19 May 2026

Data Sovereignty in the Cloud


Concrete Steps for the Legally Compliant Implementation of Cloud Projects in Switzerland.

  • Dr. Martin Eckert

    Legal Partner

Hybrid cloud architecture complicates the mapping of data locations, access, responsibilities, and applicable law. Data sovereignty has become a key governance and risk management issue: it requires careful contracts, documented data flows, clear roles, effective technical and organizational measures (TOM), and ongoing review. The following article classifies key architectural models and outlines six steps for the legally compliant and cyber-resilient implementation of cloud projects in Switzerland.

Companies must structure data processing in such a way that data protection, information security, and regulatory requirements are demonstrably complied with. Data sovereignty is thus a legal compliance and security requirement: it reduces liability and sanction risks, supports incident response, and enables robust decisions regarding outsourcing, sub-processors, and international data transfers.

Data sovereignty means having legal (i.e., contractual and regulatory) and technical control over the storage location, access, and processing of data. This includes, in particular, data classification, authorization concepts, logging, encryption, contractual management of data processors and sub-processors, as well as the control of transfers to third countries and foreign access options.

I. Executive Summary

The following points are central to data sovereignty:

  • Legal certainty: The EU GDPR and EBA (European Banking Authority) requirements, as well as the Swiss Federal Act on Data Protection (FADP), Swiss Federal Act on Information Security (FAIS or ISA), and FINMA requirements, mandate contractually regulated, documented data flows, clear responsibilities, appropriate technical and organizational measures (TOM), and auditable evidence. Critical areas include data processing, sub-processor chains, data localization, and international data transfers.
  • Architectural decisions: On-premises, hybrid cloud, sovereign cloud, and open source differ in terms of control, auditability, exit capability, and costs. The choice must be based on a risk analysis and supported by a security and compliance framework (including responsibilities).
  • Governance and Roles: Sovereignty is established through binding guidelines, responsibilities, and controls. Executive management and the board of directors bear overall responsibility; the CISO and data protection function ensure implementation, monitoring, incident response, and regular audits.
  • Technology (Zero Trust and Encryption): Zero Trust and encryption are the minimum technical requirements for regulatory-compliant data processing in the cloud. Strong authentication, least privilege, end-to-end encryption, key management, and traceable logging are required.

II. Fundamentals of Data Sovereignty

Data is the foundation of value creation and, at the same time, the subject of legal rights and liability. Data sovereignty is therefore becoming a prerequisite for operating models that are technically resilient and legally sound. Demonstrable compliance, controlled data flows, and contractually secured outsourcing and transfer scenarios are essential.

  1. What does data sovereignty mean?

    Data sovereignty is the ability to control and verify data location, access, and processing at all times in a legally compliant manner.

  2. Elements of data sovereignty

Before implementing technical solutions, protection needs, roles, and legal requirements must be defined, including processing arrangements and transfer requirements. The fundamentals for this are:

  • Control: Controllability of all data flows and access. Every access must be logged, monitored, and verifiable if required.
  • Compliance: Compliance with applicable regulations (EU GDPR, EBA, FADP, FINMA, ISA, cantonal rules, industry rules). In particular, clear legal bases, disclosure obligations, data processing agreements, control of sub-processors, transfer impact assessments where necessary, as well as documented technical and organizational measures (TOM) and evidence (i.e., certifications) are required.
  • Security: Protection against unauthorized access and structural dependence on third parties. Without security, there is no real control.

The goal is a technological setup that enables flexibility while ensuring regulatory compliance. It must be resilient against cyberattacks, data leaks, and internal threats.

III. Challenges for Data Sovereignty in the Hybrid Cloud

Hybrid cloud models, combined with sovereign cloud providers and automated compliance, are the most viable approach for most large enterprises, both economically and from a regulatory perspective. Maturing cloud landscapes, outsourcing, and increasing security requirements heighten complexity and risk. The more data flows between on-premises environments, cloud platforms, and service providers, the more critical it is to have clear contracts, documented data flows, precise responsibilities, effective controls, and robust evidence.

This presents various challenges:

  • Dependence on service providers: Without exit and portability clauses, lock-in risks and uncontrolled data flows arise. Contracts must at least address sub-service providers, audit and information rights, data return and deletion, support services, and cooperation in the event of incidents and requests from authorities.
  • Legal requirements in the EU and Switzerland: Transparency, appropriate technical and organizational measures (TOM), and clear responsibilities are required. Critical areas include data processing, outsourcing under FINMA regulations, data classification, auditability and the ability to provide evidence, as well as transfers to third countries and foreign access.
  • Technical complexity: Interfaces and interoperability increase the attack surface. Data classification, role and authorization concepts, standardization, and continuous monitoring and logging are necessary.

