22 April 2026

Cloud Usage And Digital Sovereignty: Strategic Options For Swiss Authorities

Bär & Karrer


Cloud services form an integral part of modern administrative work. At the same time, when federal, cantonal and municipal authorities outsource data processing, they must comply with data protection requirements, confidentiality obligations such as official secrecy and information security regulations, while ensuring long-term operational capacity. In the public debate – which has gained additional momentum due to current political developments in the US – the focus is currently on the use of US cloud services by Swiss authorities in the context of digital sovereignty¹.² This debate was intensified by the resolution published in November 2025 by privatim, the Conference of Swiss Data Protection Commissioners, which can be read as a de facto ban on the use of hyperscalers in public administration. This thrust is also already becoming concrete in procurement: for example, the FOPH’s tender for the SwissHDS infrastructure (February 2026) stipulates that all infrastructure components must not be technically or legally dependent on external jurisdictions (e.g., the US CLOUD Act).

Digital sovereignty of Swiss authorities means neither self-sufficiency nor isolation, but rather the ability to manage and control the use of external digital services independently. This briefing categorises the arguments presented, highlights areas of tension and provides orientation for the use of the cloud in administration. The analysis shows that there are no completely risk-free solutions: Every option – be it a US cloud service, a Swiss or European provider, an on-premises or open-source solution – requires case-by-case trade-offs between functionality, security, sovereignty and operational costs.

A. KEY MESSAGES

  • Digital sovereignty means neither self-sufficiency nor isolation, but rather the ability of public authorities to manage and control the use of external digital services independently.
  • The US CLOUD Act does not establish a direct right of access by US authorities to data stored abroad. Production orders require a court order, reasonable suspicion and a concrete purpose of criminal prosecution. Additionally, constitutional safeguards limit their reach.
  • Production orders under the US CLOUD Act primarily serve the investigation of serious crimes (such as terrorism and cybercrime). Ordinary administrative data such as project documents, statistics or personnel files are typically not the focus of US investigations.
  • Transparency reports from US hyperscalers confirm this: disclosures of content data from foreign enterprise customers to US law enforcement agencies are extremely rare (0.008% of all requests at Microsoft). No cases involving public sector customers are known to date (as of April 2026).
  • EU/CH cloud providers also do not guarantee complete freedom from risk. Subprocessors, global supply chains or emergency failovers in third countries can indirectly trigger extraterritorial access rights. Furthermore, there are often operational limitations regarding portfolio, scalability, support and certification depth, which can result in additional integration and testing efforts.
  • Open-source and on-premises solutions shift the entire burden of security and operational responsibility to the public authority and come with significant costs as well as specific cyber risks. Open-source projects are also subject to sanctions-related risks and supply chain risks. While on-premises solutions offer physical control, they are limited in terms of scalability and reliability.
  • Consequently, every (cloud) project requires a risk analysis, regardless of whether a US, EU, or Swiss provider, or an open-source or on-premises solution, is chosen. On this basis, the public authority must make a risk-based decision as to whether the remaining residual risks are acceptable and the project can be approved.

B. US CLOUD ACT: SCOPE, LIMITATIONS, AND PRACTICAL RELEVANCE FOR SWISS AUTHORITIES

I. LEGAL CLASSIFICATION: SIGNIFICANCE OF THE CLOUD ACT

The CLOUD Act, which entered into force in March 2018, clarifies the Stored Communications Act (SCA) and specifies that US authorities, in investigations related to serious crimes such as terrorism, violent crime, child sexual exploitation and cybercrime, may demand the production of communications data stored or processed by a provider subject to the CLOUD Act on the basis of a warrant, a subpoena or a court order, even if such data is stored on servers outside the United States. The purpose of the CLOUD Act is therefore to support investigations into serious crimes.

The personal scope of the CLOUD Act is broad: it covers all providers of electronic communication services or remote computing services that are based in the United States, have a branch there, or conduct business in the United States.

