Swiss data protection officials have warned public bodies to avoid global cloud platforms that lack true end-to-end encryption, citing security blind spots, exposure to the US CLOUD Act, and concerns that foreign hyperscalers undermine Switzerland’s data sovereignty.
Swiss authorities say this warning on data sovereignty in the cloud marks a turning point in Europe’s evolving cloud strategy: governments increasingly believe that storing data domestically means little when foreign providers retain access to encryption keys.
Analysts note that this shift reflects a wider erosion of trust in Big Tech’s neutrality, especially when extraterritorial laws like the US CLOUD Act can compel access to sensitive information even if it is hosted in a Swiss data center, an issue tied to both data sovereignty and AI.
Data Sovereignty vs. Data Residency
The advisory from Privatim, the Conference of Swiss Data Protection Officers, cautions against using services such as Microsoft 365, Google Cloud, or Amazon Web Services (AWS) for highly sensitive public-sector data. This aligns with longstanding fears about data sovereignty in the cloud, which critics say remains poorly addressed by major providers.
When it comes to implementing data sovereignty solutions, “most SaaS solutions do not yet offer true end-to-end encryption that would prevent the provider from accessing plaintext data.”
As a result, Privatim says, adopting such platforms “entails a significant loss of control” for authorities entrusted with safeguarding citizens’ rights — particularly when data encryption key management is handled by the cloud vendor rather than the customer.
Sanchit Vir Gogia of Greyhound Research explained that “when a cloud provider has any ability to decrypt customer data… the data is no longer truly sovereign,” highlighting a constitutional concern that further complicates the rise of cloud sovereign solutions across Europe.
Regulators also criticized the opacity of hyperscalers’ supply chains, often involving “long chains of external service providers,” complicating oversight and raising the likelihood of undetected access to sensitive information. The situation becomes even more complex when public authorities attempt to ensure proper database encryption key management within these fragmented ecosystems.
Even data sovereignty solutions in Switzerland remain vulnerable to foreign government demands under laws such as the US CLOUD Act, which applies to any company headquartered in the United States. These tensions are driving new discussions around data sovereignty solutions that prioritize technical independence over contractual guarantees.
Cost of True Sovereignty
Privatim’s recommendation is that SaaS platforms should only be used for confidential government data if the public agency encrypts the data itself and the cloud provider has no access to the decryption keys. This demand stems from strict data sovereignty laws that aim to eliminate any scenario in which external actors could compel access to protected information.
But achieving such sovereignty introduces new challenges. As analyst Prabhjyot Kaur noted, adopting strict client-side encryption would reduce collaboration features, limit the effectiveness of automated threat detection tools, and restrict emerging AI-powered capabilities such as copilots. It also forces agencies to satisfy rigorous data sovereignty requirements that extend far beyond where the data is physically hosted.
Agencies would also need to manage their own cryptographic infrastructure — a costly and complex undertaking requiring dedicated expertise. These concerns echo global conversations about indigenous data sovereignty, where communities and governments seek full control over how their information is accessed, processed, and governed.
Despite the trade-offs, experts say Switzerland’s stance on data sovereignty laws signals a broader regulatory shift. Countries across Europe, including Germany, France, and Denmark, are moving toward models that emphasize technical rather than merely geographic sovereignty. “Data residency is no longer enough,” Kaur said.
This shift in data sovereignty requirements may open the door for sovereign cloud providers and European alternatives. Swiss-based Proton, which cannot access user data even under legal pressure, is already gaining traction as a local, compliant option.