Can public transport better protect itself against cyberattacks while simultaneously increasing its digital sovereignty? Yes, this is possible, and it is even advisable to link both goals. But before implementation, a thorough analysis of sovereignty requirements is essential.
In February 2026, a massive DDoS attack blocked railway information and booking systems. The Federal Office for Information Security described it as an unusually large-scale attack. The good news: the trains kept running, and no one was harmed. But of course, transport operators are faced with the question of how they can prevent attacks on particularly safety-critical applications and systems. Anyone who can influence train control systems could, in an extreme case, set switches and endanger the lives of passengers. It is clear that many of our projects with customers from the public transport sector revolve around two goals: greater security and greater digital sovereignty.
Just over 10 years ago, a majority of the currently 593 transport companies moved individual areas of their IT to the cloud—such as their office or SAP systems. However, when it came to anything related to rail and infrastructure-critical IT, transport companies exercised restraint: they typically continue to manage these on their own servers when dispatching, controlling, or switching trains. But this high degree of sovereignty comes at a considerable cost: they also have to defend their servers against cyberattacks themselves—which is not part of the companies' core competencies. Smaller transport operators in particular, do not feel confident in this area.
Now that European cloud offerings provide the highest level of sovereignty for security-critical applications, the industry is determining which workloads can be used in which cloud environments. Naturally, it is trying to balance the issues of sovereignty, security, and cost-effectiveness; however, this is not straightforward. There are areas in which monetary arguments take a back seat: whenever passenger welfare is at stake, there is no question that railways must insist on the maximum level of self-determination and security—even if this comes at the cost of higher expenses and reduced scope of services.
The fact that we are currently so focused on sovereignty across all industries is linked to the geopolitical disruptions of recent times. At the latest summit on European digital sovereignty, it became clear that a high degree of self-determination is also crucial for the competitiveness of companies and strengthens resilience against cyberattacks. Even before that, the admission by the chief legal officer of Microsoft France that his company could not guarantee that EU data would be secure before being transferred to the United States had unsettled the business world. The realization has grown that Europe must free itself from dependencies—this applies not only to the field of technology, but also to energy, raw materials, and security. For this reason, transport companies are now classifying their workloads, assigning security levels, and only then deciding which infrastructure is the right one. Because the concept of digital sovereignty is multifaceted and not every application requires the same level of protection. In principle, three levels can be distinguished.
1. Data sovereignty: This is about where data is stored and which legal framework governs it. Thanks to the GDPR, Europe is well positioned here—personal data is stored and processed in the EU. For many applications in the transport sector, such as the retrospective analysis of journeys or capacity analyses, this level of protection is sufficient.
2. Operational sovereignty: It goes one step further and describes, for example, how much transparency and control a company has over the operational processes of its IT provider. Who has access to the data center? Who administers the systems? Can services be restricted or shut down without warning—for example, due to geopolitical decisions? For dispatching and planning systems in rail transport, meaning everything that happens before a train departs, operational sovereignty is essential.
3. Technological sovereignty: This is the most demanding level. The company must be able to control the entire tech stack—from hardware to the operating system to the application. If necessary, it must be able to switch quickly to another vendor without jeopardizing operations. For everything that happens while a train is running—train control, interlockings, signaling technology—this level is non-negotiable.
These three levels can best be illustrated along the operational process of a train journey: Before the journey: This level encompasses capacity planning, rotation planning, timetable creation, and dispatching. This is where operational processes are organized—systems that must not fail, but which do not directly affect life and limb. Operational sovereignty is the benchmark. During the journey: This concerns train control, signaling technology, signaling systems, and switch operations—and thus the highest safety level. Malicious interference with these systems could cost human lives. Economic arguments therefore take a back seat. Technological sovereignty is a must. After the journey: Here, operational data is analyzed, punctuality is evaluated, and processes are optimized. In most cases, data sovereignty suffices—the data must be protected, but the operational pressure is lower.
Public transport is not the first industry to grapple with these questions. There are proven solutions for different levels of sovereignty. The digital health ID, which gives millions of statutory insured individuals access to electronic patient records, runs on the BSI-certified Open Sovereign Cloud. T-Systems thereby guarantees the healthcare industry data and technology sovereignty while maintaining scalability. The warning app NINA can simultaneously notify millions of users in emergencies. As a critical system for national security, we operate it on a private cloud; here we had to ensure operational sovereignty. At Deutsche Telekom, too, we have assigned our workloads to different levels of sovereignty and built a hybrid cloud strategy on this basis.
How can transport operators achieve the highest level of security and sovereignty?
1. Clustering: First, determine which systems require which level of sovereignty—from office IT to signal boxes
2. Workload analysis: Evaluate data sensitivity, availability requirements, and the regulatory environment for each application
3. Migration: Assign software to the appropriate sovereignty level: the spectrum ranges from hyperscaler offerings to sovereign cloud versions through to private cloud.
The result is not a monolithic approach, but a hybrid cloud model that balances sovereignty, security, and economic efficiency. It's not only the public transport sector that has the opportunity to make Germany and Europe more independent. For this purpose, we provide T Cloud, a sovereign, highly available, and secure cloud environment to industries with sensitive sovereignty requirements. T Cloud ensures that sensitive infrastructure and operational data remains within national and European boundaries—a decisive factor for critical infrastructures such as the rail network.
1 Europe's path to digital sovereignty, Bitkom, November 2025
2 Number of cyber incidents against critical infrastructure increased, Zeit, January 2025
3 Threat situation of Critical Infrastructures, BSI, June 2025
4 The future of Cloud in 2029, Gartner, May 2025
