Discussions on digital sovereignty—the capability to participate in the digital economy securely, independently and with self-determined controls—is often centered on a consistent set of questions: Where is my data stored? Who can access it? Will I have access to the latest capability? Below, we’ve answered these questions, and highlighted the commitments we’ve made and the technologies available in Switzerland.
Catrin Hinkel, CEO of Microsoft Switzerland, and Marc Holitscher, National Technology Officer, in a discussion about digital sovereignty in Switzerland
1: Why is digital sovereignty such an important topic right now?
Click here to load media
2: What does digital sovereignty mean in practice?
Click here to load media
3: What is Microsoft’s level of engagement in Switzerland?
Click here to load media
4: What about Microsoft’s comprehensive European commitments?
Click here to load media
5: How does Microsoft protect customer data?
Click here to load media
6: What about business continuity – what happens if something unexpected occurs?
Click here to load media
7: What about laws like the CLOUD act – can the U.S. government access European data?
Click here to load media
8: What does this mean in practical terms for Swiss companies?
Click here to load media
9: Our commitment to Switzerland
Click here to load media
Questions and answers on digital sovereignty
1. What are Microsoft’s sovereign cloud solutions in Switzerland?
Microsoft offers a comprehensive portfolio to meet the full spectrum of sovereignty needs in Switzerland and across Europe:
Sovereign Public Cloud: Full sovereignty features—including data residency, encryption controls, and regulated environment management—are available in all European regions, including Switzerland. No migration to separate datacenters is required.
Sovereign Private Cloud: For organizations needing maximum operational autonomy, Azure Local and Microsoft 365 Local enable workloads to run in customer controlled and on-premises hosted environments, with consistent management and security.
Key Capabilities: Data Guardian (Europe-based access approval and monitoring), External Key Management (customer-held encryption keys), and Regulated Environment Management (centralized sovereignty controls).
Open and Hybrid by Design: Azure Arc enables unified management across multi-cloud and on-premise environments, supporting hybrid and multi-vendor strategies.
Learn more: Comprehensive Sovereign Solutions
2. Where is data stored and who can access it?
For Swiss customers, data location and maximum control over where their data resides, how it is accessed and processed is non-negotiable. Microsoft provides multiple, layered safeguards:
Swiss cloud regions since 2019. We operate cloud regions near Zurich and Geneva so customers can keep data within national borders when needed, while also supporting disaster recovery regulatories.
EU Data Boundary means public‑sector and commercial customers in the EU/EFTA (including Switzerland) can store and process customer data, pseudonymized personal data, and professional services data including Microsoft 365, Dynamics 365, Power Platform, and most Azure services within the EU/EFTA regions. For some Azure services, customers follow documented configuration to obtain the professional services storage commitment. The EU Data Boundary now includes end-to-end AI data-processing in Europe.
Microsoft 365 Copilot expands in-country processing for Copilot Interactions to 15 countries by the end of 2026, including Switzerland.
No direct or unfettered government access. Microsoft reviews each government data request, discloses only when legally compelled, and limits any disclosure to specific accounts identified in a valid order. Our policies are detailed in our Government Requests for Customer Data Report.
We do not provide any government with encryption keys or the ability to break our encryption.
In addition to the EU Data Boundary, we provide European customers with multiple options for securing and encrypting their data. Our Confidential Compute offerings in Azure eliminate the ability of third parties—including Microsoft—to access customer data by ensuring data is processed within a trusted environment the customer alone controls. We enable customers to create a “lockbox” around their data across Azure, Dynamics 365, and Microsoft 365 by giving them the ability to review and approve before Microsoft accesses their data for customer and service support operations. We also enable customers to secure their data with encryption keys that they, not Microsoft, control with Azure Key Vault and Purview Customer Key. Our Microsoft Cloud for Sovereignty offers customers a range of other tools to secure data, protect against unauthorized access, and satisfy legal requirements.
European‑controlled operations. With Data Guardian, we will add an additional level of assurance by ensuring that only Microsoft personnel residing in Europe control remote access to these systems. Data Guardian adds additional human and technical oversight whenever engineers outside of Europe need access. All remote access by Microsoft engineers to the systems that store and process your data in Europe is approved and monitored by European resident personnel in real time and will be logged in a tamper-evident ledger.
For Microsoft 365 and select services, Customer Lockbox lets you review and approve engineer data‑access requests and audit related activities. For encryption keys, Azure Key Vault provides audit logs and insights so you can monitor key operations and set near real‑time alerts via Azure Monitor. Customers that require immutable, tamper‑proof audit trails for their own workloads can use Azure Confidential Ledger.
Defending Your Data commitment: We will challenge every government request for public sector or enterprise customer data where there is a lawful basis for doing so. We are committed to transparency regarding government data requests and publish regular, detailed reports on such requests.
