Skip to main content
All posts

Switched Off at 5:21 PM

Why sovereign infrastructure stopped being a preference and became a duty of care.


On Friday evening, a US software product was switched off for every non-American on Earth, including the non-citizen employees of the company that built it.

At 5:21 PM Eastern, Anthropic received an export-control directive from the US government and, to comply, abruptly disabled its two most capable models, Fable 5 and Mythos 5, for all customers. Not throttled. Not deprecated with a migration window. Disabled. The company disagreed with the reasoning, apologised to its users, and said it was working to restore access. None of which mattered on Friday night to the people whose workflows had just stopped.

I want to be precise about what this is and is not. It is not a story about AI. It is not a story about one company, or one administration, or one political direction. It is a story about a structural fact that most of the German Mittelstand has been quietly betting against: a service you do not control can be removed from you by someone who is not your supplier and not your customer, for reasons that have nothing to do with you, between one afternoon and the next.


The dependency is not where you think it is

Most businesses assume their cloud risk is priced into the invoice. It is not. The invoice covers uptime and capacity. It does not cover jurisdiction.

Roughly 70% of the European cloud market still runs on three US hyperscalers. AWS, Azure and Google Cloud all operate European data centres and all offer "data residency." But residency is about where the bytes sit. Sovereignty is about whose law reaches them. A US-owned provider remains subject to US law (the CLOUD Act, FISA, export controls), regardless of which Frankfurt rack your data physically occupies. Microsoft's own legal officer in France told the French Senate, in effect, that the company cannot fully guarantee EU data is beyond the reach of a US data request. An "EU region" is a postcode. It is not a legal firewall.

So when you depend on a US platform, you are not buying a service. You are buying a service plus an option, written for free, held by a foreign government, that lets them turn it off. You did not negotiate that option. You cannot see its strike price. And on Friday we watched it get exercised.


You cannot insure against unpredictability

Here is the part that makes the usual risk analysis fail.

Normally you manage supplier risk by estimating intent: how likely is this to happen, what would trigger it, what's the warning time. That works when the counterparty is trying to be predictable, a rational actor protecting a commercial relationship.

It does not work against a strategy of calculated unpredictability: the doctrine, openly discussed across the political spectrum as a negotiating posture, that leverage comes from being hard to forecast. You do not have to share anyone's politics to take this seriously. The point of the posture is precisely that you cannot price it. The whole value of the lever, to the person holding it, is that you can't tell when it will be pulled. Tomorrow it might be a tariff. It might be an export rule. It might be a 5:21 PM letter. The honest planning assumption is not "this probably won't happen to me." It is "I have no defensible basis for estimating this, so I must remove the exposure instead of trying to insure it."

That is the entire argument for sovereign infrastructure, and it survives every change of government. A dependency you cannot model is a liability you cannot carry on behalf of a client.


Services are the choke point, not goods

Tariffs are slow, visible, and negotiated. They hit physical goods at a border, with notice, with appeals. They are loud.

Services are the opposite. They are switched, not taxed. There is no border, no shipment, no warning, just an API that returns 403 where it used to return 200. The leverage in a service economy is not the factory; it is the off-switch. And the more "managed" and convenient a service is, the more deeply it is wired into your operations, the more it functions as a choke point. Convenience and dependency are the same measurement read from two directions.

This is why "we'll deal with it if it happens" is not a plan for a software business. By the time it happens, the dependency is the product.


What you can actually swap in

The good news is that the alternatives are no longer a compromise. For most of the stack, there is a mature, European or self-hostable option that you fully control. A working map:

FunctionUS defaultSovereign / self-hostable alternative
Compute / IaaSAWS EC2, Azure VMsHetzner, IONOS, STACKIT (DE); OVHcloud, Scaleway (FR)
Object storage (S3)Amazon S3Garage (FR, EU-funded), SeaweedFS, or Hetzner Object Storage (managed)
Managed databaseRDS, Azure SQLSelf-hosted PostgreSQL; managed via Scaleway / Aiven (EU)
KubernetesEKS, AKSManaged k8s on OVHcloud / Scaleway; or self-hosted
Identity / SSOAzure AD, CognitoKeycloak, Authentik, Zitadel (CH)
Office / collaborationMicrosoft 365, WorkspaceNextcloud (DE), OnlyOffice
EmailMicrosoft / Googlemailbox.org, Posteo (DE)
Git / CIGitHubForgejo, GitLab (self-hosted)
AI inferenceOpenAI, US-hosted modelsMistral (FR), Aleph Alpha (DE), self-hosted open weights
ObservabilityDatadogSelf-hosted Grafana / Prometheus

A cautionary note on one of these, because it teaches the deeper lesson. Object storage is the textbook S3 swap, and for years the answer was MinIO. As of 2026 it isn't: MinIO archived its open-source repository, stopped maintaining the community edition, and now ships source-only under terms that carry real legal risk for commercial use. Nothing was switched off by a government: it was enclosed by a vendor. That is the same risk wearing different clothes. True sovereignty is not just which jurisdiction; it is no single party's goodwill required. Which is exactly why the better object-storage answer today is Garage, a lightweight, S3-compatible store built by a European non-profit and funded through the EU's Next Generation Internet programme. Owned by no one who can take it back.


Cost is responsibility

The objection is always cost, so let me meet it directly. Sovereign infrastructure usually does cost more, not always in euros (Hetzner is routinely cheaper than the hyperscalers), but reliably in effort. You take on the maintenance. You give up some of the one-click managed conveniences. You own the patching, the backups, the on-call. That is real, and pretending otherwise would be dishonest.

But that cost is not overhead. It is the premium on a thing you actually own. And the framing I'd ask you to sit with is this: the cheapest infrastructure is always the one someone else can switch off. It is cheap precisely because you have outsourced the risk along with the work, until the day the risk comes home, at which point it is not cheap at all, and you have no recourse.

For a company building software for the German Mittelstand, sovereignty is not a marketing aesthetic and it is not a political statement. It is a duty of care. When a client trusts you with the system their business runs on, "it works until a foreign government decides otherwise" is not a service level you should be willing to sign your name to. The extra cost of doing it properly is what that responsibility looks like on an invoice.

On Friday it took one letter and one timestamp. The next one won't send advance notice either.