Digital sovereignty in Switzerland: What companies need to know

Digital sovereignty is not a new topic in Switzerland, but it is being reassessed due to the current situation.
International tensions, increasing geopolitical uncertainties, and legal frameworks such as the US CLOUD Act are causing Swiss companies to take a closer look:

Where is our data really located?
Who could access it in an emergency?
And what happens when political conditions change?

International cloud providers, including the US company Microsoft, are coming into particular focus. The discussion has now progressed to the point where some companies are exploring alternatives. Microsoft has responded with a recent statement outlining its specific assessment and implementation of digital sovereignty in Switzerland.

What does digital sovereignty mean?

Digital sovereignty describes the ability of companies and organizations to exercise autonomous control over their data and digital processes. This includes, among other things:

Data location Where is data stored?

Access Control: Who has access to sensitive information?

Technological independence: – Can the company decide for itself which tools and services to use, without restrictions from external providers?

This capability is essential, especially for sensitive sectors such as healthcare, public administration, and financial institutions. Only those who retain control over their data can meet regulatory requirements while simultaneously maintaining the trust of customers and partners.

Why is digital sovereignty so relevant right now?

The discussion about digital sovereignty is not new. In Switzerland, it has been ongoing for years, particularly in regulated sectors. What is new, however, is the intensity and breadth of the demand.

More and more customers are asking specific questions about data control.
Legal frameworks and international legal norms, such as the US CLOUD Act, are coming more into focus.
Companies want to combine innovation and agility with security.

Microsoft takes a stand: What does this mean exactly?

With a detailed blog post on the Microsoft News page The company recently outlined how digital sovereignty will be implemented in Switzerland. Several videos were also released, explaining the key points.

Where is data stored and who can access it?

For Swiss customers, the storage location of their data and maximum control over where the data is located, how it is accessed, and how it is processed are of paramount importance. Microsoft offers several multi-layered security measures:

Swiss cloud regions since 2019

Microsoft operates cloud regions near Zurich and Geneva so that customers can store their data within national borders if needed, while also meeting disaster recovery requirements.

EU data limit...

…means that public and private sector customers in the EU/EFTA (including Switzerland) can store and process their data within the EU/EFTA regions. This includes customer data, pseudonymized personal data, and professional services data, including Microsoft 365, Dynamics 365, Power Platform, and most Azure services.

No backdoors in the encryption

Microsoft does not provide any government with encryption keys or the ability to disable Microsoft's encryption.

No direct or unimpeded access by authorities

Microsoft reviews every governmental data request, only discloses data when legally required, and limits any disclosure to specific accounts identified in a valid order.

Customer-managed encryption keys

The encryption is managed solely by the customer, so Microsoft itself has no access to decrypted data.

Data Guardian principle

Support access from abroad is only permitted under EU supervision.

Control and approve access

For Microsoft 365 and selected services, Customer Lockbox allows you to review and approve data access requests from technicians, as well as control related activities.

Microsoft 365 Copilot...

…expands the in-country processing of Copilot interactions to 15 countries by the end of 2026 – including Switzerland.

Microsoft 365 Local and Azure Local

This solution offers the possibility to run Microsoft services on local hardware in the company's own data center, instead of in the public cloud. This is a particularly reliable way for companies with high data control requirements to maintain sovereignty over their own data.

Defending Your Data Commitment

We will contest any official request for data from public sector or corporate clients if there is a legal basis for doing so. We are committed to transparency regarding official data requests.

Our classification

Digital sovereignty is a strategic design challenge.

Who today:

Critical data properly classified,
Realistically assessed dependencies
integrates regulatory requirements early on and
deliberately designed its cloud architecture,

can operate in an innovative, safe and compliant manner.

We would be happy to support you in developing a solution that is optimally tailored to your company – whether on-site, from the redIT Private Cloud in Swiss data centers or via the public cloud.