3. Do sovereignty controls require migration or reduce functionality?
With Microsoft Sovereign Public Cloud, you enable sovereignty controls across existing European regions—no migration to separate datacenters required—while keeping the full innovation pace of the public cloud. Sovereign Private Cloud gives customers even more control, but certain limitations apply.
Key capabilities designed for sovereignty:
Data Guardian for European‑controlled operations and access approvals.
External Key Management so you can keep encryption keys in your own HSMs (on‑premises or with a trusted third party).
Regulated Environment Management to configure and monitor all sovereignty controls in one place.
4. What if full operational autonomy is required?
Some sectors need workloads to run in a physically controlled environment—including connected, hybrid, or disconnected scenarios.
Azure Local brings Azure services into your locations for in‑country, on‑premises, or partner‑operated datacenters.
Microsoft 365 Local provides a validated architecture to run productivity workloads like Exchange Server and SharePoint Server on Azure Local with consistent management via Azure tools. Microsoft 365 Local is now generally available, bringing core productivity workloads—Exchange Server, SharePoint Server, and Skype for Business Server—natively to Azure Local. Azure Local now supports increased maximum scale to hundreds of servers, external SAN storage, and the latest NVIDIA GPUs.
5. Can we move our data?
Sovereignty and data portability go hand in hand.
Open by design: Azure supports open standards, open‑source runtimes, and a broad partner ecosystem.
Microsoft’s cloud services are designed for openness and flexibility. Customers can export their data at any time using well-documented processes and widely supported, industry-standard formats. There are no proprietary barriers that prevent you from moving your data or workloads to other platforms. This commitment to portability ensures you retain full control and freedom of choice—without risk of vendor lock-in.
6. Does Microsoft support open-source solutions?
Open Source enables Microsoft products and services to bring choice, technology and community to our customers. Sovereignty requires openness, and open standards and open-source technologies can be used throughout our infrastructure. According to the Open-Source Contributor Index (OSCI), Microsoft ranks #2 globally with 5,079 active contributors to date, and 11,217 total community members, with Microsoft as a foundational pillar of open-source innovation.
VS Code, one of the world’s most popular developer tools with millions of users, is developed in Zurich’s Wollishofen.
Learn more: Microsoft Open Source
7. What about resilience, governance, and security oversight in Europe?
We have formalized commitments so customers can plan for the long term.
Digital Resilience Commitment. We commit to contest any order to suspend or cease cloud operations in Europe using all legal avenues available, including pursuing litigation in court. This commitment is legally binding on Microsoft Corporation and all subsidiaries. Our digital resiliency commitments have been embedded into all relevant government contracts.
We will store back-up copies of our code in a secure repository in Switzerland, and we will provide our European partners with the legal rights needed to access and use this code if needed for this purpose.
European board oversight. We have established a European board of directors, composed of European nationals, exclusively overseeing all datacenter operations in compliance with European law.
European Security Program. We are expanding AI‑powered threat intelligence sharing, capacity‑building, and partnerships (including with Europol) for governments across the EU, EFTA, the UK, and others—free of charge. We have also created a Deputy CISO role for Europe focused on evolving regulations such as DORA, NIS2, and the Cyber Resilience Act.
Global cybersecurity capabilities. Microsoft’s security platform analyzes over 84 trillion threat signals daily, one of the largest and most diverse threat intelligence datasets in the world, to help protect customers in Switzerland and globally from evolving cyber threats. In 2024, Microsoft blocks over 7,000 password attacks per second and tracks more than 1,500 threat actors worldwide.
Learn more: European Digital Commitments
8. How can transparency and verification be ensured by default?
Trust Center. Our Trust Center centralizes certifications, audit reports, data‑protection documentation (including the DPA), and product‑specific compliance content.
Customers have the right to conduct an audit, provided the necessary conditions are met.
Government Security Program. For governments, qualified authorities can review Microsoft source code in secure Transparency Centers (including in Ireland).
Biannual transparency reporting. We publish detailed, global reports on government requests for customer data and our responses.
We use industry-standard secure transport protocols like IPsec and TLS between datacenters and user devices. Data at rest benefits from double encryption, service-level encryption, and disk encryption. Azure Confidential Computing enables encryption even while data is being processed.
Microsoft commits to comply with all laws and regulations applicable to its providing of the products and services, including security breach notification law and data protection laws (including GDPR and Swiss data protection law).
9. What is the CLOUD Act?
The CLOUD Act clarifies the circumstances under which US law enforcement may seek access to data, regardless of where it is stored. Microsoft’s Law Enforcement and National Security team has published a CLOUD Act document that clearly explains, what the act does – and does not – allow, grounded in law and Microsoft’s transparency reporting. Here are some facts:
The CLOUD Act does NOT permit unfettered, bulk, or automatic government access to data. US law enforcement must meet strict legal requirements and obtain a warrant or court order subject to judicial approval. The law does not allow indiscriminate or bulk access to domestic or foreign data. To obtain a warrant or court order under US law, the government must prove to independent courts that there is reason to believe that evidence of crimes will be present in specified account data.