The key factor determining applicability is the US legal interpretation of "possession, custody or control." Under this interpretation, de facto or de jure control over data by a provider is sufficient, even if the data is stored in data centres in Switzerland or Europe. The CLOUD Act therefore establishes extraterritorial disclosure obligations that may potentially conflict with Swiss legal safeguards (such as administrative and judicial assistance).

Since the CLOUD Act is at the forefront of the current discussion, this briefing focuses on the CLOUD Act. This must be distinguished from Section 702 of the Foreign Intelligence Surveillance Act (FISA), which allows US intelligence agencies to conduct program-based collection of foreign intelligence data. Unlike the CLOUD Act, no individual court order is required. The authority to access data is based on a programmatic framework approved by the Foreign Intelligence Surveillance Court, which requires US providers to cooperate.

II. NO FREE PASS: THE CONSTITUTIONAL LIMITS OF THE CLOUD ACT

Despite the risks of a production order, blanket questioning of, or a general ban on, the use of US cloud services by Swiss authorities is not appropriate. When assessing the risks, the decisive factor is not merely the theoretical scope of US laws, but the existing legal safeguards that limit and control requests for data stored by Swiss authorities, as well as the practical likelihood that US authorities will actually access this data.

In this context, the formal disclosure orders under the CLOUD Act are counterbalanced by various constitutional safeguards and procedural guarantees that limit and structure such requests. For instance, data may only be disclosed based on a US court order if it is relevant to an ongoing criminal investigation in the United States. For such an order to be issued, there must be probable cause for a specific criminal offence, and the requested data must specifically contribute to the investigation or prosecution of that offence. A general, blanket, or merely interest-driven data request does not meet the requirements of the CLOUD Act.

Furthermore, the CLOUD Act does not stipulate that data must be automatically disclosed. Rather, the text of the law expressly provides for the possibility of challenging or modifying a court order if a provider falling within the scope of the CLOUD Act has reasonable grounds to believe that disclosure would violate the law of another country. This so-called comity analysis requires that, in the event of such objections, a US court can examine whether a disclosure obligation conflicts with the laws of the relevant foreign jurisdiction and, if certain conditions are met, modify or even vacate the order. In practice, this means that orders that do not meet legal requirements are not automatically enforced but are subject to a review process, thereby significantly limiting the theoretical scope of the CLOUD Act due to constitutional safeguards.

Finally, the CLOUD Act does not generally prevent cloud providers from informing affected customers about the disclosure of their data. In certain cases, however, an administrative or court order may restrict or temporarily prohibit such notification (gag orders), though such measures must be justified and limited in scope and duration.

III. TRANSPARENCY REPORTS FROM US CLOUD PROVIDERS: DATA DISCLOSURES AS A RARE EXCEPTION

The practical experience gathered since 2018 with such requests is also decisive. The transparency reports of major US cloud providers show that actual data disclosures involving enterprise customers are rare.

At Microsoft³, in the first half of 2025 (as in previous years⁴), fewer than 0.7% of global requests from law enforcement agencies involved enterprise customer data at all. In most cases, these requests were rejected, withdrawn or redirected in such a way that the authorities had to request the information directly from the customer. To the extent that corporate customer data was disclosed, the majority consisted of non-content data (e.g., basic subscriber information or IP logs), while content data was disclosed in only a minority of cases. Cross-border disclosures of content data remained rare: Microsoft provided content data to US authorities in five cases involving non-US enterprise customers whose data was stored outside the US. Only one of these cases involved a customer based in the EU, who was a contractor for the US government.

