Digital sovereignty is no longer just a catchword for data protectionists and skeptics – it has become a strategic necessity for Swiss SMEs. In a world where data is the new oil, and geopolitical tensions between the US and Europe are growing, the question "Who owns my infrastructure?" becomes increasingly urgent.
In this article, I explain what digital sovereignty means, why it's critical for SMEs, and how you can take practical steps to maintain your independence – without having to abandon cloud technology in the process.
What does digital sovereignty actually mean?
Digital sovereignty has several layers, and the term is often interpreted too narrowly:
- Data sovereignty: You know where your data is physically stored and under which legal jurisdiction it falls.
- Technological control: You are not locked in to a single vendor and can switch your systems if necessary.
- Legal independence: Your data is not subject to unauthorized access through laws like the US Cloud Act.
- Operational resilience: You have backup and emergency strategies in case your primary provider fails or becomes unavailable.
This does not mean you cannot use the cloud. It means rather that you consciously decide where data lies and who has access to it.
The US Cloud Act and its impact on Switzerland
This is where it gets concrete: The US Cloud Act is an American law that allows US law enforcement to request data from American companies – regardless of where the data is physically stored. This means that if you store your data in a Microsoft data center in Switzerland, but the owner is an American company, the US government can, under certain circumstances, demand access.
For Swiss SMEs, particularly those in regulated industries (financial services, pharmaceuticals, energy), this is a significant risk. While GDPR and the new Swiss Data Protection Act (nLPD) offer protection, they cannot fully protect against US laws.
Practical example from consulting: A Swiss fintech wanted to store its customer data in Microsoft 365. After careful analysis, we realized that its customer data (highly sensitive) could be made accessible to US law enforcement under the Cloud Act. Solution: Critical customer data now runs on Swiss-hosted solutions, with Microsoft used only for less sensitive data.
The Swiss and European perspective
Switzerland is consciously positioning itself as a country that takes digital sovereignty seriously. The Swiss Federal Council updated the Digital Switzerland Strategy in 2026 and named digital sovereignty as one of its three focus areas. This is no accident – it's a response to growing geopolitical tensions and dependency on a few large tech corporations.
Concretely, this means: There are now real alternatives to hyperscaler-based solutions. Swiss data centers (e.g., Infomaniak, Green, Exoscale) offer cloud services that operate under Swiss legal jurisdiction. The FADP (Federal Act on Data Protection) provides a stable, predictable legal framework – in contrast to constantly changing US laws.
The practical strategy: Hybrid Cloud
I see a common misconception among many SMEs: They think that digital sovereignty means you must abandon the cloud or only use small local providers. This is false.
The practical reality for mid-sized enterprises looks like this:
- Critical data and workloads (e.g., financial data, trade secrets, customer data): Swiss or European infrastructure.
- Less sensitive applications (e.g., development, testing, non-critical tools): Can run on global cloud providers.
- Standard applications (e.g., collaboration like Microsoft 365, but only for non-critical data): Carefully evaluated, with clear data protection policies.
This hybrid strategy is not only more secure, but also more economical – you don't use the most expensive infrastructure everywhere, but allocate cleverly.
Five practical steps toward greater digital sovereignty
1. Data mapping: Where do my data live?
Before you can change anything, you need to know where your data currently resides. This is often surprising – many SMEs have no overview. Create a simple table: Which applications? Which data? Where physically stored? Under which legal jurisdiction? This takes one to two weeks and is the foundation for everything that follows.
2. Classification: What is critical, what is not?
Not all data are equal. Classify your data by criticality: Public, Internal, Confidential, Top Secret. This determines later where they are allowed to run.
3. Check vendor independence: Can I switch providers?
For critical systems, check: Could I switch providers if I wanted to? Or am I completely locked in? The lack of an exit plan is a classic sovereignty risk. A good provider should enable data migration without major obstacles.
4. Use open standards where appropriate
Where possible, use open standards instead of proprietary solutions. This makes it easier to switch providers. This doesn't mean you have to completely abandon Microsoft or similar – but for example with documents: Open formats like PDF or ODF instead of proprietary formats help with long-term archiving and control.
5. Establish governance: Clear rules for new systems
When you introduce a new tool – whether SaaS, cloud, or database – it should go through a governance process. Question: Is it GDPR-compliant? Is it under Swiss jurisdiction? Does it fit into my classification? A simple process prevents your IT from growing wild and losing control.
Microsoft 365, Salesforce and Co. – are these tools still justifiable?
A common question: Can I still use Microsoft 365 if sovereignty matters to me? The answer: Yes, but with conditions.
Microsoft has provided better protection with the "EU Data Boundary" (since February 2025) – data from Swiss companies is processed within Europe. For less critical data (e.g., internal collaboration, not customer data), this is acceptable. For highly sensitive data, I would not recommend Microsoft 365 alone.
The most important thing is awareness – consciously decide where which data lives, rather than just following the default settings.
Conclusion: Sovereignty is a continuous process
Digital sovereignty is not a state you achieve and then check off. It is a continuous process of monitoring, evaluation, and adaptation. The good news: You don't have to choose between innovation and control. With a thoughtfully planned hybrid cloud strategy, you can have both.
The key is to make conscious decisions – instead of simply following the large cloud provider that is currently selling most aggressively.
Strengthening Digital Sovereignty?
I help SMEs analyze their data dependencies and develop a resilient IT strategy – with clear control over critical data and systems, without sacrificing innovation.
Schedule a free initial consultation