impact analysis in which 60 out of 160 processes are classified as top priority is of no use in an emergency.
  • Thirdly, there was a lack of practice. Contingency plans were filed away, but had never been rehearsed.

According to Lang, NIS-2 – which has been in force in Germany since 6 December 2025 under the BSIG – is not aimed at introducing new security controls, but at ensuring that existing ones are effective. Section 30 of the BSIG requires risk management, backups, supply chain security and multi-factor authentication. Section 32 of the BSIG sets out the 24- and 72-hour reporting obligations. Section 38 of the BSIG stipulates the personal liability of the management. His argument was accordingly: being ‘audit-ready’ does not mean being ‘crisis-ready’. Who is authorised to make decisions in the first hour – and whether that person has had the necessary training – is more important in an emergency than any certificate on the wall.

valantic: Folie "Die Brücke von der Pflicht zur Wirkung

It is not a question of whether an incident will affect you, but when. Practise so that you know you are capable of taking action.”

Thomas Lang, valantic

6. SAP Security: Attackers remain undetected for dangerously long periods

Patric Walldorf, Director of Cyber Security at Claranet, picked up on this straight away. Whilst most companies now monitor their networks, email traffic, end devices and identity management effectively, the SAP system remains a blind spot in many organisations. The reasons for this are structural. Standard SIEM platforms are generally unable to receive SAP logs at all. Even when they can, the Security Operations Centre lacks the SAP expertise to interpret them. And there is no correlation logic to link individual events to attack patterns.

The result: attacks sometimes go undetected for months, with the potential damage growing daily. Furthermore, a security audit paints a alarming picture, particularly in mature SAP landscapes: too many privileged technical users, some of whose passwords have not been changed for years; interfaces from old projects that were never decommissioned; configurations that have never been reviewed. The business risks arising from such situations are obvious. Walldorf also highlights a very personal risk:

BSIG’s directors’ liability also applies if the security vulnerability lies within the SAP system.

His proposed solution: a threat detection component at the SAP application layer, connected to a SOC with dedicated SAP expertise, which operates independently of specific SAP modules and regardless of whether the system is run in the organisation’s own data centre, in the public cloud or via RISE with SAP.

7. Workplace sovereignty: the chapter in which the myth remains visible

Philipp Schlenkermann, Director of Workplace Services at Claranet, brought the day to a close. Around 85 per cent of all companies use Microsoft 365. Dependencies in the workplace extend deep into the tech stack: hardware, operating systems, the Entra ID identity platform, Microsoft Teams as a collaboration tool, and Intune for end-point management. If Entra ID were to fail, not only would Microsoft 365 be affected, but also many systems linked to it, including SAP. What use is a running SAP system if nobody can log in anymore?

There are signs of change. Schleswig-Holstein is migrating 30,000 workstations to Linux and LibreOffice. The Bundestag is planning a major move away from Microsoft and explicitly refers to Delos as a bridging technology. The Schwarz Group, comprising Lidl and Kaufland, has signalled its intention to move away from Microsoft, whilst Bavaria has, for the time being, cancelled a Microsoft deal that was thought to be a certainty. The Delos Cloud, an SAP subsidiary using the Microsoft stack, is a viable alternative, but it has two limitations that are relevant to many. It is only available to public authorities and public sector clients. And it currently only covers Office 365, not the full Microsoft 365 suite. Intune, for example, is missing and will only be added later. Open-source alternatives such as NextCloud, ownCloud, Mattermost, Open Exchange and LibreOffice have caught up significantly in recent years. However, they do not cover the usual range of functions, their ecosystem of third-party providers and service providers is smaller, and they can easily lead to acceptance issues amongst end users, which in the medium term encourages shadow IT.

Schlenkermann’s recommendation therefore remained pragmatic. No hasty exit, no relapse into a fragmented ‘best-of-breed’ world. Instead, three courses of action:

  • monitor market developments and the responses provided by the vendors themselves;
  • assess, as an ongoing process, not as a one-off exercise;
  • and be prepared.