When viewed in relation to the total number of requests received by Microsoft since the CLOUD Act came into force, the rarity of requests based on the CLOUD Act becomes even more apparent: disclosures of content data from foreign enterprise customers to US law enforcement agencies accounted for only 0.008% of all global requests.⁵ According to Microsoft, none of these rare cases involved government agencies or state institutions.⁶

Amazon Web Services (AWS) states that, since records began, it has not disclosed any data from corporate customers or government agencies located outside the US in response to CLOUD Act orders,⁷ and follows a practice whereby requests are – where possible – first addressed to the customer itself. This practice reflects the fact that a duty to disclose exists only when there is a legally valid, binding order, and not automatically in response to every request for disclosure. Furthermore, AWS explicitly clarifies that neither the US government nor any other government is granted unrestricted or automatic access to customer data – including data stored in the cloud.⁸

IV. MINIMAL IMPACT OF CLOUD ACT ORDERS ON TYPICAL ADMINISTRATIVE DATA

The CLOUD Act does not generally limit the categories of data that can be requested – potentially, it covers all data stored by a provider subject to the CLOUD Act, regardless of its location. However, as mentioned, the stated purpose of the law is to enable access to electronic communications in the context of investigations into serious crimes, specifically terrorism, violent crime, child sexual exploitation and cybercrime. In practice, court-authorised production orders in US criminal proceedings typically focus on communication content (emails, chats, messages), communication metadata, and identity data, as these have the greatest evidentiary value for criminal investigations. Communication data is typically relevant for uncovering collusion or planning of crimes, and identity data is used to link accounts to real individuals. Technical system data, internal documents or personnel files, by contrast, are likely to be of interest only in specific investigative contexts and are significantly less frequently affected.

Swiss authorities, on the other hand, primarily store administrative data: internal documents, correspondence, project files, statistics or personnel files. These types of data are typically not of interest for investigations into terrorism, violent crime or cybercrime and are therefore significantly less exposed than, for example, the communication data of private users.

V. DIFFERENTIATED RISK ASSESSMENT INSTEAD OF BLANKET EXCLUSION

Against this backdrop, the risk of actual disclosure of content data to US law enforcement agencies is significantly lower than what a purely theoretical analysis of the CLOUD Act would suggest. Requests from US authorities cannot be ruled out – and this possibility must be considered in the risk assessment. However, concrete figures and established processes show that requests by US authorities for content stored outside the US by cloud services are rare and heavily regulated in real-world scenarios. This puts the practical relevance of the theoretical disclosure obligations into perspective, particularly regarding the use of cloud services by public authorities.

This does not mean that a low statistical risk constitutes an acceptable risk per se. Particularly in the public sector, even a single incident – such as the disclosure of intelligence-related information or documents sensitive to foreign policy – can have significant constitutional and political consequences. What is decisive, therefore, is not merely the probability of occurrence, but the interplay between probability of occurrence and the potential extent of damage. The protection needs analysis, to be conducted by the government agency, serves this purpose precisely: it determines the required level of protection for the information in question. Data subject to official secrecy has heightened confidentiality requirements. The results must be documented in a transparent manner in an information security and data protection (ISDP) concept. The protection needs analysis therefore ensures that data requiring a higher level of protection – regardless of the statistical rarity of an access attempt – is afforded an appropriate level of protection. In individual cases, this may also involve the use of additional technical protective measures or the decision not to outsource data to the cloud. A data protection impact assessment (DPIA) must also be conducted on a regular basis. It assesses the risks of data processing from the perspective of the data subjects, supplements the ISDP concept, and may trigger a prior review by the data protection supervisory authority.

In contrast, a blanket ban on the use of US cloud services does not do justice to this assessment: risks vary considerably depending on the data category, protection requirements and security measures in place, and technical, contractual and legal hurdles further reduce the likelihood that data will actually have to be disclosed in response to requests from US authorities. The fact that these hurdles cannot eliminate all risks completely does not argue against the use of US cloud services as such, but rather in favour of a differentiated, risk-based decision by the authority on a case-by-case basis.

C. ALTERNATIVES TO US CLOUD SERVICES: OPPORTUNITIES, LIMITATIONS AND SPECIFIC RISKS

The discussion is increasingly turning to other procurement options, ranging from cloud offerings from European and Swiss providers to open-source solutions and on-premises infrastructures. Since each of these options carries its own legal, technical and operational risks, they should not be treated across the board as lower-risk alternatives to the use of US cloud services. Here, too, operational suitability and risk profile must be carefully assessed.

