
Digital sovereignty may sound like high-level politics, but it has long been a factor in every cloud strategy, every AI project and every instance of data processing – particularly amongst critical infrastructure providers and those bound by professional and official secrecy. The new international Technology Sovereignty Report shows that neither states nor companies are seeking digital isolation; what they want is the ability to act independently in the digital sphere. This raises the question: how much control does a state or a company need, and how much dependence is acceptable?

Digital sovereignty is no longer just a buzzword

Digital and technological sovereignty have, in a short space of time, evolved from an abstract guiding principle into a concrete issue of risk and governance. The Technology Sovereignty Report, published in June 2026 by the Human Technology Foundation and ITechLaw, examines why so-called ‘middle powers’ are reassessing their technological dependencies. The report was led by Charles Morgan and Eric Salobir; Nicole Beranek Zanon contributed to the Swiss perspective.

The starting point is clear: states, companies and public institutions are reliant on a small number of global providers in key areas such as cloud computing, artificial intelligence, data infrastructures, cyber security, semiconductors and digital platforms. These dependencies are not problematic in themselves. They become critical where they may impair a country’s ability to act in crises, in the face of geopolitical pressure, sanctions, service disruptions or unauthorised state access to data.

The report makes an important distinction here: technological sovereignty does not mean complete self-sufficiency. Complete economic, military and technological independence is neither realistic nor desirable for most states. What is crucial, rather, is to recognise structural dependencies, prioritise them and manage them in such a way that the state and the economy remain capable of acting even in stressful situations.


Three drivers: security, competitiveness and trust

The report describes digital sovereignty as a response to three interlinked developments: national security, economic security and the protection of fundamental democratic values.

Firstly, there is the issue of national security. Critical digital infrastructures can become strategic vulnerabilities in crisis situations. This is not just a matter of traditional espionage or cyber-attacks, but also of whether essential services, software updates, communication channels, satellite connections or cloud services remain available in an emergency. With modern systems, it is no longer solely a question of who supplies the hardware. Equally important is who can operate, maintain, patch, certify and further develop it.

Secondly, digital sovereignty is a matter of economic security. Anyone who relies on just a few providers for cloud infrastructure, platforms or foundation models is not merely a customer. They are often also dependent on those providers’ terms of access, interfaces, pricing models, data policies and innovation cycles. The report thus ties in with the debate on competitiveness: countries may have strong research capabilities yet still struggle to translate this research into scalable products, computing capacity and global value creation.

Thirdly, it is a matter of fundamental rights and trust. If citizens or businesses have to fear that data may be accessed via extraterritorial access regimes by foreign authorities without sufficient local oversight under the rule of law, trust in digital administration, cloud services and data-driven innovation suffers. The report sums this up succinctly: data residency does not automatically equate to data sovereignty.

Not isolation, but risk management

Most of the jurisdictions examined do not respond with blanket isolation, but instead pursue a different strategy: sensitive government data, critical infrastructure, defence, healthcare and high-risk AI are treated more strictly than ordinary commercial applications.

The instruments employed include multi-cloud strategies, the classification of particularly sensitive data, requirements for trusted cloud environments, stricter rules for cross-border data transfers, cybersecurity requirements, procurement rules, competition policy, and investment in computing capacity, AI, quantum research and critical infrastructure.

For businesses, this means that digital sovereignty is increasingly becoming an integral part of compliance, risk management, contract drafting, data protection, IT security and corporate governance.

Focus on Switzerland: Sovereignty as the state’s capacity to act

Switzerland interprets digital or technological sovereignty in a comparatively narrow and state-centred manner. The focus is not on general ‘sovereign’ action by the private sector, but on the question of whether the Confederation possesses sufficient control and capacity to act in the digital sphere to fulfil its public duties. The role of business, academia and society is addressed primarily through the ‘Digital Switzerland’ strategy.

This approach is consistent with Swiss digital policy. The ‘Digital Switzerland’ strategy serves as a tool for the Federal Council to set priorities for the digital transformation. It is updated annually and enshrines digital sovereignty as a strategic objective and key focus area.

