
Swiss Ban on American SaaS

Bola Ogbara

Switzerland bans foreign SaaS providers and cloud services for cybersecurity and privacy concerns amid discourse about European digital sovereignty.

On November 24, 2025, Privatim, Switzerland’s Conference of Data Protection Officers, shared a resolution on outsourcing data processing to the cloud. The publication is making headlines for essentially banning the use of public hyperscale clouds and Software-as-a-Service (SaaS) by public bodies processing or holding personal data. Noting the widespread use of cloud-based software, and specifically naming Microsoft 365, the resolution argues that “before outsourcing personal data to cloud services, authorities must analyze the specific risks in each individual case, regardless of the sensitivity of the data, and reduce these risks to an acceptable level using appropriate measures”. Here are its five critical reasons to avoid outsourcing data to these services:

  1. The end-to-end encryption offered by most SaaS solutions is not enough to protect plaintext data from being accessed by the software provider. 

  2. Software providers may operate internationally and not provide enough transparency for Swiss authorities looking to confirm compliance around data protection and security regulations. Additionally, these providers can unilaterally change contract terms without notifying Swiss authorities. 

  3. SaaS applications do not allow for data protection control, and as such, the public can only react to violations of data rights and attempt to mitigate the depth of breaches by not sharing sensitive data.
     
  4. It is legally unclear if data with specific statutory confidentiality requirements can even be outsourced to third party cloud service providers. 

  5. US software providers may be obligated to give customer data (stored anywhere in the world, including in Swiss data centers) to US authorities under the 2018 CLOUD Act, which does not include an allowance for rules around international legal assistance.

The resolution concludes by suggesting there is only one secure way of using SaaS products: “The use of international SaaS solutions for particularly sensitive personal data or data subject to legal confidentiality obligations by public bodies is only possible if the data is encrypted by the responsible body itself and the cloud provider has no access to the key.”

Switzerland has a reputation for higher standards concerning cybersecurity and data protection, so the DPO resolution does not seem so surprising. In March, the country mandated reporting of cyberattacks on critical infrastructure operators within 24 hours of detection. Its 2020 Federal Act on Data Protection (FADP) was also amended this year to support privacy by design and privacy by default. It’s also true that Microsoft 365 has had encryption issues in the past. Furthermore, Switzerland is not the only country trying to move away from foreign, specifically American, SaaS providers.

The Netherlands made motions to distance itself from US cloud technology in March 2025. The Dutch parliament shared a plan to build its own cloud services so it wouldn’t be as reliant on American technology. State Secretary for Digitalization Zsolt Szabó described the current state as “risky”: “When considering which data we process in-house and which in the public cloud, risky strategic dependencies and market concentrations must be taken into account”.

These conversations are happening as part of a much larger discourse on European digital sovereignty, which may be somewhat inspired by US President Trump’s tariff policies. US companies Amazon, Microsoft, and Google together control almost 70% of the cloud market in Europe. The former French Minister of Industry and Energy, Agnès Pannier-Runacher, described the reliance on US technology as a “soft drug”. In Germany, a survey of 1,500 Information Technology (IT) decision makers found that 84.4% called for the use of European solutions in the public sector and critical infrastructure, but 40% of respondents felt highly reliant on non-European providers.

Clearly, these discussions have already inspired some changes. Since 2023, Amazon Web Services (AWS) has been developing “a new independent cloud for Europe, designed to help public sector organizations and customers in highly regulated industries meet their evolving sovereignty and compliance needs.” The AWS European Sovereign Cloud is set to launch by the end of 2025, which is rapidly approaching.

Of course, not everyone is excited about Europe’s move to distinguish itself from American cloud computing. Gaia-X, a Europe-specific “federated system linking many cloud service providers and users together”, was intended to improve digital sovereignty but received a mixed response. As it stands, there are not a lot of full-service alternatives to US cloud providers. On top of that, SaaS providers like Microsoft have shown at least some willingness to work with European standards, even announcing digital commitments in 2025, declaring plans to “continue to protect the privacy of European data” and to “help strengthen Europe’s economic competitiveness, including for open source.”

The Swiss push for different cloud services is bringing attention to the cybersecurity and privacy risks of depending on SaaS, particularly in non-American countries. Widespread dependency on a few providers has caused havoc before, as when the AWS outage in October hit social media platforms and banks alike. In any case, there will likely be more changes to European digital sovereignty to watch for in the new year as December comes to a close.