I. CLOUD OFFERINGS FROM EU/SWISS PROVIDERS

1. Remaining extraterritorial disclosure obligations

The use of cloud offerings from EU/CH providers reduces the risk of a production order under the CLOUD Act, provided the provider is not subject to the CLOUD Act. Nevertheless, even such models are not free from risks regarding access from third countries. For example, foreign group companies, the use of subprocessors based in third countries or the involvement of global suppliers – such as through global content delivery network (CDN) or domain name system (DNS) chains, 24/7 support, or emergency failover in non-EU/CH regions – can indirectly trigger extraterritorial access rights or disclosure obligations.

A current example of this is the OVHcloud case: In late September 2025, the Ontario Superior Court of Justice upheld a production order against OVHcloud’s French parent company to transfer customer data stored in Europe to the Royal Canadian Mounted Police. The basis for this was the company’s presumed “virtual presence” in Canada through its subsidiary there. The case demonstrates that even such a corporate presence in a third country can trigger extraterritorial production orders, even if local law conflicts with this.

Furthermore, the EU Regulation on European Production and Preservation Orders for Electronic Evidence (E-Evidence Regulation) provides that, under certain conditions, authorities of EU member states will be able to issue cross-border production orders directly to service providers in other member states.

Regardless of this, access by authorities via international administrative and judicial assistance (e.g., based on the Second Additional Protocol to the Budapest Convention) remains possible. Such requests are not made directly through the cloud provider but are addressed to the competent domestic authority and are subject to the procedural requirements of administrative and judicial assistance (including the Swiss Federal Act on International Mutual Assistance in Criminal Matters).

2. Increased integration effort due to limited portfolio and platform maturity

In addition, EU/CH providers face de facto and operational risks compared to US hyperscalers. The service and application portfolio is often less broad or mature, particularly in the areas of AI and analytics functions, as well as platform and managed services, which can lead to additional and increased integration efforts or functional limitations. Interfaces and integrations are often less standardised, making migrations, automations and the operation of complex architectures – which are necessary in modern administrative work – more time-consuming, costly and prone to errors.

3. Limited scalability, support depth and certification coverage

In addition, the pace of innovation and release cycles is slower. Scalability and resilience also tend to be limited: EU/CH providers have fewer regions and availability zones as well as lower global network coverage, which results in higher latencies, tighter capacity limits and greater dependence on individual data centres.

In day-to-day operations, limitations are observed in incident response management and 24/7 support, for example regarding response times, escalation paths or language coverage. Certifications and compliance evidence also cover industry-specific frameworks less frequently. While larger, established cloud providers regularly hold recognised certifications such as ISO 27001 or SOC 2 Type II and proactively extend these to meet additional sector-specific requirements, smaller providers often lack not only the corresponding formal evidence but also the internal governance structures that would enable a reliable assessment of actual compliance with such frameworks.

4. Increased audit and validation effort due to the shift effect

This gap results in the testing and validation burden effectively shifting to the procuring authority, which must then ensure compliance with regulatory and security requirements itself through due diligence reviews, contractual audit rights and individual approval procedures. For authorities that already operate with limited personnel and technical resources in the areas of IT security, data protection law and procurement, this represents an additional burden. This burden is particularly acute when multiple smaller providers must be reviewed and monitored simultaneously, as each provider requires individual risk analyses, customised contract clauses and ongoing control mechanisms, without the synergy effects typically achieved when working with a certified large-scale provider.

In practice, this often leads either to a reduction in the depth of the review, which increases the risk of undetected compliance deficiencies, or to significant delays in procurement procedures because the necessary internal approval processes exceed available capacity. Finally, smaller providers are more heavily impacted by price fluctuations, market consolidation and insolvency risks, which must be considered in long-term planning.

