
Marc H.
Too Long; Didn't Read
Schrems II, GDPR and the US Cloud Act also affect Swiss companies - especially when you have EU customers. Digital sovereignty does not mean hosting everything yourself. It means consciously deciding who has access to your data. Most Swiss companies underestimate the issue. Until an EU customer asks where their data is located.

The wake-up call came in 2020
July 2020. The European Court of Justice invalidates the Privacy Shield. Overnight, millions of data transfers to the U.S. become unlawful.
"But we’re in Switzerland," you say. "That doesn’t affect us."
Wrong.
If you have EU customers, process EU data, or work with EU partners, then it affects you directly.
What is digital sovereignty, really?
The term is used excessively. Some people understand it as: host everything yourself, avoid the cloud, go back to your own server room.
That’s nonsense.
Digital sovereignty means: Consciously controlling who has access to your data—without crippling your business.
It’s not about self-sufficiency. It’s about deliberate dependency.
You can use the cloud. You should, in fact. But you should know:
- Where is your data physically stored?
- Who can access it—and under which legal framework?
- What happens if laws change?
These are not paranoid questions. These are business questions.
The problem with U.S. cloud providers
AWS, Azure, Google Cloud—all three are U.S. corporations. And this is where the Cloud Act comes into play.
The U.S. Cloud Act allows American authorities to access data—regardless of where it is physically stored. A data center in Frankfurt operated by Microsoft? U.S. authorities can still come knocking.
This is not theory. This is applicable law.
For you as a Swiss company, this means: if you use a U.S. cloud provider, you have a potential legal risk. Not today. Maybe not tomorrow. But at some point, an EU customer might ask. Or a supervisory authority.
The Schrems II trap
The Schrems II ruling tore a hole in the Standard Contractual Clauses (SCCs). These were the contractual clauses companies used to legitimize data transfers to the U.S.
The problem: SCCs alone are no longer enough. You need additional measures—encryption where only you hold the key, technical safeguards ensuring U.S. authorities cannot gain access.
Many companies carry on as before and hope no one takes a close look.
That works. Until it doesn’t.
(A company we know just lost due diligence for an M&A deal. The reason? Their cloud infrastructure was "not Schrems II compliant." The deal was dead.)
Four paths to sovereignty
Okay, enough problem description. What can you do?
Path 1: Swiss cloud
There are countless Swiss providers that deliver the same coverage and quality as Big Tech for most business use cases. Data remains in Switzerland. No U.S. Cloud Act.
The reality: a smaller feature scope than hyperscalers. More expensive per gigabyte. But: direct support, understandable contracts, real say in decisions.
An SME we supported switched. In this case, it led to short-term additional costs (because the U.S. marketing subsidy did not materialize). After the SME’s first EU customer explicitly asked for Swiss data residency, the issue resolved itself. Naturally, after a prior ToC assessment and business case.
Path 2: European cloud providers
OVHcloud, Scaleway, IONOS, Hetzner – European alternatives with an EU parent company. No U.S. Cloud Act, GDPR-compliant by design.
The reality: feature-wise, they are not at the level of hyperscalers. Their data center capacity is large, though, so at least the simplest use cases are covered.
For many Swiss companies, this is the pragmatic middle ground—especially if EU customers are the primary target group. A German parent company is often more trustworthy to EU customers than a U.S. provider with an EU data center.
Path 3: Hyperscalers with EU regions
You stay with hyperscalers, but exclusively in EU data centers. With additional contracts, additional encryption, additional guarantees—if possible, of course. Unfortunately, this is often only feasible for very large companies. Hyperscalers do not make additional contracts with SMEs…
But it is a compromise. The U.S. parent company remains a residual risk. Yet with the right technical measures, quite a lot can be set up.
Path 4: Hybrid
Critical data in Switzerland. Everything else with hyperscalers.
- Customer data, patient records, financial data → Swiss cloud analytics
- Marketing, public content → Hyperscaler data center in Europe
This is more complex. But it gives you the best of both worlds: sovereignty for sensitive data, scalability for the rest.
We go deeper into this topic in "You chose the wrong MSP and now you are".
The five most common mistakes
1. "Sovereignty = host everything yourself"
Wrong. A server in the basement does not make you sovereign. It only makes you slow and vulnerable. Sovereignty means control, not self-sufficiency.
2. "Data in Switzerland = problem solved"
Wrong. If the cloud provider is a U.S. corporation, location does little to change the legal risk.
3. "We have contracts, so everything is legal"
Wrong. Contracts do not give you control and security. Technical measures do—if they are possible at all.
4. "This doesn’t affect us, we’re in Switzerland"
Wrong. As soon as you have EU customers or EU data, EU rules apply. Period.
5. "Set it up once, then done"
Wrong. The legal situation changes. NIS2 is here. New rulings are coming. The geopolitical landscape shifts. Sovereignty is a process, not a project.
More on this in our article "Outsourcing saves money. Or does it?"
The point
Digital sovereignty is not a tech issue. It is a business issue, and it is risk management.
It’s not about avoiding clouds or hosting everything yourself. It’s about making conscious decisions. Knowing where your data is. Controlling who has access.
The companies that take this seriously win EU customers. They pass due diligence audits. They sleep better.
The others? They hope no one takes a close look.
(Spoiler: At some point, someone will take a close look.)


