
Digital Sovereignty for Swiss Companies - Between EU Regulation and Local Requirements
Marc H.,
Dec 15, 2025
Too Long; Didn't Read
Schrems II, GDPR and the US Cloud Act also affect Swiss companies - especially when you have EU customers. Digital sovereignty does not mean hosting everything yourself. It means consciously deciding who has access to your data. Most Swiss companies underestimate the issue. Until an EU customer asks where their data is located.

The Wake-Up Call Came in 2020
July 2020. The European Court of Justice overturns the Privacy Shield. Overnight, millions of data transfers to the USA become illegal.
"But we are in Switzerland," you say. "That doesn't affect us."
Wrong.
If you have EU customers, process EU data, or work with EU partners - it directly affects you.
What Is Digital Sovereignty Really?
The term is overused. Some understand it as: Hosting everything yourself, avoiding clouds, returning to your own server room.
That's nonsense.
Digital sovereignty means: Consciously controlling who has access to your data - without crippling your business.
It is not about autonomy. It's about conscious dependence.
You can use the cloud. You should even. But you should know:
- Where are your data physically located?
- Who can access it - and under what law?
- What happens if laws change?
These are not paranoid questions. These are business questions.
The Problem with US Cloud Providers
AWS, Azure, Google Cloud - all three are US corporations. And this is where the Cloud Act comes into play.
The US Cloud Act allows American authorities to access data - no matter where it is physically located. A data center in Frankfurt, operated by Microsoft? US authorities can still knock on the door.
This is not theory. This is applicable law.
For you as a Swiss company, this means: If you use a US cloud provider, you have a potential legal risk. Not today. Maybe not tomorrow. But someday an EU customer might ask. Or a regulatory authority.
The Schrems-II Trap
The Schrems-II ruling tore a hole in the Standard Contractual Clauses (SCCs). These were the contractual clauses that companies used to legitimize data transfers to the USA.
The problem: SCCs alone are no longer sufficient. You need additional measures - encryption where only you have the key, technical guarantees that US authorities do not get access.
Many companies continue as before and hope that nobody looks closely.
That works. Until it doesn't work anymore.
(A company we know just lost due diligence for an M&A deal. The reason? Their cloud infrastructure was "not Schrems-II compliant." The deal was dead.)
Four Ways to Sovereignty
Okay, enough problem description. What can you do?
Way 1: Swiss Cloud
There are countless Swiss providers that deliver the same coverage and quality for most company use cases as Big Tech. Data remains in Switzerland. No US Cloud Act.
The reality: Smaller feature scope than the hyperscalers. More expensive per gigabyte. But: Direct support, understandable contracts, real say.
An SME we accompanied has switched. In this case it led to short-term additional costs (since the US marketing subsidy did not come). After the SME's first EU customer explicitly asked for Swiss data storage, the issue was resolved. Of course, this followed a prior ToC assessment and business case.
Way 2: European Cloud Providers
OVHcloud, Scaleway, IONOS, Hetzner – European alternatives with an EU parent company. No US Cloud Act, GDPR compliant by design.
The reality: Feature-wise not on the level of the hyperscalers. Large data center capacities, which means at least the simplest use cases are covered.
For many Swiss companies, the pragmatic middle way – especially when EU customers are the primary target group. A German parent company is often more trustworthy for EU customers than a US provider with EU data centers.
Way 3: Hyperscalers with EU Regions
You stay with the hyperscalers, but exclusively in EU data centers. With additional contracts, additional encryption, additional guarantees - if possible, of course. Unfortunately, usually only the very large companies succeed at this. Hyperscalers do not make additional contracts with SMEs...
It is a compromise. The US parent company remains a residual risk. But with the right technical measures, much can be set up.
Way 4: Hybrid
Critical data in Switzerland. Everything else with the hyperscalers.
Customer data, patient records, financial data → Swiss cloud analytics
Marketing, public content → Data center of a hyperscaler in Europe
This is more complex. But it gives you the best of both worlds: sovereignty for the sensitive, scaling for the rest.
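The hybrid split can be checked against an inventory of data stores. The following is an added example, not part of the original article: the store names, region codes, the EUROPE set and the severity labels are assumptions made for illustration, and the rules encode only what the article states (critical data in Switzerland, a US parent company remains a risk regardless of region, a key only you hold as the additional technical measure).

```python
from dataclasses import dataclass

# Data classes the article places in a Swiss cloud under Way 4.
SENSITIVE = {"customer", "patient", "financial"}
# Assumed region codes treated as "Europe" for this example.
EUROPE = {"CH", "DE", "FR", "IE", "NL"}

@dataclass
class Store:
    name: str
    data_class: str           # "customer", "patient", "financial", "marketing", "public"
    parent_jurisdiction: str  # country of the provider's parent company
    region: str               # where the data physically sits
    customer_held_key: bool   # encrypted with a key only you hold

def audit(stores):
    """Return (store, severity, reason) for placements that break the hybrid model."""
    findings = []
    for s in stores:
        sensitive = s.data_class in SENSITIVE
        us_parent = s.parent_jurisdiction == "US"
        if sensitive and us_parent and not s.customer_held_key:
            # Mistake 2: the region does not change the parent's legal exposure.
            findings.append((s.name, "high", f"US parent, region {s.region}, no customer-held key"))
        elif sensitive and us_parent:
            findings.append((s.name, "residual", "US parent, mitigated by customer-held key"))
        elif sensitive and s.region != "CH":
            findings.append((s.name, "review", f"critical data outside Switzerland ({s.region})"))
        elif not sensitive and us_parent and s.region not in EUROPE:
            findings.append((s.name, "review", f"hyperscaler region outside Europe ({s.region})"))
    return findings

# Constructed inventory, not taken from any real environment.
INVENTORY = [
    Store("crm-db", "customer", "US", "CH", False),
    Store("patient-archive", "patient", "CH", "CH", False),
    Store("ledger", "financial", "US", "DE", True),
    Store("invoices", "financial", "DE", "DE", False),
    Store("website-assets", "marketing", "US", "DE", False),
    Store("campaign-data", "marketing", "US", "US", False),
]

if __name__ == "__main__":
    for name, severity, reason in audit(INVENTORY):
        print(f"{severity:8} {name:16} {reason}")
```

Note that crm-db is flagged although it sits in a Swiss region: the provider's parent company, not the data center location, decides the finding.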
The Five Most Common Mistakes
1. "Sovereignty = host everything yourself"
Wrong. A server in the basement doesn't make you sovereign. It just makes you slow and vulnerable. Sovereignty means control, not autonomy.
2. "Data in Switzerland = problem solved"
Wrong. If the cloud provider is a US corporation, the location changes little about the legal risk.
3. "We have contracts, so everything is legal"
Wrong. Contracts don't give you control and security. Technical measures do, where they are possible at all.
4. "This doesn't affect us, we are in Switzerland"
Wrong. As soon as you have EU customers or EU data, EU rules apply. Period.
5. "Set it up once, then you're done"
Wrong. The legal situation changes. NIS2 is here. New judgments come. The geopolitical situation shifts. Sovereignty is a process, not a project.
The Point
Digital sovereignty is not a tech topic. It is a business topic and it is risk management.
It's not about avoiding clouds or hosting everything yourself. It's about making conscious decisions. Knowing where your data is. Controlling who has access.
The companies that take this seriously win EU clients. They pass due diligence checks. They sleep better.
The others? They hope that no one looks closely.
(Spoiler: Eventually, someone does look closely.)

Copyright © 2025 ODCUS | All rights reserved.

