International Collaboration

How the Cyber Resilience Alliance will share threat intel across borders.

Mansfeld-Südharz, Germany - October 30, 2025

A federated data model that keeps every bit on German soil while still lighting up SOCs from Lisbon to Ljubljana

The most fragile component of any international partnership is not the fibre but the legal envelope around the photons. When we began sketching the threat-intelligence federation that the Cyber Resilience Alliance wants to activate next year, the first question was not “how fast can we push STIX objects?” but “how do we move indicators without moving people?” The answer had to satisfy three masters at once: the German Federal Data Protection Act, the forthcoming NIS2 implementing acts, and the economic reality that a five-person SOC in rural Portugal cannot afford counsel to interpret 27 national derogations. What we ended up with is less a pipeline than a lattice: every node keeps its raw logs, only anonymised technical artefacts travel, and the transport itself is a zero-knowledge relay that never learns who is talking to whom. The result is threat intelligence that arrives faster than email yet carries less personal data than a phone book.

The architecture starts with a hardened TAXII server planted inside each member region—initially Saxony-Anhalt, South Tyrol and Zeeland, with Brno and Bari joining in Q2 2026. Each server is a single-tenant Kubernetes pod running inside a sovereign cloud that is physically located in the respective jurisdiction: German data stays in the Leipzig uplink, Italian data in the CINECA facility in Bologna, Dutch data in the Flevoland neutral data hotel. The pod is bound to a FIPS 140-3 hardware security module that generates its own signing key on first boot; the private half never leaves the HSM, and the public half is uploaded to a consortium directory that is itself a Merkle tree stored on an immutable ledger anchored in the county courthouse. This choreography means that even if a court order compels one operator to hand over server images, the request terminates at the jurisdictional border—no foreign subpoena can reconstruct the global graph because no single node ever possesses it.

Data minimisation is enforced at the source. Before a log line is eligible for export, it passes through a three-stage anonymiser that truncates IPv4 and IPv6 addresses to /24 and /56 prefixes respectively, replaces email local-parts with one-way BLAKE3 hashes keyed with the tenant secret, and rounds timestamps down to the hour. The remaining fields—protocol, port, file hash, user-agent, TLS JA3 fingerprint—carry no identity but remain operationally useful: a Suricata rule generated from the truncated telemetry fires on the same malware family whether the victim was a dentist in Dessau or a mayor in Brno. Strictly speaking, the keyed email hash is pseudonymisation rather than anonymisation, because whoever holds the tenant secret can recompute it; that secret therefore stays inside the originating node next to the raw logs, so no recipient can reverse the mapping. The anonymiser is packaged as an eBPF probe, so the export-eligible copy is produced in kernel space before anything reaches disk, removing the chance that an administrator exports a raw file by hand. Because the probe is signed with the same HSM key that anchors the TAXII server, any tampering with its code breaks the signature chain and isolates the node from the federation within seconds.
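The three reductions described above, plus the export allowlist that does the actual minimisation, written out as an added example (this is illustrative code, not the Alliance's eBPF probe). It assumes a parsed log record as a dict; keyed BLAKE2b from the Python standard library stands in for the keyed BLAKE3 the text describes, and the tenant secret, field names and sample record are constructed for the example.

```python
import hashlib
import ipaddress
from datetime import datetime

# Constructed stand-in for the per-tenant secret; in the federation it would live in the
# HSM and is never exported alongside the data.
TENANT_SECRET = b"example-tenant-secret-do-not-use"

# Allowlist: only these fields may leave the node, and several only after reduction.
EXPORT_FIELDS = {"ts", "src_ip", "dst_ip", "proto", "dport", "file_sha256",
                 "user_agent", "ja3", "user"}


def truncate_ip(ip: str) -> str:
    """Reduce an address to its /24 (IPv4) or /56 (IPv6) prefix."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 56
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False))


def pseudonymise_email(email: str, secret: bytes = TENANT_SECRET) -> str:
    """Replace the local part with a keyed one-way hash and keep the domain.

    Keyed BLAKE2b is used because BLAKE3 is not in the standard library (assumption);
    the construction, a hash keyed with the tenant secret, is the same.
    """
    local, sep, domain = email.rpartition("@")
    if not sep:
        raise ValueError("not an email address")
    digest = hashlib.blake2b(local.encode(), key=secret, digest_size=16).hexdigest()
    return f"{digest}@{domain}"


def truncate_timestamp(ts: str) -> str:
    """Round an ISO-8601 timestamp down to the hour, keeping its UTC offset."""
    dt = datetime.fromisoformat(ts)
    return dt.replace(minute=0, second=0, microsecond=0).isoformat()


def anonymise_record(rec: dict) -> dict:
    """Apply the allowlist and the per-field reductions to one parsed log record."""
    out = {}
    for field, value in rec.items():
        if field not in EXPORT_FIELDS:
            continue  # hostname, raw line, session id etc. never leave the node
        if field in ("src_ip", "dst_ip"):
            value = truncate_ip(value)
        elif field == "user":
            value = pseudonymise_email(value)
        elif field == "ts":
            value = truncate_timestamp(value)
        out[field] = value
    return out


# Constructed sample record, roughly what a parsed Suricata/Zeek-style event looks like.
SAMPLE = {
    "ts": "2025-10-30T14:37:21+01:00",
    "hostname": "praxis-pc-07.dessau.example",
    "src_ip": "192.0.2.77",
    "dst_ip": "2001:db8:abcd:1234:5678::1",
    "proto": "tcp",
    "dport": 443,
    "user": "m.mustermann@dentist.example",
    "user_agent": "Mozilla/5.0",
    "ja3": "771,4865-4866,0-23-65281,29-23-24,0",
    "file_sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
    "raw_line": "...",
}

if __name__ == "__main__":
    import json
    print(json.dumps(anonymise_record(SAMPLE), indent=2))
```

The allowlist is the part that matters most: a denylist of "known personal fields" silently leaks whatever new field the next sensor version adds, whereas an allowlist leaks nothing until someone deliberately adds it.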

The second safeguard is a purpose-built routing protocol we jokingly call “STIX-over-LoRa”, although it actually rides on standard HTTPS. Instead of pushing indicators to a central broker, each node broadcasts a Bloom filter of the hashes it is willing to share; a neighbouring node tests the hashes it has already seen in its own telemetry and alerts against that filter and requests only the objects it lacks. Two properties of the filter matter here: it never yields a false negative, so nothing a peer holds is missed, but it can yield a false positive, so a request may come back empty and the filter must be sized for an acceptable false-positive rate. The exchange is therefore pull-based and reciprocal: you only receive what you asked for, and you only asked for what you deemed relevant. That design choice removes the legal headache of “purpose limitation” because the receiving SOC itself defines the purpose at the moment of the pull. Logs of the pull request are stored locally, time-stamped and signed, creating an audit trail that satisfies both the BSI’s cloud-audit guidelines and the Dutch Data Protection Authority’s incident-report template without ever revealing the content of the shared indicator.
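The advertise-match-pull cycle above, as an added example that is not the Alliance's own protocol code. It assumes each node holds a library of STIX objects keyed by indicator hash plus a set of hashes observed locally but not yet enriched; the Bloom filter, node names, indicator hashes and the HMAC used to sign audit entries are constructed for the example.

```python
import hashlib
import hmac
import json
import math
import time


class BloomFilter:
    """Minimal Bloom filter sized from the expected item count and target false-positive rate.
    Two 64-bit halves of one SHA-256 digest drive double hashing (h1 + i*h2), so peers
    compute identical bit positions without agreeing on anything but m and k."""

    def __init__(self, n_expected: int, fp_rate: float = 0.01):
        n = max(1, n_expected)
        self.m = max(64, math.ceil(-n * math.log(fp_rate) / (math.log(2) ** 2)))
        self.k = max(1, round(self.m / n * math.log(2)))
        self.bits = bytearray((self.m + 7) // 8)

    def _positions(self, item: str):
        d = hashlib.sha256(item.encode()).digest()
        h1 = int.from_bytes(d[:8], "big")
        h2 = int.from_bytes(d[8:16], "big") | 1
        return [(h1 + i * h2) % self.m for i in range(self.k)]

    def add(self, item: str) -> None:
        for p in self._positions(item):
            self.bits[p >> 3] |= 1 << (p & 7)

    def __contains__(self, item: str) -> bool:
        return all(self.bits[p >> 3] & (1 << (p & 7)) for p in self._positions(item))

    def to_wire(self) -> dict:
        return {"m": self.m, "k": self.k, "bits": self.bits.hex()}

    @classmethod
    def from_wire(cls, msg: dict) -> "BloomFilter":
        bf = cls.__new__(cls)
        bf.m, bf.k, bf.bits = msg["m"], msg["k"], bytearray.fromhex(msg["bits"])
        return bf


class Node:
    """One peer: STIX objects keyed by hash, hashes observed locally, and a keyed audit log."""

    def __init__(self, name: str, library: dict, observed: set, audit_key: bytes):
        self.name, self.library, self.observed = name, dict(library), set(observed)
        self.audit_key, self.audit_log = audit_key, []

    def advertise(self) -> dict:
        """Broadcast step: a filter of the hashes this node is willing to share."""
        bf = BloomFilter(len(self.library))
        for h in self.library:
            bf.add(h)
        return bf.to_wire()

    def plan_pull(self, peer_filter: dict) -> list:
        """Request only hashes we saw locally, lack in our library, and the peer probably has."""
        bf = BloomFilter.from_wire(peer_filter)
        return sorted(h for h in self.observed - set(self.library) if h in bf)

    def serve(self, requested: list) -> dict:
        """A Bloom hit only means 'probably present': false positives are simply omitted."""
        return {h: self.library[h] for h in requested if h in self.library}

    def ingest(self, peer: str, requested: list, received: dict) -> dict:
        """Store the objects and append an HMAC-signed audit entry (what was asked, what came back)."""
        self.library.update(received)
        entry = {"ts": int(time.time()), "peer": peer,
                 "requested": requested, "received": sorted(received)}
        body = json.dumps(entry, sort_keys=True).encode()
        entry["mac"] = hmac.new(self.audit_key, body, "sha256").hexdigest()
        self.audit_log.append(entry)
        return entry


def pull_round(consumer: Node, producer: Node) -> dict:
    """One exchange in the producer -> consumer direction; run it twice, swapped, for reciprocity."""
    requested = consumer.plan_pull(producer.advertise())
    received = producer.serve(requested)
    consumer.ingest(producer.name, requested, received)
    return received


def indicator(sha256: str) -> dict:
    """Constructed STIX-like indicator object for a file hash."""
    return {"type": "indicator", "pattern": f"[file:hashes.'SHA-256' = '{sha256}']"}


# Constructed indicator hashes: three held by the producer, one nobody has.
H_A, H_B, H_C, H_UNKNOWN = "aa" * 32, "bb" * 32, "cc" * 32, "99" * 32

if __name__ == "__main__":
    producer = Node("saxony-anhalt", {h: indicator(h) for h in (H_A, H_B, H_C)}, set(), b"key-a")
    consumer = Node("zeeland", {H_A: indicator(H_A)}, {H_A, H_B, H_UNKNOWN}, b"key-b")
    print(pull_round(consumer, producer))  # only H_B travels; H_C was never asked for
```

Note what never crosses the wire: the consumer does not learn that the producer holds H_C, because it never observed it and therefore never asked, and the audit entry records hashes only, never the indicator content.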

"We do not move data across borders; we move mathematical ghosts that point at danger without pointing at people."

To keep the lattice honest, we embedded a cryptographic commitment we call a “consistency receipt” (a Merkle-root commitment rather than a zero-knowledge proof in the strict sense, although it discloses nothing about the bundles). Every hour each TAXII server computes the Merkle root of all new STIX bundles it has emitted, then submits the root to a smart contract running on an Ethereum side-chain that is validated by all consortium nodes. If a node later retroactively deletes or modifies an indicator, the recomputed Merkle root will not match the receipt, and the smart contract automatically publishes a revocation notice to every peer. The beauty of the mechanism is that it guarantees integrity without disclosing what was shared, so even the validator nodes learn nothing about the underlying threat. The side-chain itself is gas-funded by a consortium pool seeded with 50 000 € of converted membership fees, enough to cover a decade of hash submissions at current gas prices; if ether spikes, the contract can be migrated to a rollup without breaking the receipt chain.
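The receipt mechanism above, as an added example that is not the Alliance's contract or server code: a Merkle root over the hour's bundles, the verification that catches a retroactive deletion or edit, and an inclusion proof that lets a node show a peer that one bundle was in the committed set without revealing the others. The side-chain submission is out of scope (the receipt is just a dict here); the hash choices, node name, period label and sample bundles are assumptions made for the example.

```python
import hashlib
import json


def leaf_hash(bundle: str) -> bytes:
    """Hash of one serialised STIX bundle; 0x00 prefix domain-separates leaves from inner nodes."""
    return hashlib.sha256(b"\x00" + bundle.encode()).digest()


def node_hash(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(b"\x01" + left + right).digest()


def merkle_root(leaves: list) -> bytes:
    """Root of a binary Merkle tree; an odd level duplicates its last node."""
    if not leaves:
        return hashlib.sha256(b"").digest()  # empty hour: fixed sentinel root
    level = list(leaves)
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])
        level = [node_hash(level[i], level[i + 1]) for i in range(0, len(level), 2)]
    return level[0]


def issue_receipt(node: str, period: str, bundles: list) -> dict:
    """What a node submits each hour: root and count only, nothing about the bundles."""
    root = merkle_root([leaf_hash(b) for b in bundles])
    return {"node": node, "period": period, "count": len(bundles), "root": root.hex()}


def verify_receipt(receipt: dict, bundles: list) -> bool:
    """Auditor side: recompute from the node's current bundle store and compare.
    Any deletion, edit or reordering since the receipt was issued changes the root."""
    recomputed = issue_receipt(receipt["node"], receipt["period"], bundles)
    return recomputed["root"] == receipt["root"] and recomputed["count"] == receipt["count"]


def inclusion_proof(bundles: list, index: int) -> list:
    """Sibling hashes from leaf to root, each tagged with the side it sits on."""
    level = [leaf_hash(b) for b in bundles]
    proof = []
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])
        sibling = index ^ 1
        proof.append((level[sibling].hex(), "left" if sibling < index else "right"))
        level = [node_hash(level[i], level[i + 1]) for i in range(0, len(level), 2)]
        index //= 2
    return proof


def verify_inclusion(bundle: str, proof: list, root_hex: str) -> bool:
    """Peer side: rebuild the path from one bundle and its proof; no other bundle is needed."""
    h = leaf_hash(bundle)
    for sibling_hex, side in proof:
        s = bytes.fromhex(sibling_hex)
        h = node_hash(s, h) if side == "left" else node_hash(h, s)
    return h.hex() == root_hex


# Constructed sample bundles for one hour (assumed node name and period label).
SAMPLE_BUNDLES = [
    json.dumps({"type": "bundle", "id": f"bundle--{i}", "objects": []}, sort_keys=True)
    for i in range(3)
]

if __name__ == "__main__":
    receipt = issue_receipt("saxony-anhalt", "2025-10-30T14", SAMPLE_BUNDLES)
    print(receipt)
    print("intact:", verify_receipt(receipt, SAMPLE_BUNDLES))
    print("after deletion:", verify_receipt(receipt, SAMPLE_BUNDLES[:2]))
```

Serialise bundles canonically (sorted keys, fixed whitespace) before hashing; otherwise a harmless re-serialisation on the node looks like tampering to the auditor.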

Finally, the human layer is governed by a lightweight data-processing agreement that is shorter than most NDAs—four pages, 1 800 words—because every clause refers back to the technical controls instead of re-inventing them. The DPA explicitly states that no personal data leaves the originating jurisdiction; that any accidentally received personal data must be deleted within 24 hours; and that each node maintains a 365-day local audit log that can be inspected by the regional data-protection authority without prior notice. Those three obligations are enforced through the same HSM-backed signatures: if a node fails to purge, the signature chain breaks and the node is automatically delisted from the Bloom broadcast, a technical sanction that is faster and more effective than any court proceeding. In six months of pilot operation we have seen three accidental leaks of personal data—two IP addresses and one email address—each of which was erased and re-hashed within the 24-hour window, generating a revocation receipt that is now part of the consortium’s shared compliance library.

The net result is a federation that shares threat intelligence at continental speed while remaining atomically local in legal terms. A ransomware binary hash observed in Bitterfeld appears in the Suricata ruleset of a Portuguese water utility 92 seconds later, yet the only data that crossed the border was a 64-byte BLAKE3 digest that reveals nothing about the German dentist who triggered the alert. That is the kind of collaboration Europe was promised when the Digital Decade strategy was announced, but it has been missing until now because the legal scaffolding was always an after-thought. By hard-wiring data protection into the routing layer, we have turned sovereignty from a constraint into a feature: the more jurisdictions join, the stronger the privacy guarantees become, because every new node adds another shard to the cryptographic lattice. When twenty regions are live next year, the lattice will be dense enough that no single member can reconstruct the global picture even if it wanted to, a practical realisation of the EU’s mantra that unity should never come at the expense of diversity.


The Cyber Resilience Alliance is a public-private partnership established in 2025, led by CypSec, Validato and the County of Mansfeld-Südharz. The Alliance operates a sovereign private-cloud security stack, a shared SOC and a cyber academy, aiming to make Mansfeld-Südharz the reference site for rural cyber resilience by 2030.

Media Contact: Daria Fediay, Chief Executive Officer at CypSec - daria.fediay@cypsec.de.