II. OPEN-SOURCE SOLUTIONS

1. Operational and Legal Risks Associated with Self-Managed Operations

The administration’s own open-source solutions enable a high degree of control over operations, architecture and key management. They can therefore contribute to greater operational independence and protection against disclosure requests under the CLOUD Act. However, such requests cannot be completely ruled out even with open-source solutions, for example, if operations are conducted via the infrastructure of a provider subject to the CLOUD Act. Regardless, self-managed operation requires a permanent staff of sufficiently qualified specialists, clearly defined security and operational processes, and reliable 24/7 operation.

In addition to operational risks, there are also specific legal and factual risks: These include security vulnerabilities resulting from delayed updates, misconfigurations in complex software stacks, insufficient monitoring (e.g., lack of vulnerability monitoring, inadequate dependency tracking) and compliance risks due to a lack of licence management, particularly in connection with copyleft licences. Added to this are liability and warranty issues, as open-source software is regularly provided “as is,” which assigns corresponding responsibility to the authorities. The authority bears full operational responsibility in this regard: system failures, compliance violations or security incidents resulting from insufficient documentation of architecture and dependencies, concentration of expertise in individual personnel or delayed patch deployment are entirely at its own expense.

Independent operation also entails significant costs: in addition to ongoing personnel costs for specialised staff, there are expenses for infrastructure, security audits, licence compliance and continuous development. The total cost of ownership for open-source solutions is often underestimated, as these costs arise not from licence fees but from operational and maintenance expenses.

2. Sanctions, Supply Chain and Cyber Risks

There are also sanctions-related risks associated with the (further) development and, indirectly, the use of open-source software. The most significant current operators of open-source software hosting platforms are based in the US or listed on US stock exchanges. As such, they are subject to the US sanctions regime, which may require them to restrict access for sanctioned developers to avoid violations of the US sanctions regime. If a Swiss public authority obtains open-source software from such hosting platforms, changes to the sanctions regime – such as expansions of sanctions lists or the inclusion of new countries and organisations – can pose significant risks to operation, maintenance and further development. The example of the Linux kernel demonstrates that such risks are not merely theoretical: In October 2024, eleven Russian kernel developers were removed from their roles for compliance reasons, illustrating the operational dependence of large open-source projects on the sanctions status of individual developers.

In addition, specific cyber risks exist: Because of its publicly viewable codebase, open-source software can be specifically targeted for vulnerabilities. There is also the risk of supply chain attacks, in which malicious code is injected via compromised dependencies or manipulated contributions – as illustrated by the backdoor discovered in March 2024 in the xz-utils library, which had been successfully embedded in the code by the still-unknown actor “Jia Tan” but was detected in time before it could spread widely.

Similar considerations apply to open-source hardware, the use of which is also associated with availability and supply chain risks.

III. ON-PREMISES SOLUTIONS

1. Limitations in Scaling, Resilience and Hardware Dependencies

On-premises solutions, in which the systems are fully under the authority’s control (in the authority’s own server room, in the authority’s own data centre, or at a colocation provider with exclusive authority access), strengthen physical control over infrastructure and data. However, this is offset by specific operational, legal and economic risks. For example, scaling is often limited in the event of short-term increased demand, the risk of failure is higher compared to large cloud infrastructures, and there are dependencies on hardware supply chains.

2. Sole responsibility for security and operations without task sharing

In addition, there is an increased need for qualified specialists to operate an on-premises solution. The government agency must meet and demonstrate compliance with all operational and security requirements – including protection against cyber risks – on its own. Unlike the Shared Responsibility Model, in which cloud providers and customers share responsibilities and the provider assumes key security and operational tasks, with on-premises solutions, the agency bears sole responsibility for availability and recovery, data integrity and traceability, archiving and retention obligations, as well as data protection and information security overall. This includes technical and organisational security measures, access controls, role-based and segregation concepts, as well as emergency and recovery processes.

