Private-Sector Innovation

The core of public cyber-resilience goals.

Mansfeld-Südharz, Germany - October 4, 2025

Keeping the profit motive while sharing the IP

The conventional wisdom says the public sector should set the goal and the private sector should build the tool, preferably at arm’s length and behind a nondisclosure agreement. That model works well for roads and railways, but it collapses in cyber space where the half-life of any tool is measured in months and where the attacker gets a copy of the manual the moment it ships. The Cyber Resilience Alliance was therefore conceived with the opposite polarity: private-sector innovation is not a supplier relationship; it is a substrate that the county co-owns, co-steers and can replicate without asking permission. The trick is to align return on capital with return on continuity, so that every euro a vendor earns also buys one more hour of uptime for the local waterworks. What follows is not a manifesto but a ledger: how we turned three product road-maps into public capability while keeping both the investors and the auditors asleep at night.

The first rule is to separate the invention from the instantiation. CypSec retains ownership of the core code base—fuzzing engine, deception grid, policy compiler—because that is where the venture capital sits and because venture capital expects liquidation preference. But the Alliance receives a perpetual, royalty-free, irrevocable licence to instantiate, modify and redistribute any version that has been tested inside the county perimeter. The legal clause is boringly called “Local Sovereign Instance Right,” yet its effect is radical: it gives the public body the same freedom a Linux distributor has with the kernel. If tomorrow the vendor decides to sunset a module or to triple the licence fee, the county can fork the last stable build, maintain it with local talent, and stay compliant without writing a purchase order. The investors are comfortable because the clause is geographically bounded: the Alliance may deploy inside the Federal Republic and inside any EU member state that joins the consortium, but it may not sell the fork on the open market. That limitation preserves the commercial channel for the vendor while creating a protected commons for the public mission, a compromise that satisfied both the venture fund and the county’s lawyers who still remember the trauma of vendor lock-in during the Windows XP end-of-life.

The second mechanism is milestone-based IP escrow. Every feature that is earmarked for public-critical infrastructure—say, a post-quantum key-management layer—enters a three-stage gate: prototype, hardening, sovereignty review. At each gate 25 % of the source code is deposited with a neutral escrow agent (in our case the regional chamber of commerce, which has century-old experience guarding trade secrets for local machine-tool makers). Once the final gate is cleared, the county receives a complete, buildable tarball plus a cryptographic hash that proves completeness. If the vendor ever abandons the product or is acquired by a geopolitical competitor, the escrow triggers automatically and the Alliance can maintain the feature without negotiating bankruptcy courts or export-control hearings. The first asset to enter escrow was the deception-grid orchestrator, a 210 000-line Rust project that now runs the county’s shared SOC. The escrow event never fired, but its presence alone reduced the annual maintenance quote by 18 % because the vendor knows that price-gouging would simply activate the public fork. Sovereignty, it turns out, is cheaper than monopoly.

The third instrument is open-capital formation. Instead of waiting for Berlin to appropriate funds, the Alliance issues tokenised revenue-participation notes that local SMEs can buy with a minimum ticket of 5 000 €. The notes carry no equity dilution; they simply entitle the holder to a pro-rata share of the membership fees that the Alliance collects from federation participants. The coupon is capped at 6 % per annum and the principal is repaid from operating surplus after year five. The twist is that every euro invested must be matched by an in-kind contribution: free training hours, lab space, or mentorship to local apprentices. The result is a capital stack that is 40 % cash and 60 % community labour, turning the innovation project into a local employment scheme that also happens to produce zero-day detection signatures. Last year a family-owned plastics moulding shop subscribed 25 000 € and threw in 500 hours of CNC workshop time that we used to mill aluminium heat-sinks for the edge-gateway fleet. The shop now earns a 4.2 % coupon, the apprentices learned to mill IP65 enclosures, and the Alliance obtained a component that is proudly stamped “Made in Sandersleben” when we show it to Brussels auditors.

"We did not privatise risk; we socialised innovation and let the vendors keep the upside—provided the county keeps the lights on."

The fourth layer is rotational engineering staff. Every quarter, two engineers from each vendor parent rotate into the Alliance technical office for eight weeks, paid by their home company but reporting to the county CIO for the duration. The rotation is not goodwill; it is contractually baked into the joint-venture articles because public-sector staff need to smell the codebase if they are expected to maintain it during a crisis. Conversely, county IT employees spend the same eight weeks inside the vendor HQ, learning how product decisions are made and which Slack channels to haunt when a zero-day drops at 2 a.m. The exchange creates a bilingual workforce: people who speak both Python and procurement, who can read a balance sheet and a BPF trace, and who carry institutional memory back to the public side once the rotation ends. After eighteen months, 30 % of the county’s permanent cyber staff carry vendor badges in their desk drawer, not as souvenirs but as credentials that let them open pull requests without going through a sales representative. That is how sovereignty is really built: by sharing neurons, not just source code.

The final safeguard is the sovereignty dividend: any intellectual property that is wholly or co-funded by public grants is automatically licensed back to the public sector under the EU’s “government-purpose rights” clause, but with a usage ceiling set at 125 % of the original grant value. The ceiling prevents the public sector from competing commercially while still allowing unlimited deployment for civic ends. A practical example: the Alliance spent 1.2 M€ of county and EU money hardening the post-quantum VPN core; the vendor retained commercial rights, but the county can deploy the module across every municipal utility until the cumulative deployment value reaches 1.5 M€ (125 % of 1.2 M€), at which point a new royalty-free licence must be negotiated. The meter currently stands at 0.8 M€, meaning we can still stretch the existing licence across three more wastewater plants before any further talks. The clause gives vendors a predictable revenue horizon and gives the public side a predictable sovereignty horizon, a compromise that kept both the venture capitalists and the auditors asleep during the last annual review.

What emerges from these five layers is a circular economy of innovation: private capital finances risky R&D, public grants de-risk the final mile, local SMEs supply labour and machining, and the county obtains a sovereign instance that can survive bankruptcy, acquisition or geopolitical whim. The vendors, in return, receive a reference deployment that shortens their enterprise sales cycle anywhere in the EU, because nothing persuades a sceptical CISO like a live plant that has survived both Conti ransomware and a BSI audit. The profit motive is intact, but it points in the same direction as the public mission: the more resilient the county becomes, the more credible the vendor’s product becomes, and the more both sides earn—one in euros, the other in continuity. That alignment is the real innovation; the code is just along for the ride.


The Cyber Resilience Alliance is a public-private partnership established in 2025, led by CypSec, Validato and the County of Mansfeld-Südharz. The Alliance operates a sovereign private-cloud security stack, a shared SOC and a cyber academy, aiming to make Mansfeld-Südharz the reference site for rural cyber resilience by 2030.

Media Contact: Daria Fediay, Chief Executive Officer at CypSec - daria.fediay@cypsec.de.