Specifically, the latter refers to a contingency operating model, a backup that is not hosted by the hyperscaler and offers alternative recovery targets, and a classification of services according to their actual criticality. For example, it is essential to have a fallback plan in place to cover scenarios such as an Entra ID outage.

Withdrawing from the service is not currently advisable and would only be possible in part. There are currently no EU alternatives with a comparable range of functions. But being prepared is essential.”

Philipp Schlenkermann, Director of Workplace Services at Claranet

From Myth to Masterplan: Sovereignty in Practice

Full webinar recording from 11 June 2026

Contents of this webinar recording. Clicking on the timestamp link will take you directly to the relevant presentation on YouTube:

  • Cloud Sovereignty – Reality or Fantasy? (EuroCloud Germany_eco) from 00:05:06
  • Sovereign Cloud Strategies in Practice (Claranet) from 00:34:57
  • Performance, Resilience and Security with the Public Cloud (Use Case KOBIL) from 00:51:40
  • Aviation in the Cloud – Digital Capability to Act in a Crisis (INFORM use case) from 01:06:38
  • NIS-2 & Co. – Legal requirements & risk management (valantic) from 01:38:16
  • SAP Security: Between Flying Blind and Personal Liability (Claranet) from 02:11:00
  • Workplace strategies for future-proof IT (Claranet) from 02:34:30

From myth to masterplan: what links the seven perspectives

Anyone looking for the common thread running through the seven presentations will not find it in a definitive platform recommendation. It lies in a shared perspective: digital sovereignty and digital resilience do not end with choosing the right cloud. They encompass the entire technology stack, from workload classification through data sovereignty and SAP security to workplace strategy and disaster recovery planning.

They stand or fall on transparency, informed decisions, effective processes, clear responsibilities and a culture of continuous, workload-based assessment.

A national data sovereignty requirement may limit technical resilience, so the trade-off must be made consciously. Compliance issues such as BSIG (NIS-2), DORA, the EU AI Act, the EU Data Act and the KRITIS umbrella law will be a reality for businesses of all sizes by 2026, but being audit-ready does not mean being crisis-ready. SAP security remains a blind spot and the most common operational risk with measurable financial consequences. And when it comes to the workplace, a complete withdrawal is not realistic for the majority of companies. Nevertheless, preparing for a potential outage is essential.

The closing remark from the opening presentation rounds off the picture: in business practice, autonomy translates into resilience and the ability to act. It is not a state of being, but a capability that must be developed. The event video above provides the technical details from each of the 30-minute presentations, including a question-and-answer session.


Digital resilience at a glance

Digital resilience describes an organisation’s ability to maintain or rapidly restore IT-supported business processes even in the face of disruptions, attacks or regulatory intervention. Unlike digital sovereignty, which describes control over data, technology and operations, resilience focuses on the ability to function under pressure. It rests on three pillars: security, availability and recovery. It is enshrined in legislation under Section 30 of the BSIG (NIS-2 Article 21), Articles 6 to 16 of DORA and the KRITIS Framework Act. With the entry into force of these regulations, it has moved beyond being merely an audit topic and has become an operational obligation, across all sectors and for organisations of virtually all sizes.


Frequently Asked Questions

What distinguishes digital resilience from digital sovereignty?

Sovereignty describes control over data, technology and operations. Resilience describes the ability to function under pressure – that is, the ability to maintain or rapidly restore IT-supported business processes even in the event of disruptions, attacks or regulatory intervention. The two terms overlap, but are not identical. Sovereignty without resilience remains theoretical.

How can SAP security be retrofitted without a complete re-platforming?

Through threat detection components that extract SAP logs at the application layer and connect them to a SOC with SAP expertise. This works regardless of the SAP module and independently of the deployment model, whether in your own data centre, in the public cloud or with RISE with SAP.

Where do you start with a limited budget and staff?

With an as-is analysis: determine your individual risk profile, identify critical applications and take stock of dependencies. This is not a step that ties up a lot of staff or capital. But it forms the basis for making an informed decision on the next steps that make economic sense for your organisation.