In addition, there are significant investment and operating costs, as well as additional challenges in procurement and operation, such as those related to renewal cycles, vendor lock-in, and maintenance and support contracts.

D. CONCLUSION: RISK-BASED CASE-BY-CASE DECISION MAKING AS THE KEY TO LEGALLY COMPLIANT CLOUD USAGE

The above analysis shows that the CLOUD Act does not constitute a general obstacle to the use of US cloud services by Swiss authorities: Actual figures and established procedures demonstrate that requests by US authorities for content data stored outside the United States are rare in practice and subject to significant legal restrictions. Nevertheless, the public-law context in particular calls for a nuanced assessment: Since even a single incident can have significant constitutional and political consequences, it is not merely the probability of occurrence that matters, but its interaction with the potential extent of damage – which argues for a risk-based, case-by-case decision by the authority, not for a blanket exclusion of US cloud services.

Every (cloud) project therefore depends on a risk decision by the relevant authority, which must be based on its own, well-founded risk analysis. Every cloud solution – whether from a US, Swiss or European provider – is, just like an authority’s own open-source and on-premises solutions, fraught with specific legal, factual and operational challenges. The authority must systematically identify the specific risks, considering the protection requirements of the information in question, assess the extent to which they are mitigable, and, as part of an informed decision, determine whether the remaining residual risks are acceptable and the project can be approved.

The risk analysis may reveal that for certain projects – such as those involving intelligence-sensitive information or documents of foreign policy sensitivity – a hybrid approach is the more suitable solution. In such cases, for example, a public cloud service is specifically combined with an on-premises or open-source solution to meet different protection requirements.

This conclusion is also based on a contemporary understanding of digital sovereignty: digital sovereignty for Swiss authorities means neither self-sufficiency nor isolation, but rather the conscious ability to manage and control the use of external digital services independently. Relationships with external service providers are standard practice in modern administration and do not constitute a loss of sovereignty provided they are transparent, clearly defined and effectively manageable. A future-proof cloud strategy for the public sector will therefore not fail on the question of whether cloud services may be used, but rather on whether the authorities create the institutional, technical and legal prerequisites to shape this use independently, in a risk-based manner, and in accordance with the requirements of the rule of law.

Footnotes

1 The Federal Council defines digital sovereignty as the ability to exercise control and take action necessary for the fulfillment of state functions in the digital sphere (report “Digital Sovereignty of Switzerland” dated November 26, 2025, p. 6).

2 The question of whether cloud usage complies with official secrecy (Art. 320 SCC) and data protection obligations has been largely clarified: cloud providers may be engaged as auxiliary persons of the authority in the fulfilment of public duties, provided that they are carefully selected, instructed and supervised. They are thereby themselves subject to official secrecy. From a data protection perspective, outsourcing to a cloud provider constitutes commissioned processing and is permissible subject to the conditions set out in Art. 9 FADP. These two aspects are not discussed further in the present briefing.

3 https://cdn-dynmedia-1.microsoft.com/is/content/microsoftcorp/microsoft/msc/documents/presentations/CSR/MSFT-GRR-Enterprise-One-Pager-H1-2025.pdf

4 https://cdn-dynmedia-1.microsoft.com/is/content/microsoftcorp/microsoft/msc/documents/presentations/CSR/MSFT-GRR-Enterprise-One-Pager-H2-2024.pdf

5 https://news.microsoft.com/source/emea/2026/02/how-microsoft-is-addressing-digital-sovereignty-in-switzerland/

6 https://cdn-dynmedia-1.microsoft.com/is/content/microsoftcorp/microsoft/msc/documents/presentations/CSR/CLOUD-Act-What-it-is-and-is-not.pdf

7 https://d1.awsstatic.com/onedam/marketing-channels/website/aws/en_US/whitepapers/compliance/Amazon_AWS_Information_Request_Report_H2_2025.pdf

8 https://aws.amazon.com/compliance/cloud-act/
