Sovereign cloud for Swiss SMEs: a useful promise or yet another IT project?
Introduction
The cloud has become a standard working infrastructure for Swiss SMEs: email, backups, accounting, collaboration, document management, business applications and website hosting. For many companies, it is no longer realistic to run everything on in-house servers. The cloud offers flexibility, remote access and considerable adaptability. But it also raises an increasingly pressing question: where is the data stored, who processes it, under what legal framework, and with what safeguards?
The issue is now back in the spotlight because digital sovereignty is no longer solely a matter of concern for national governments. In Switzerland, the Confederation is pressing ahead with the Swiss Government Cloud project, whilst several cantons wish to coordinate their efforts regarding digital sovereignty. Even though the announced federal infrastructure is not intended for the private sector, the message is clear: control over data and infrastructure is becoming a strategic issue.
Against this backdrop, so-called ‘sovereign’ alternatives are seeking to establish themselves in the face of major international providers, particularly those from the US. The brief for this article mentions Nubevia, a French provider presented as a solution enabling SMEs to reduce their dependence on American cloud giants. For a Swiss company, the interest is not merely political or symbolic. It relates to compliance with the Federal Data Protection Act, operational security, business continuity, contractual control and the ability to switch providers without being locked into a closed ecosystem.
For an SME, the key question is therefore not whether the sovereign cloud is ‘better’ in principle. Rather, it is a matter of assessing, in a pragmatic way, which data warrants enhanced protection, which applications must remain easily reversible, and what level of technological dependence the company is prepared to accept. A trust firm, a medical company, an engineering firm, an industrial enterprise or a self-employed professional handling client data will not have the same priorities, but all have a vested interest in clarifying their cloud strategy.
What are we talking about?
The ‘sovereign cloud’ generally refers to a hosting or digital services solution designed to provide greater control over data, infrastructure and applicable rules. In practice, this covers several aspects: data location, applicable law, provider identity, technical governance, administrator access, encryption, reversibility, contractual documentation and auditability. The term can be used quite broadly, which is why it is always important to look beyond the marketing label.
For a Swiss SME, the ‘sovereign cloud’ does not necessarily mean that everything must be hosted in Switzerland. Above all, it means that the company understands where its data is processed, by whom, through which subcontractors, and under what safeguards. A solution offered by a local provider – whether Swiss or European – may be of interest if it allows for greater control over these parameters. Conversely, an international provider may offer highly effective tools, but with a contractual and technical chain that is more complex to analyse.
There are many parties involved. First, there is the user company, which remains responsible for its choices and the use it makes of the data. Then there is the cloud provider, which makes the infrastructure or applications available. There may be technical subcontractors, data centres, IT integrators, security consultants, trustees or legal advisers. In an SME, these decisions are often taken jointly by senior management, the external IT manager, the finance department and, in some cases, human resources.
The mechanism appears simple: instead of storing data and software on in-house servers, the company accesses them via a remote infrastructure. But this apparent simplicity masks some important choices. An outsourced backup, payroll software, a file-sharing platform or a complete production environment do not all carry the same risks. The more sensitive or critical the data, the more important it becomes to seek specific assurances regarding security, availability, location and the ability to retrieve the data in a usable format.
What the facts show
The research report first highlights an institutional trend in Switzerland. In May 2024, the Federal Council requested a budget allocation of 246.9 million francs to create the Swiss Government Cloud, abbreviated to SGC. According to reports by PME.ch, this sovereign cloud service is intended for the federal administration and is designed to meet the growing digital needs of the public sector through high-performance, reliable and secure infrastructure.
One point is crucial for private companies: the SGC is not intended to provide services to them. Cantons, cities and municipalities will be able to use this infrastructure, but the private sector will not be served through this channel. For SMEs, this means that the federal initiative does not directly address the issue of their own hosting arrangements. It does, however, demonstrate that digital sovereignty is becoming a sufficiently important issue to warrant a dedicated infrastructure at the public sector level.
The report also mentions a regional initiative. In May 2023, the French-speaking cantons and Ticino decided to take concerted action to promote their digital sovereignty. According to ICTjournal, this approach involves, in particular, the idea of developing public-private partnerships with local stakeholders. This direction is of interest to SMEs, as it may help foster a more structured ecosystem centred on sovereign services and stakeholders capable of supporting medium-sized organisations.
On the supplier side, the report cites Infomaniak as an example of a Swiss company offering sovereign cloud solutions, with a focus on data control, compliance with local laws and security requirements. The article’s brief also highlights Nubevia, a French provider, as a sovereign alternative aiming to offer SMEs an option distinct from the major US cloud providers. These points demonstrate that the market is not limited to a single approach: Swiss, European or specialised offerings can coexist.
Finally, the Swiss legal framework plays an important role. The report points out that the Federal Data Protection Act imposes high standards regarding the processing and storage of personal data, in a manner comparable to the European GDPR. For SMEs, this framework reinforces the importance of choosing solutions that are compatible with their data protection obligations.
Practical implications for an SME or a self-employed person
The first implication is organisational: choosing a cloud service should no longer be treated as a mere IT decision. For an SME, it directly affects risk management. Accounting software, client files, employment contracts, payslips, medical data or technical drawings may all constitute sensitive information. If such data is poorly organised or scattered across multiple cloud services, the business loses visibility and increases the risk of error.
A sovereign cloud can help regain control, provided the approach is structured. An SME might, for example, decide that its day-to-day administrative documents remain in a standard collaborative service, whilst employees’ sensitive data, contractual archives or critical backups are placed in an environment offering stronger safeguards. The aim is not necessarily to migrate everything, but to apply the right level of protection in the right place.
