News

Comment on the article "US Clouds and Swiss Data Sovereignty"

The latest Netzwoche article highlights how large US cloud providers can pose a strategic risk to public authorities and companies in Switzerland. In an interview with Dominika Blonski, data protection officer for the canton of Zurich, it becomes clear that US laws such as the Cloud Act can have an impact on data, even if it is physically stored in Switzerland. This applies in particular to sensitive personal data and the use of cloud services provided by large hyperscalers.

What is at the heart of the debate?

  • The US Cloud Act allows US authorities to access data from US providers worldwide, even without formal administrative assistance channels.  
  • Even with local data centers, the law does not change the fundamental applicability of US law for companies and public authorities.  
  • The discussion has shifted from pure cloud outsourcing to the risks of AI services and personal data.  

The problem is not new, but it is becoming increasingly pressing: Swiss decision-makers are under pressure to reconcile the efficiency and innovative power of large clouds with the protection of fundamental rights and legal control. At the same time, there is often a lack of clear strategies on how digital sovereignty can be systematically implemented.

Why this is relevant for Swiss companies

Dependence on US clouds is not just a theoretical risk. For many companies, Microsoft Azure, AWS, or Google Cloud are part of their standard IT equipment. These services offer advantages in terms of scalability and functionality, but at the same time , they can be subject to data access outside Swiss jurisdiction.  

A key point of criticism is that promises such as "data remains local" or "data boundary models" do not automatically protect against access if the cloud provider itself is subject to US law.

Swiss perspectives on digital sovereignty

Parallel to the Netzwoche debate, politicians and administrations are increasingly addressing issues of digital self-determination. The Digital Switzerland 2026 strategy emphasizes the importance of digital sovereignty as a government objective, for example in the context of e-government standards. Federal agencies have also issued guidelines on dealing with digital sovereignty in order to systematically address dependencies.  

For companies, this means:

  • Sovereignty is not just a legal issue, but a strategic decision for architecture, data storage, and partner selection.
  • Clear criteria are needed for risk analyses of cloud providers, especially when it comes to sensitive data and AI integrations.
  • A blanket rejection of international clouds is not automatically effective, but blind trust is risky.

Critical assessment

The arguments against US clouds are important, but they should not be generalized:

  • Not all US providers pose the same level of risk. Differences exist depending on contract terms, encryption models, and additional services.
  • Swiss companies face the challenge of balancing competitiveness and risk control. Completely local solutions can be expensive and technically demanding.
  • Data protection risks arise not only from cloud locations, but also from internal IT operations, inadequate encryption, or a lack of governance processes.

Conclusion

The Netzwoche debate highlights a real but complex tension between efficiency, innovation, and digital self-determination. For Swiss companies, this means strategically reviewing which data and applications are operated in which cloud environment. Digital sovereignty is not a state, but a process: it requires conscious architectural decisions, continuous risk analysis, and a clear definition of protection requirements.

Classification from ORIA's perspective

Digital sovereignty is not an ideological counter-model to international clouds, but rather a question of control, accountability, and legal clarity. This is precisely where ORIA comes in.

ORIA was developed for organizations that want to operate their data and workloads in Switzerland without sacrificing professional cloud architectures. The decisive factors are not only the location of the data centers, but also who is responsible for their operation, access, and decision-making authority. Swiss law, Swiss operators, and clear governance are key elements in this regard.

ORIA deliberately does not position itself as a replacement for all hyperscaler scenarios. Rather, it is about a differentiated cloud strategy in which sensitive data, critical applications, and regulatory-relevant workloads can be operated confidently.

Call to action

  • Companies and organizations should now examine which data and applications actually need to be operated independently.
  • A cloud strategy without legal and geopolitical risk analysis falls short.
  • Dialogue between IT, legal, and management is crucial.

Anyone interested in exploring the question of how digital sovereignty can be implemented in practice will find further information and concrete architectural approaches from a Swiss perspective at oria.ch.