The CLOUD Act does NOT ignore foreign law. The law specifically recognizes a provider’s right to bring a challenge based on conflicts with foreign law and the international principle of comity. The concept of comity, or deference to foreign law, is based on principles of courtesy, reciprocity, and mutual respect for the sovereignty of nations. Microsoft is committed to challenging any US requests that fail to respect digital sovereignty and conflict with foreign laws.
CLOUD Act requests for foreign enterprise data are NOT common—and indeed are exceptionally rare. Microsoft’s transparency reports show that disclosures of foreign enterprise content data to US law enforcement constitute a mere 0.008% of the total number of demands that Microsoft has received eachaf year since the CLOUD Act was enacted, representing fewer than one out of every 10,000 demands.
The CLOUD Act does NOT permit the US to conduct economic espionage or access trade secrets of foreign companies. The US has a long-standing position of opposing any use of law enforcement or intelligence authorities to support the theft of intellectual property, including trade secrets or other confidential business information. Under US law, theft of trade secrets is subject to criminal prosecution with penalties of up to ten years in prison.
The CLOUD Act does NOT override technical controls like end-to-end encryption that protect digital sovereignty. Microsoft offers advanced encryption, data residency options, and customer-controlled encryption keys that provide customers with control of their data. Features like Azure Confidential Compute ensure that Microsoft is incapable of accessing data without customer assistance and consent. Microsoft does not provide any government with the ability to break our encryption.
Extraterritorial law enforcement access to data is NOT unique to the US. Many countries have laws and precedents that authorize their access to data stored in other jurisdictions. The Budapest Convention on Cybercrime and the UN Convention Against Cybercrime require parties to adopt laws to compel access to electronic records without regard to their location. This principle is also reflected in the EU e-Evidence Regulation, the laws of numerous EU Member States, Canadian law, UK law, and elsewhere.
The reach of the CLOUD Act is NOT limited to US companies. The law applies to any company that has “minimum” contacts with the US economy. Foreign cloud providers with any US presence, including those simply offering services over the internet in the US, may be subject to the CLOUD Act and required to turn over data to US authorities – regardless of where that data is stored. Eliminating exposure to US law would require relying on companies with no ties to the US economy, which would likely lack the global resources and expertise necessary to build and maintain world-class technology services.
10. How is Microsoft investing in Switzerland?
We are scaling to meet Swiss demand while supporting skills, innovation, and sustainability.
USD 400 million investment (announced June 2, 2025) to expand AI and cloud infrastructure in Switzerland, including advanced GPUs.
Serving 50,000+ customers, including those across regulated sectors such as finance and healthcare.
Helping skill 1 million people by 2027 in AI and digital competencies.
Renewable energy. To date, all electricity consumption in Switzerland has been covered by renewable energy purchases.
Our 36-year presence has created a thriving ecosystem. 4,600+ Swiss partner companies employ tens of thousands of professionals.
For every CHF Microsoft generates, our partner ecosystem creates 8+ CHF of additional value.
We operate the Spatial AI Lab in Zurich, partner with ETH Zurich (including a collaboration on AI Red-Teaming), EPFL, Switzerland Innovation Parks, and Deep Tech Nation, representing real Swiss jobs, Swiss expertise, and Swiss innovation capacity that strengthen economic competitiveness.
Read more: Switzerland’s Digital Future: Microsoft’s Commitment
Learn more
Sovereign Cloud Capabilities (November 2025) → Microsoft strengthens sovereign cloud capabilities with new services | Microsoft Azure Blog
European Digital Commitments → https://blogs.microsoft.com/on-the-issues/2025/04/30/european-digital-commitments/
Sovereign solutions for Europe → https://blogs.microsoft.com/blog/2025/06/16/announcing-comprehensive-sovereign-solutions-empowering-european-organizations/
EU Data Boundary (completion) → https://blogs.microsoft.com/on-the-issues/2025/02/26/microsoft-completes-landmark-eu-data-boundary-offering-enhanced-data-residency-and-transparency
Government Requests for Customer Data Report → https://www.microsoft.com/en-us/corporate-responsibility/reports/government-requests/customer-data
Switzerland investment (June 2, 2025) → https://news.microsoft.com/de-ch/2025/06/02/microsoft-deepens-switzerlands-digital-future-with-strategic-investment-in-cloud-and-ai-infrastructure-startups-skilling-and-innovation/
Defending your Data → https://blogs.microsoft.com/on-the-issues/2020/11/19/defending-your-data-edpb-gdpr/
Advance European Commerce and Culture → Unlocking data to advance European commerce and culture – Microsoft On the Issues
European Security Program → Microsoft launches new European Security Program – Microsoft On the Issues