The Swiss government has decided to switch to Microsoft 365 as the standard office suite for the federal administration, but only after certain conditions were met. The Confederation’s government laid out specific requirements, including Swiss jurisdiction over the data, compliance with local rules and regulations, and the assurance that no third party can have any unauthorized access to the data or software.
The migration to Microsoft 365 will start in the second half of 2023 and is scheduled to be completed by the end of 2025. During this transition period, federal government employees are not permitted to save sensitive data or confidential documents on the Microsoft cloud. Instead, they will continue to manage and store emails, calendars, and documents in the government’s own data centers.
The government is also studying medium- and long-term alternatives to Microsoft 365 so that it has an exit strategy, reducing its dependency on the US-based software and maintaining digital sovereignty.
The federal government has the following key requirements in order to adopt Microsoft 365:
The private sector and especially small businesses don’t typically have the same concerns or stringent requirements as the federal government, and for such entities, the public cloud is generally considered a viable and cost-effective solution.
However, for industries and sectors that store and process highly sensitive and confidential information, such as financial and legal services, healthcare, and industrial manufacturing, private companies in Switzerland are advised to use on-premises or managed private cloud solutions.
Cautionary tale
Microsoft Corp. v. United States was a legal case in which the US government sought access to an email account stored on Microsoft’s servers in Ireland as part of a drug-trafficking investigation. Microsoft complied with the request for data stored in the US, but refused to provide data stored in servers located outside the US. The case went to court, with the US government arguing that the warrant had extraterritorial reach and Microsoft arguing that it did not. After several appeals, the case was settled in 2019 following the passage of the Clarifying Lawful Overseas Use of Data (CLOUD) Act, which clarified that US warrants have extraterritorial reach. The case had significant implications for data privacy and the reach of US law enforcement outside the US.
When using public cloud services, there can be little control over how resources are shared or data is moved around. With a managed private cloud model, businesses can take advantage of a secure and isolated hosting space in the jurisdiction of their choice. The management of the private cloud infrastructure is typically handled by a trusted third-party service provider, which offers services such as provisioning, monitoring, and maintenance of the underlying hardware and software.
In Switzerland, which is known for its strong stance on privacy, there are many local providers of managed private cloud. The model of hosting in Switzerland by Swiss-owned IT companies with clear Swiss legal jurisdiction is preferred by a lot of organizations that deal with sensitive and highly confidential data.