The Swiss government has decided to switch to Microsoft 365 as the standard office suite for the federal administration, but only after certain conditions were met. The confederation’s government laid out specific requirements, including the jurisdiction of data being in Switzerland, compliance with local rules and regulations, and the assurance that no third party can have any unauthorized access to the data or software.
The migration to Microsoft 365 will start in the second half of 2023 and is scheduled to be completed by the end of 2025. During this transition period, federal government employees are not permitted to save sensitive data or confidential documents on the Microsoft cloud. Instead, they will continue to manage and store emails, calendars, and documents in the government’s own data centers.
The government is also studying alternatives to Microsoft 365 on the medium- and long-term to ensure an exit strategy to reduce dependency on the US-based software and maintain digital sovereignty.
What are the Swiss government’s conditions?
The federal government has the following key requirements in order to adopt Microsoft 365:
- Data jurisdiction: data should be hosted in Switzerland or in the European Union (EU) or the European Economic Area (EEA), and should not be processed or stored in other countries.
- Compliance: the service should be compliant with the Swiss Data Protection Act, the Swiss Federal Act on Data Protection (FADP), the Swiss Ordinance on Protection against Cyber Risks, and the General Data Protection Regulation (GDPR) of the EU.
- Restricted third party access: data can only be transferred to third parties by agreement. Surrendering any data to US law enforcement agencies can only be done in the case of a crime and by referring the law enforcer to the Swiss government.
- Technical measures: tools in place for encryption, ongoing monitoring of processes and security incidents, compliance checks and contractual safeguards.
Is the public cloud a good option for the private sector and small businesses?
The private sector and especially small businesses don’t typically have the same concerns or stringent requirements as the federal government, and for such entities, the public cloud is generally considered a viable and cost-effective solution.
However, for industries and sectors that store and process highly sensitive and confidential information such as in financial and legal services, healthcare, and industrial manufacturing, private companies in Switzerland are advised to use on-premise or managed private cloud solutions.
Cautionary tale
Microsoft Corp. v. United States was a legal case in which the US government sought access to an email account stored on Microsoft’s servers in Ireland as part of a drug-trafficking investigation. Microsoft complied with the request for data stored in the US, but refused to provide data stored in servers located outside the US. The case went to court, with the US government arguing that the warrant had extraterritorial reach and Microsoft arguing that it did not. After several appeals, the case was settled in 2019 following the passage of the Clarifying Lawful Overseas Use of Data (CLOUD) Act, which clarified that US warrants have extraterritorial reach. The case had significant implications for data privacy and the reach of US law enforcement outside the US.
The private cloud alternative
When using public cloud services there can be little control over how resources are shared or data is moved around. With a managed private cloud model, businesses can take advantage of a secure and isolated hosting space in the jurisdiction of their choice. The management of the private cloud infrastructure is typically handled by a trusted third-party service provider, which offers services such as provisioning, monitoring, and maintenance of the underlying hardware and software.
In Switzerland, which is known for its strong stance on privacy, there are many local providers of managed private cloud. The model of hosting in Switzerland by Swiss-owned IT companies with clear Swiss legal jurisdiction is preferred by a lot of organizations that deal with sensitive and highly confidential data.