For a self-employed person, the challenges are often more immediate. A consultant, therapist, architect or IT service provider may store client information on a laptop, a file-sharing app or an email service. A sovereign cloud solution can simplify backups, facilitate secure access to documents and provide better traceability. However, it does not replace basic best practices: strong passwords, access management, separation of personal and professional data, control over sharing, and the removal of obsolete access rights.
From a contractual perspective, an SME must also consider its relationship with its provider. Where is the data hosted? Does the provider use subcontractors? How is data returned at the end of the contract? What happens in the event of an incident or disruption? These are practical questions, particularly when a business relies on the cloud for invoicing, production, payroll management or communicating with its customers.
Finally, choosing a sovereign alternative can reduce certain technological dependencies. Large cloud ecosystems are often highly integrated: convenient for day-to-day use, but sometimes difficult to leave. An SME wishing to retain flexibility should prioritise open formats where possible, document its procedures and ensure that its entire workflow does not depend on a single supplier without a realistic exit strategy.
Points to watch out for and uncertainties
The first point to bear in mind is the terminology. ‘Sovereign’ is not a sufficient guarantee in itself. Two offerings may use the same term whilst being based on very different architectures, outsourcing arrangements and contractual terms. Before making a decision, an SME should seek precise answers rather than settling for a marketing pitch. The location of data, support, administrator access, backups, encryption mechanisms and availability commitments must be fully understood.
The research report also highlights uncertainty regarding the costs of adoption. Migrating to a sovereign solution may require time, expertise and, in some cases, a change in internal working practices. It is necessary to carry out a data inventory, prepare users, test applications, verify backups and manage the transition. The cost is therefore not limited to the subscription fee. It includes change management, integration with existing tools and the ability to maintain the environment over the long term.
Functional availability is another consideration. Some SMEs use highly advanced tools from major international providers: automation, business integrations, dashboards, collaborative tools, artificial intelligence services or connectors with specialised software. A sovereign alternative may be perfectly suited to certain uses, but may not immediately cover all the expected functionalities. It is therefore necessary to compare requirements on a case-by-case basis, rather than reasoning solely on principle.
Interoperability also deserves particular attention. A business rarely starts with a completely blank IT system. It already has an email system, accounting software, an ERP system, HR tools, backups and, in some cases, specific applications. The sovereign cloud must be able to integrate seamlessly into this existing infrastructure. If integration is not properly planned, the company risks creating duplication, process disruptions or grey areas in the management of access rights.
Finally, the regulatory framework is evolving. The report highlights the importance of the Data Protection Act and data protection requirements. However, practical implementation will always depend on the nature of the data, the sector of activity, international data flows and the contracts in place. An SME operating in several countries or processing particularly sensitive data should avoid making hasty decisions and should seek validation of its analysis from specialists.
What to do in practice
The first step is to carry out a simple mapping of data and cloud usage. An SME can start by listing the tools it uses: email, storage, payroll, accounting, CRM, backup, project management, web hosting and business applications. For each tool, it is necessary to identify the types of data involved, the people who access it, the provider, the contractual location of the service and the level of criticality. This exercise often highlights forgotten subscriptions or poorly managed sharing practices.
Next, it is useful to classify the data by sensitivity. Not all information requires the same treatment. Public marketing materials do not carry the same value as an HR file, a tax return, a customer database or confidential technical documentation. This classification helps to determine where a sovereign cloud offers tangible value. It also prevents the launch of a migration that is too broad, costly and difficult to manage.
An SME should then approach suppliers in a structured manner. It is prudent to ask where the data is hosted, which laws govern the contract, who has technical access to the data, how backups are carried out, which subcontractors are involved, and how the data can be retrieved. It is also important to check the available documentation, support commitments and integration options with existing tools.
Before a full migration, a pilot project is often preferable. The company can test a sovereign solution within a limited scope: backing up critical documents, storing sensitive files, setting up a collaborative environment for a team, or hosting a non-mission-critical application. This pilot allows the company to assess performance, usability, access control and the quality of support without putting the entire business under pressure.
Finally, it is recommended to involve specialists from various disciplines. The IT manager or IT service provider assesses the architecture and security. Senior management weighs up the risks and costs. HR and the accounts department identify sensitive data. A trust company or specialist adviser can help ensure that technical choices align with obligations regarding data protection, document retention and business continuity. For sensitive cases, case-by-case legal or tax validation remains essential.
Key takeaways
The sovereign cloud is not just a trend reserved for large public administrations. For a Swiss SME, it can become a risk management tool, provided it is approached pragmatically. Public initiatives, such as the Swiss Government Cloud, underscore the importance of the issue, even though this infrastructure will not be open to the private sector. Companies must therefore develop their own strategy using the solutions available on the market.
- Start by taking stock of your current cloud services: storage, email, accounting, payroll, CRM, backups and business applications. Without this overview, it is difficult to assess the actual risks.
- Classify your data according to its sensitivity. HR files, customer data, accounting records, contracts and confidential documents may warrant higher levels of security than routine communication content.
- Do not rely solely on the term ‘sovereign’. Ask for specific details regarding hosting, subcontractors, administrator access, data recovery and security commitments.
- Compare Swiss, European or specialised providers based on your actual needs. Providers such as Infomaniak are mentioned in the report for the Swiss market, whilst the brief highlights Nubevia as a French alternative to the major US cloud providers.
- Plan a pilot before a large-scale migration. Testing a backup, a document repository or a small team allows you to verify integration, usability and support without disrupting the whole organisation.
- Have sensitive decisions validated by professionals. Requirements relating to the FADP, contracts, staff data or international data flows must be assessed on a case-by-case basis.
In summary, digital sovereignty is not a binary choice between a global cloud and a local cloud. It is a balance between security, compliance, efficiency, costs and independence. An SME that documents its choices, retains control over its critical data and plans an exit strategy will be better equipped, regardless of the provider chosen.
