News & Events Data sovereignty in uncertain times: The Swiss advantage 

It’s not just prudent to wonder about the future of cloud data sovereignty, but urgent. Since the 2024 U.S. election, trust in U.S.-based cloud providers has come into serious question. For example, President Trump dismissed three members of the Privacy and Civil Liberties Oversight Board. In response, the EU Parliament has expressed concern over transatlantic data and the future of the EU-U.S. Data Privacy Framework. It was the first warning sign of many.

As a whole, European governments are increasingly concerned about the status of their U.S. cloud providers.

Recently, Dutch parliamentarians passed eight motions urging their government to abandon American-made technology for local alternatives. Coincidentally, many European companies are considering—or have already begun—a move away from Amazon, Google, and other major U.S. cloud service providers.

Regulated industries (banking, healthcare, etc.) face considerable uncertainty. According to ISACA, by the end of 2025, 40 percent of major enterprises will mandate data-sovereignty controls from their cloud service providers to adhere to data protection and privacy regulatory requirements.

Why?

They want assurances that their data sovereignty is as strong as possible.

The same goes for the Swiss banking and financial sector, which has introduced regulatory frameworks, such as FINMA Circular 2023/01, which contains mandatory notification requirements for data breaches involving client-identifying data (CID).

These developments have put the spotlight on two areas of cloud risk in 2025.

The first is data confidentiality.

The World Economic Forum’s 2025 Global Cybersecurity Outlook warns of an increased risk of foreign access to sensitive data. These attacks, directed at both companies and government entities, are increasingly perpetrated by nation-state actors. Common targets include:

• Healthcare
• Financial services
• Energy utilities
• Infrastructure

The second is data availability.

In this new climate, actors may use service restrictions as political leverage. In some instances, the U.S. administration has weaponized cloud access, making cross-border data transfers even more difficult. Here, service continuity depends on both commercial considerations and alignment with U.S. strategic interests.

Those strategic interests have undergone significant shifts. Take the passage of the U.S. CLOUD Act (Clarifying Lawful Overseas Use of Data Act). The CLOUD Act gives U.S. authorities the right to compel American cloud providers to turn over customer data—even if that data is physically stored outside the United States.

This means that a European organization’s data housed in, say, a data center in Frankfurt or Dublin could still be legally accessed by U.S. authorities if managed by a U.S.-headquartered cloud provider like Amazon, Google, or Microsoft. No notification is required to the EU entity whose data is being requested.

This has opened the door to potential “data hostage” scenarios, which threaten to jeopardize EU privacy protections. This is also how U.S. governmental bodies decide to unilaterally remove data, as they were accused of doing with data on kidnapped Ukrainian children.

The implications are severe. Not only does this undermine GDPR principles, but it places organizations in direct conflict between U.S. legal demands and European data protection laws. Organizations must now consider the possibility that their data could become inaccessible or compromised due to political decisions.

Switzerland’s political neutrality dates back centuries (see: Treaty of Paris in 1815). The country has created a stable environment where data repositories operate free from geopolitical pressures.

For example, Switzerland is not bound to any intelligence-sharing agreements that may affect data sovereignty. The country’s Federal Act on Data Protection (FADP) is recognized as one of the most comprehensive—and thorough—data protection standards.

Located in the heart of Europe, Switzerland is well positioned to serve European markets, while avoiding some of the EU’s more restrictive regulatory requirements. Even the country’s climate and physical attributes lend well to data center cooling and energy efficiency.

• Finally, such strong commitment to data security is embedded within Swiss culture itself. Such commitment has helped Switzerland earn a reputation for neutrality and trustworthiness, while attracting some of the world’s leading privacy-first services.

Navigating these shifting sands means first knowing where your organization stands. If you’re considering cloud migration, you might also include data classification and cost-benefit analysis in your process. However, as first steps, we recommend two important actions.

1. Conduct a Data Sovereignty Assessment

Assess your cloud data sovereignty risk using a structured approach, as detailed in the following hypothetical framework.

2. Evaluate Your Current Data Providers

Your data providers should be willing and able to provide specific answers to the following questions:

Jurisdictional control	What’s your legal response process when receiving foreign government data requests? How many government data requests did you receive in the past 12 months, and from which jurisdictions? If ordered by the U.S. government under the CLOUD Act to provide data, what is your documented process? Can you contractually guarantee you will notify us before responding to any government data request? What independent third-party audits verify your compliance with data sovereignty requirements?
Technical implementation	Where exactly is our data physically stored, processed, and backed up? Who has administrative access to our data, and in which countries are they located? What encryption methods do you implement, and who controls the encryption keys? Do you offer true customer-managed encryption keys with zero provider access? What technical measures prevent unauthorized cross-border data transfers?
Business continuity	How would you respond if your parent company was ordered to disconnect services to non-US entities? What contractual force majeure provisions protect us from geopolitical service interruptions? Do you have documented contingency plans for political sanctions affecting service delivery? What is your SLA guarantee if international political tensions impact your ability to provide service? Can you provide examples of how you’ve maintained service during previous geopolitical disruptions?

The return of the Trump administration has created a seismic shift in how European organizations must approach their cloud strategy. Organizations would be wise to shore up their regulatory compliance and operational resilience against these geopolitical uncertainties.

By most estimations, this uncertainty will continue.

Swiss-based cloud infrastructure provides a strategic advantage through superior data sovereignty protections. This infrastructure is foundational to the b+s Private Cloud Contact Center, which enables even highly regulated companies to deploy tailor-made solutions. This includes:  

• Dedicated Infrastructure Architecture: Private, isolated environments with fully dedicated resources. Ensures complete separation from other tenants and guarantees performance even during peak demand.
• European Data Residency: Our private cloud is hosted in Europe, ensuring data remains within European jurisdictions.
• Integration Framework: The platform seamlessly integrates with major enterprise applications, including Salesforce, Microsoft Dynamics, ServiceNow, Oracle Service Cloud, and SAP.
• Comprehensive Security Standards: The b+s Private Cloud meets the highest industry standards, including C5, GDPR, ISO 270001, and more.

• Access Control Mechanisms: Use SSL technology with high-level encryption to protect your data against accidental or intentional manipulation, partial or complete loss or destruction, or unauthorized access by third parties.
• EU-U.S. Data Privacy Framework Compliance: We cooperate and comply with EU data protection authorities (DPAs) regarding unresolved complaints about data handling, providing an additional layer of oversight.

In the face of unprecedented uncertainty, you need the right combination of technical capability and legal protection. We’re already helping organizations navigate new concerns about data sovereignty—even within the most highly regulated industries.