Digital sovereignty has evolved from a theoretical concept to a strategic imperative for businesses. At a high-profile panel discussion in Zurich, Adrienne Fichter (political scientist and investigative journalist), Stefan Escher (CEO of Open Circle) and Tobias Brunner (partner and product manager at VSHN) analysed the concrete implications for companies when control over critical data, systems and business processes lies externally. We have summarised the most important findings of this expert panel for you.

The most important facts in brief

  • Digital sovereignty means that companies can control their data, systems and processes themselves at all times.
  • Three points are critical: confidentiality (who has access), availability (who can shut it down) and control (how to avoid lock-in).
  • International legal situations such as the US Cloud Act or executive orders show that data access is not always in your hands.
  • Dependence on individual providers leads to risks such as kill switches or high barriers to switching.
  • Companies need strategies to build alternatives, negotiate contracts wisely and prepare exit scenarios.

1. Confidentiality / (Un)lawful access

Confidentiality is the foundation of digital sovereignty. The key question is: Do other people have access to the data? And if so, on what basis?

The reality is more complex than many companies believe. Access to data does not only mean hacker attacks or insider leaks, but also legally legitimate access by authorities, which is often opaque to companies. The US Cloud Act of 2018, for example, stipulates that American law enforcement agencies can access data from US companies – regardless of whether the servers are physically located in Ireland, Frankfurt or Zurich.

But that’s not all: legal bases such as FISA Section 702 or Executive Order 12333 expand the possibilities for covert access by intelligence services. These laws allow US authorities to request the data of non-US persons directly from providers such as Microsoft, Google or Amazon without a court order. Even if the data is physically located in data centres in Frankfurt or Zurich, the US parent companies can be compelled to hand it over.

One well-known case is the so-called Microsoft Ireland case: in 2013, US authorities demanded that Microsoft grant them access to emails stored in a data centre in Dublin. This led to years of legal wrangling until the Cloud Act of 2018 established the obligation to disclose information worldwide. Which end customers were specifically affected remains secret, because access under FISA 702 or the Cloud Act is subject to strict confidentiality and affected companies are not usually informed.

This can have far-reaching consequences for companies: trade secrets, research data, financial information or confidential contract documents can be disclosed in the course of such access without the affected company knowing about it or being able to defend itself. This is particularly critical for regulated industries such as financial services, healthcare or public administration. But even for international corporations, the outflow of strategic data can create immediate competitive disadvantages if sensitive information falls into the wrong hands.

Confidentiality is therefore not just an IT issue. It is geopolitical, legal and organisational. Companies need to be aware that any external access – whether lawful or not – weakens digital sovereignty.

2. Availability / Kill Switch

The second pillar of digital sovereignty is availability. It answers the question: In an emergency, do we have access to our systems at all times, or can an external provider lock us out?

The danger is real. The so-called kill switch scenario means that a provider can withdraw access at the touch of a button. This may be for technical reasons, such as a security breach or a breach of contract. But it can also have political causes: an executive order from Washington is enough to exclude companies outside the US from certain services.

One example is the sanctions against Russia: after the attack on Ukraine, major US tech companies such as Microsoft, Amazon and Apple suspended or severely restricted their services in Russia. From one day to the next, companies and organisations in Russia no longer had access to important cloud services, software licences or updates – a de facto kill switch.

Imagine that your company’s entire collaboration runs on a single cloud platform. If the provider decides to block you for political or commercial reasons, all documents, emails and chats become inaccessible at a stroke. Even attempting to counteract this via support or legal action takes time – time that is not available in an acute crisis situation.

This risk does not only affect large corporations. Small and medium-sized enterprises that place their IT entirely in the hands of an international provider are also dependent on the goodwill of that provider. Those who do not have a plan B risk complete standstill in an emergency.

Digital sovereignty means arming yourself against this dependency: through decentralised solutions, backups and clear exit strategies.

3. Control / Lock-in

The third risk is more subtle, but no less dangerous: loss of control due to lock-in effects.

Lock-in means that a company is trapped in a system from which it can only escape at high cost or with significant losses. Providers deliberately create this dependency, for example through proprietary interfaces, exclusive functions or complicated contract terms.

The result: a lack of freedom of choice. You cannot simply switch, even if the price increases or the service deteriorates. In practice, this means that companies could theoretically evaluate other solutions, but in fact remain tied to the existing platform.

An example: OneDrive is inextricably linked to Microsoft and can only be operated via its infrastructure. It is not possible to switch from your OneDrive to a cloud provider of your choice.

This dependency has direct consequences:

  • Cost control: Price increases must be accepted because switching would be more expensive.
  • Innovation: New tools cannot be integrated if interfaces are missing.
  • Ability to act: Problems cannot be solved internally, but only addressed through lengthy escalations with the provider.

In the worst case, lock-in not only blocks IT, but also strategic development. Digital sovereignty therefore means designing systems in such a way that it is possible to exit or switch at any time without the company falling into crisis.

Recommendations for businesses: How can you become digitally sovereign?

  1. Consider sovereign alternatives: Rely on open standards and open source solutions. Examples such as OPEN CIRCLE Nextcloud show that collaborative work can also function without dependence on international corporations. Providers such as OpenDesk or Open Circle develop sovereign workplaces based on open source and German/Swiss hosting that can be operated independently of a provider.
  2. Negotiate contracts wisely: If your company continues to rely on Microsoft or other large providers, then do so together with partners or in industry associations if possible. This will allow you to achieve better terms and reduce dependencies.
  3. Develop exit strategies: Digital sovereignty requires contingency plans. Make regular backups, maintain business continuity management (BCM) and ensure that you can restart the systems yourself in an emergency.

Conclusion: Digital sovereignty determines the ability to act

AI tools, cloud services and digital platforms have become indispensable. But without sovereignty, your company remains dependent on the terms and conditions of international providers, political decisions, local legal frameworks and systems that you do not control.

What you can do: create clear guidelines, choose trustworthy and sovereign tools, train your team and have an exit strategy ready. This will allow you to take advantage of the opportunities offered by digitalisation without losing your freedom of action.