In its cloud policy, the Federal Administration has been pursuing a hybrid multi-cloud strategy since 11 December 2020. This allows for the use of internal and external cloud services from various providers. The approach avoids a one-sided dependence on a single provider, whilst at the same time not relying on complete technological self-sufficiency. This is precisely the Swiss approach: openness and performance are to be maintained, whilst critical dependencies are identified and managed.

AI as a litmus test for Swiss sovereignty

Switzerland possesses strong research and technological expertise through ETH Zurich, the ETH AI Centre and initiatives such as the ‘Apertus’ foundation model. At the same time, many productive AI applications in practice continue to run on non-Swiss cloud infrastructures and non-Swiss base models. Public funding for AI is channelled through general research and innovation instruments, rather than via a specific programme for ‘sovereign AI’.

This is crucial for businesses: Swiss AI expertise does not automatically equate to operational sovereignty. Anyone deploying AI systems in sensitive areas must assess what data is being processed, where models are hosted, which providers have access, which sub-processors are involved, and whether contractual, technical and organisational safeguards are sufficient.


Data protection, copyright and state access to data

From a legal perspective, the Swiss section of the report highlights several specific features. The revised Data Protection Act distinguishes between personal data, personal data requiring special protection and high-risk profiling, but does not contain a general obligation regarding data localisation. Cross-border disclosures are governed by Article 16 of the Data Protection Act (DSG) and require an adequate level of data protection or appropriate safeguards; exceptions must be interpreted narrowly.

Switzerland also takes a cautious approach to copyright law. There is no general ‘fair use’ principle and no specific text-and-data-mining exception, except in the context of scientific research. The limitations on copyright are exhaustively set out in Articles 19–27 of the Copyright Act (URG). According to the report, there is as yet no relevant Swiss case law regarding the training of AI models using copyright-protected content.

With regard to state access to data, the report emphasises the obstacles posed by the rule of law. Access without consent is only permitted on the basis of specific legal provisions and subject to strict safeguards. Under the Telecommunications Surveillance Act (BÜPF), authorities may only obtain data from telecommunications and cloud service providers in cases of serious criminal offences with prior judicial authorisation. An indiscriminate ‘collect all’ model or access without judicial oversight is not provided for. International cooperation takes place via the Budapest Convention and mutual legal assistance treaties. Foreign authorities cannot directly compel Swiss providers; direct extraterritorial enforcement – such as under the US CLOUD Act – is therefore not possible against Swiss providers.

What companies should now consider

For Swiss companies, digital sovereignty is not purely a government project. Even though the term is used in a state-centred manner in the Swiss context, the operational risks directly affect private organisations. Particularly affected are financial service providers, the healthcare sector, insurance companies, critical infrastructure operators, SaaS providers, cloud customers, suppliers to public authorities and companies with large data sets.

In practice, a risk-based approach is recommended. Companies should classify their critical data sets, map cloud and AI dependencies, review supplier and sub-supplier chains, secure exit scenarios contractually, assess encryption and key control, and explore multi-vendor or multi-cloud options for business-critical systems.

Boards of directors and senior management should not treat digital dependencies as a purely technical procurement issue. The report explicitly points out that, in the Swiss context, a lack of risk management can also have implications under liability law.

Conclusion

The Technology Sovereignty Report shows that digital sovereignty does not mean isolation, but rather the ability to act effectively. For Switzerland and its businesses, this means that openness towards international technologies remains important, but must not lead to blind dependence.

The state and businesses must know which digital infrastructures are critical, which data is particularly worthy of protection, and which legal, technical and organisational measures are required to maintain control.

Upcoming reforms – particularly regarding AI regulation, the further definition of digital sovereignty and cyber security – will bring these issues into even sharper focus. Now is the right time for businesses to treat digital sovereignty not as a political buzzword, but as an integral part of data protection, IT security, contract drafting and corporate governance.
