Data Sovereignty: A current Swiss Imperative in the Digital Age

In Switzerland, the topic of data sovereignty is currently being intensely debated in public. The head of the Swiss Armed Forces, Thomas Süssli, has recently publicly criticized the fact that central government IT systems, including Microsoft Cloud Solutions such as Microsoft 365, are unsuitable for sensitive data and has argued in favor of infrastructures under full domestic control. His argument is that, under existing regulations, a large portion of classified military data cannot be securely processed in the Microsoft Cloud. Therefore, a private or alternative cloud solution with full control must be urgently examined. He also calls for an exit strategy from existing cloud services and the development of independent, self-controlled systems.

In parallel, Privatim, the Conference of Swiss Data Protection Authorities, has adopted a resolution that effectively places strong restrictions on the use of international SaaS cloud services, including Microsoft, AWS, or Google, by public authorities for particularly sensitive or confidential data. Privatim emphasizes that many cloud providers do not offer genuine end-to-end encryption in which only the data controller holds the keys and the provider has no access. Without this level of technical sovereignty, authorities would face a significant loss of control.

These debates have garnered significant media attention because they extend far beyond military or government IT: discussions regarding digital independence, cloud-exit strategies, and national data sovereignty are increasingly shaping public opinion and the political agenda in Switzerland.

Why is Data Sovereignty so Important?

1. Protection of Sensitive Data and Citizens’ Rights

Data sovereignty means that a state, an organization, or an individual retains full control over where and how data is stored and processed. When data is stored in cloud systems operated by providers subject to foreign legal jurisdictions, access by authorities in those countries cannot be ruled out, even if the data is physically located in Switzerland. This is particularly emphasized in connection with the US Cloud Act, which allows US authorities, under certain conditions, to access data even if it is stored outside the United States.

2. Legal and Political Independence

A sovereign approach to data strengthens the legal independence of public institutions and protects them from extraterritorial interference. Authorities must be able to ensure that no foreign legislation overrides their decisions on data access and that confidential information is not disclosed without control. Data sovereignty thus becomes a fundamental pillar of state credibility and trustworthiness.

3. A Foundation of Trust for Business and Innovation

Companies often choose technology partners based on efficiency and cost. However, if this results in a loss of control over their data, risks arise for trade secrets, compliance, and reputation. Swiss companies, especially those in sensitive sectors such as healthcare, finance, or research, therefore have a strong interest in sovereign data platforms.

What companies can do: Strategies for genuine Data Sovereignty

1. Full Control Over Encryption and Key Management

The strongest protection exists when only the data controller holds the keys. This means:
• Implementing end-to-end encryption where only the company possesses the keys.
• Ensuring that cloud providers have no technical ability to access decrypted data.

2. Use of Sovereign or Local Cloud Providers

Companies can turn to Swiss or European cloud providers that:
• Are subject to local data protection standards.
• Operate their services with a high level of transparency and clearly defined data ownership.
Examples include specialized providers like Managed and Private Clouds that operate with strong data protection principles.

3. Hybrid or Multi-Cloud Strategies

Not all data needs to be treated the same way. Sensitive or regulated data can be kept on-premises or in private clouds, while less critical data can be processed in scalable external clouds, under clearly defined contractual and technical safeguards.

4. Strengthening Internal Governance

Companies should define internal policies and responsibilities so that data classification, risk assessment, and technology selection decisions are carried out in a more transparent and controlled manner.

5. Technical and Legal Due Diligence

Before implementing cloud services, careful examination of the legal framework, data flow processes, access rights, and security architecture is essential. This allows risks to be systematically minimized.

Final Thoughts

Data sovereignty has become a strategic necessity for Switzerland. As digital dependencies and regulatory pressures increase, organizations must actively decide how and where their data is processed. Those that invest early in sovereign data strategies strengthen trust, reduce risk, and secure long-term independence and competitiveness.