Europe’s reliance on major US IT providers has sparked debate over digital sovereignty, legal risks from laws like the CLOUD Act, and the effectiveness of alternatives such as open-source solutions. The article argues that while concerns about government data access are often overstated, more immediate threats like cyberattacks deserve greater attention and investment.
Since theoutbreak of the war in Ukraine and Donald Trump's return to office, the debateon digital sovereignty has once again come to the forefront of publicawareness. The topic got another boost after the recent disruption of AWS andAzure. It made painfully clear how dependent Europe is on large US technologycompanies. It raises two key questions: On the one hand, there is concern thatpolitical decisions made by the US, such as targeted trade sanctions, couldseverely affect entire countries by forcing US IT providers to suspend theirservices. On the other hand, there is the claim that US authorities couldaccess data stored abroad through US providers at any time.
The two issuesmust be considered separately: economic dependence affects political interests,while lawful access follows clear legal procedures such as the US CLOUD Act.The discussion about digital sovereignty is often conducted using buzzwordsthat do not clearly distinguish between economic policy risks and legal accessoptions. In fact, these are two separate issues.
Economicdependence on US IT providers is most evident in the “lock-in” effect, wheretechnical incompatibilities, organizational complexity or prohibitive costsmake switching providers difficult, or where viable alternatives simply do notexist. Microsoft Office is a common example. But this risk is not unique to USfirms; similar dependencies can arise with European providers, meaningSwitzerland must also scrutinize EU-based IT services.
Both theUS, in the wake of the tax dispute, and the EU have already used economicleverage for political purposes. The withdrawal of stock market equivalence bythe EU or the exclusion of Switzerland from the EU’s Horizon research programmewere political rather than legal measures. An exclusive focus on open-sourcesolutions is insufficient: while mature projects like Linux demonstrateviability at scale, many specialized solutions lack enterprise-grade support,integration depth, or operational maturity. Moreover, open-source itself doesnot eliminate geopolitical dependencies. Major projects rely on contributionsand governance structures that may reflect foreign interests. Ultimately,infrastructure planning must include clearly defined emergency and migrationscenarios to safeguard operational sovereignty, but such planning remainslargely neglected. The recent outages of hyperscalers have painfullydemonstrated this fact and shown that many service providers rely on the majorproviders, which can quickly lead to a domino effect.
Legally,the US CLOUD Act is the most relevant law for government access. Enacted in2018 to amend the Stored Communications Act, it authorises US authorities toobtain electronic data from US service providers, even if stored overseas, forcriminal or terrorist investigations with any US nexus. Disclosure requires acourt order (warrant or subpoena), dispelling the myth that the US presidentcan simply call a tech CEO to demand data. While the CLOUD Act circumventstraditional mutual-legal-assistance treaties (MLATs), the US Department ofJustice still recommends MLATs whenever feasible. European and Swiss criminalprocedures contain analogous mechanisms: data disclosures to third partiesoccur without prior notice to the accused, who may only challenge themretrospectively.
There isalso FISA, which by contrast, governsnational-security intelligence and permits broad surveillance after ForeignIntelligence Surveillance Court approval. Both frameworks allow providers topursue legal remedies.
The EU hasintroduced a somewhat similar regime, the EU e-evidence regulation, enabling lawenforcement agencies to compel data disclosure from IT providers in the EU,even if servers are abroad. All such procedures are confined to criminalcontexts; random data requests remain unlawful. For most individuals, thelikelihood of becoming subject to a CLOUD Act order is low.
BothSwitzerland and the EU have granted adequacy decisions under the Data PrivacyFramework (DPF), approving transfers to certified US companies. The CLOUD Act’sextraterritorial reach was explicitly considered in these assessments, sincethe US parent company receives and processes any data-request orders beforepassing data to authorities. However, the DPF relies on a US executive orderand can be revoked at presidential discretion. Ongoing litigation in the EUchallenges its legality: A lower ECJ instance judgment upheld the adequacydecision, but appeals may yet overturn it.
Concernover US government access dominates the discourse, yet hyperscaler statisticsshow business customers face an extremely low probability of such orders, andproviders can legally resist them. By contrast, cyberattacks strike far morefrequently, without warning or legal recourse, but attract far less publicscrutiny. When Swiss cantons adopted Microsoft 365, fears of US data accesssparked fierce debate; by contrast, Sweden’s Miljödata ransomware incident, paralysing200 municipalities, generated only muted, expert-level reaction. Switzerlandcould face a similar crisis tomorrow. In managing cybersecurity risks, it isworth rethinking the prioritization of risks and not just reacting togeopolitically charged worst-case scenarios, but investing resources andattention where the probability of occurrence and potential for damage arehighest. Yet for critical infrastructure and sensitive sectors, government,legal, healthcare, even rare government access risks may be unacceptable. Thegoal is not to dismiss geopolitical concerns, but to address themproportionally while closing more immediate security gaps.
We are pleased to share some highlights from our most recent event.
We are pleased to share some highlights from our most recent event.
