Step 1: know your dependencies

Together with you, we conduct a thorough inventory of your IT landscape. We don’t limit our focus to business-critical applications – instead, we ensure that tools like SolarWinds or CrowdStrike aren’t overlooked. Both commercial and open-source software are included in our review – because vulnerabilities like those found in Log4j or libxz can pose significant risks.

We help you build software bills of materials (SBOMs), in line with upcoming requirements from both U.S. regulations and the European Cyber Resilience Act.

For your Software-as-a-Service providers, we don’t just note the service name – we also document the location of the cloud and its underlying infrastructure providers. Within your network, we identify DNS services, domain registrars, internet and email providers – including their subcontractors.

We also record the hardware used across your infrastructure – from client devices to servers. In manufacturing environments, we include operational technology (OT), and in companies developing software, we also inventory engineering technology (ET). Finally, we catalog dependencies on service providers and consultants. We then check this information with your procurement records to identify and close any gaps in your supply chain.

Within just a few days, we can jointly build a reliable 80% snapshot, which can then be refined step by step. We also analyze corporate structures and country-specific dependencies to give you a clear understanding of your digital sovereignty status.

This is your first step towards transparency, control, and a resilient digital infrastructure.

Step 2: Manage emergencies

So what happens after the initial assessment?

First, the report gives you immediate insight into concentrated risks – those critical dependencies where a failure or malfunction could significantly impact your business.

Next, we work with you to model potential future threats. We start with seemingly straightforward questions: How seriously do your suppliers take cybersecurity? But the scenarios quickly become more complex:
Could China take over Taiwan – and what would that mean for the supply of semiconductors to the EU?
What happens if BRICS+ countries turn away from the West, and Indian IT providers stop offering services to European companies?
Could a U.S. administration use the dominance of tech giants to enforce geopolitical goals?

Together, we prioritize the most relevant and high-impact scenarios. Based on these, we develop contingency plans:
What do we do if the Microsoft Cloud is unavailable for an extended period?
What if we can’t procure new hardware?
What if a key service provider suddenly terminates the relationship due to external pressures?

You benefit from our practical experience – we know which elements of contingency planning have proven effective in real-world situations.

Once you have robust plans in place for your most critical risks, you’ve successfully completed the second step toward digital sovereignty.

Step 3: Divide et Impera

As with all contingency plans, one rule applies here too: if it’s not practiced, it won’t work when it counts. That’s why we regularly test the emergency plans together with you. During each exercise, we take note of any gaps in functionality or quality within your fallback systems. This helps us measure how far the sovereign alternative still lags behind your original system—or whether it may already be on par.

Sovereign solutions like openDesk, the secure workplace developed by the Center for Digital Sovereignty, are becoming a viable alternative at the desktop level. On the server side, Linux-based options are widely available. We incorporate and evaluate these solutions during our emergency drills. This marks your next step toward achieving digital sovereignty.

Step by step, we develop plans with you to roll out the proven fallback solutions department by department—not just for emergencies, but in everyday operations. We integrate the new architectures into your existing security and monitoring systems, and we support you with ongoing maintenance.

Finally, we perform high-quality security audits. Only when there is reliable protection against known threats—such as cybercrime and state-sponsored espionage—can we consider this part of the journey complete.

Over time, we’ll gradually build up your digital sovereignty, together and sustainably.