A robust interplay of governance, security architecture, and compliance is crucial to ensuring data sovereignty in hybrid and cloud-based environments in the long term. A legal and technical cloud security assessment provides transparency regarding data flows, access concepts, architectural models, and regulatory risks, thereby forming the foundation for secure, sovereign, and compliant operating models.

IV. A Comparison of Five Architectural Models for Data Sovereignty


There is no one-size-fits-all approach to data sovereignty. The appropriate architecture model depends on protection requirements, budget, regulatory exposure, and existing IT infrastructure.

The following models illustrate how differently companies may prioritize control, compliance, security, and operational capability:

  • On-premises solutions: High level of control and clear accountability. Suitable for high protection requirements or regulatory mandates regarding data localization. However, this requires equally documented TOM, access controls, and auditability.
  • Hybrid cloud strategies: A balance between agility and control. This requires that data flows be documented, TOM be implemented, and responsibilities be defined. Every interface must be treated as a risk point: security measures, monitoring, regular testing, and audits are mandatory.
  • Sovereign cloud providers: Cloud services with local jurisdiction, provided that the operator, sub-processors, and data locations are within the relevant legal jurisdiction. The operator structure, access from abroad, encryption and key control, audit evidence, as well as exit and portability must be reviewed.
  • Open-source and community solutions: Ideal for organizations that prioritize independence and transparency. They can be used without restriction in Germany, Austria, and Switzerland—the decisive factor is the hosting and operating location.
  • Joint Approach: Zero-Trust and Encryption: A central element of any sovereign IT architecture. Recommended for implementing the principles of Privacy by Design. From a CISO’s perspective, Zero-Trust is not a “nice-to-have” but a “must-have.” Every access must be authenticated, authorized, and encrypted—regardless of location or device.

 

V. 6 Steps to Data Sovereignty

Data sovereignty arises when key control dimensions interact systematically. Successful architecture requires a clear framework, automated processes, and organization-wide adoption.

These six steps help with implementation:

  1. Establish and document governance: Define roles and responsibilities as well as decision-making processes; create or supplement guidelines (data classification, access management, retention, data localization).
  2. Categorize data: Classify data assets based on GDPR categories and the FADP risk assessment (as well as other requirements).
  3. Evaluation and contracts: Conduct due diligence regarding jurisdiction, subcontractor chains, data locations, certifications, and audit reports (e.g., ISO 27001, SOC 2, ISAE). Contracts must specifically ensure rights to information, audit, and instruction; the engagement of subcontractors; the use of AI; and cooperation in the event of incidents.
  4. Define an exit strategy: Contractually regulate data repatriation, data portability, format standards, transition support, deletion, and evidence. Deadlines, costs, and dependencies must be tested in advance.
  5. Automate compliance: Automatically record and regularly review controls, evidence, and reporting processes.
  6. Strengthen awareness: Continuously train employees on data protection, access policies, and governance.

Conclusion: Managing data sovereignty as an ongoing transformation process

Data sovereignty is an ongoing transformation process. Regulatory requirements establish clear guidelines but leave sufficient room for flexibility. A well-orchestrated interplay of governance, foundational technological architecture, and organizational expertise is crucial.

The path to true data sovereignty lies in modernized security architectures, transparent governance, and robust compliance processes. Many organizations face the challenge of integrating technical, regulatory, and organizational requirements into a unified governance model. Where these requirements converge, a robust classification of data flows, architectural models, access concepts, and regulatory risks is required.

VI. MME’s Services to strengthen your Data Sovereignty

Legal Cloud Security Assessment: We verify whether your IT operating models are legally compliant - in close collaboration with technical partners. A legal cloud security assessment provides transparency regarding data locations, access, responsibilities, and transfer risks, and forms the basis for audit-ready decisions. The goal is to establish operating models with traceable controls and robust compliance.

  • Contractual assurance of Zero Trust architectures as the foundation of sovereignty
    We design contractual Zero Trust models with strong authentication, least privilege, logging, and key management. This makes access traceable and operationalizes TOM in accordance with GDPR, FADP, EBA, ISA and FINMA requirements, while ensuring contractual safeguards.
  • Contractual assurance of highly secure infrastructure solutions and sovereign operating environments
    Establishment of on-premises, hybrid, or sovereign environments with data classification, isolated data zones, encryption, and controlled interfaces. We also address the sensitive contractual requirements regarding data localization, access from abroad, AI deployment, and sub-processor control.
  • Specific compliance reviews in line with regulatory requirements
    Legal assessments regarding data classification, TOM, order processing, sub-processor chains, international data transfers, key management, and governance. The results include prioritized measures, clear evidence, and audit-ready documentation.

We are happy to assist you. 


Image generated by AI. This magazine article was inspired by a blog post by InfoGuard’s Michael Fossati. InfoGuard AG is a cybersecurity partner of MME.