Digital Sovereignty: four decisions that can’t wait 

Digital sovereignty and data security were high on the agenda for most Swiss companies in 2025. In 2026, it’s all about concrete decisions: where do we need absolute control, and where do we accept dependencies because we benefit from innovation? 

23 December 2025, Text Lukas Hebeisen, Head of Cloud, Swisscom &Tanja Dujic, Marketing Manager, Swisscom; Image: Swisscom 
  4 min

In conversations with IT leaders, I’ve been hearing the same question for two years now: How much sovereignty do we really need – and where does overregulation begin?

My answer is always the same: sovereignty is not a question of all or nothing. It’s a question of conscious decisions. It helps to recognise that Swiss companies today are operating in a tension that simply didn’t exist five years ago. On the one hand: American hyperscalers with very high innovation speed. On the other: European regulations and geopolitical uncertainty that turn every cloud decision into a strategic one. 

The US Cloud Act of 2018 gives US authorities the right to request data from US companies – even if that data is stored on servers in Switzerland. In practice this happens rarely and only in the case of concrete suspicions of criminal activity. But the legal risk exists, and for many compliance officers, that is enough. 

In Switzerland, the requirements were tightened in November 2025 at the conference of the Swiss data protection officers(opens in new tab) “privatim”: public authorities should only use international SaaS services for sensitive data if end-to-end encryption is in place and the provider has no access to the keys. Many common US services do not fulfil this requirement. 

For the moment, these rules apply only to the public sector. But regulated industries – banks, insurers, healthcare – tend to align themselves with the standards set by government bodies. 

Public Cloud, Private Cloud, hybrid solutions and more: Swisscom offers companies a comprehensive and versatile range of cloud-based IT services.

Four decisions that need to be taken now 

From projects with companies in different industries, I see four decisions that IT leaders and executive boards need to make today. 

Actively manage lock-in 

No company is completely independent – nor does it have to be. The question is: how much dependency is acceptable for your business model? 
A dominant hyperscaler brings speed, an ecosystem and innovation. But it also brings dependency in terms of pricing, technology and jurisdiction. Multi-cloud architectures create options to switch, but also increase complexity and governance effort. 
The key is not to avoid lock-in altogether. The key is to decide consciously where you accept it – and where you don’t. 

Create a data map 

Many companies only have a rough idea of where their critical data actually resides. Cloud contracts were signed years ago, data volumes have grown, and the overview has been lost. 
Without a clean data map, any discussion about sovereignty remains abstract.

  • Which data is business-critical?
  • Which is personal data?
  • Which is particularly sensitive under regulation?
  • Where is it stored, processed and replicated – and under which jurisdiction? 


This transparency is the prerequisite for every further decision.  

‘Sovereignty does not come from the location of a data center alone.’

Lukas Hebeisen, Head of  Cloud, Swisscom

Rethink your cloud architecture 

The question is no longer “cloud, yes or no?”. It is: how do you combine a sovereign foundation with global cloud capabilities? 
In practice, one pattern is emerging: critical workloads and sensitive data run on sovereign platforms in Switzerland. Development, innovation and less sensitive applications make use of public cloud services. Everything is governed by a unified security and governance model. 
Sovereignty does not arise from the location of a data centre alone. It arises from architecture, processes and clear responsibilities. 

Ensure exit capability 

58 percent of Swiss companies name dependency on hyperscalers as their biggest concern. But how many of them have a functioning exit plan? 

Exit capability does not mean switching providers tomorrow. It means being able to do so if necessary – without putting operations at risk. That requires documented interfaces, portable data formats and tested migration paths. 

Governance: who is accountable? 

Digital sovereignty is not just an IT topic. It concerns business strategy, risk management, compliance, security and operations alike. 

The decisive question is: who in your organisation is truly responsible today – and also has the mandate to stop decisions when sovereignty is at risk? 
If accountability is diffuse, others will end up making the decisions for you: providers, business units or short-term project goals. 

Questions I ask leadership teams

  • Which three digital dependencies worry you the most? 
  • Do you know where your most critical data is processed today? 
  • Where do you consciously accept lock-in – and where would an exit scenario be mandatory?
  • Which workloads do you have to keep in Switzerland, and why? 
  • Who internally is the person who is allowed to say “stop”? 


If you don’t have clear answers to several of these questions, a conversation is worthwhile. 

Cloud & AI: Swiss trends, risk, strategies

Discover how cloud and AI are shaping digital transformation in Switzerland, what risks are involved, and why clear strategies are crucial.

More interesting articles