
US CLOUD Act: why a Swiss cloud region is not data sovereignty
Microsoft, Google and AWS are subject to the US CLOUD Act, even when the data sits in a Swiss datacenter. What this means for regulated industries, and what real data sovereignty looks like.
Many Swiss companies believe their data is safe as soon as it sits in a Swiss region of Microsoft, Google or AWS. Legally that is a misconception, because the US CLOUD Act reaches across borders.
What is the US CLOUD Act?
The Clarifying Lawful Overseas Use of Data Act of 2018 obliges providers subject to US jurisdiction to hand over data in their possession, custody or control, regardless of which country the servers are in. So what matters is not where the data sits, but whether the provider is subject to US law. In practice that covers the European subsidiaries of US corporations as well, because the data is under the control of the US parent.
Why does it affect Switzerland?
The Swiss datacenters of the large hyperscalers are ultimately controlled by US corporations too. That means the data stored there potentially falls under the CLOUD Act, despite a Swiss address. How real this is became clear in June 2025: Microsoft's French subsidiary had to admit under oath before the French Senate that it cannot rule out disclosure to US authorities even for data stored in France. For banks, insurers, lawyers, doctors, fiduciaries and public authorities that must uphold professional secrecy, banking secrecy or the revised Swiss Federal Act on Data Protection (revFADP), this is a real problem.
Data location is not data sovereignty
A server in Zurich alone offers no protection if the operator is subject to a foreign jurisdiction. A provider can in theory move to quash a disclosure order on the grounds that it would violate the law of the country concerned, but the burden of proof lies with the provider, and the CLOUD Act only recognises such an objection for countries that have concluded an executive agreement with the US. So far the US has concluded such agreements only with the United Kingdom and Australia, not with Switzerland. Data sovereignty only exists when location, operator and governing law are all in Switzerland, with no foreign parent company that can be compelled to disclose.
What you should do
- Classify your data: which information is genuinely sensitive or regulated?
- For sensitive data, choose a provider that offers exclusively Swiss law and Swiss ownership.
- Review contracts and subprocessors, especially for Microsoft 365 and other cloud services.
- Where possible, encrypt with your own keys so the provider never sees the data in clear text. That only holds if the key is kept outside the provider: a "bring your own key" setup where the key is imported into the provider's own key management service does not achieve it, because the provider still performs the decryption with that key.
The point
Public cloud is convenient and perfectly fine for plenty of data; the CLOUD Act does not allow arbitrary mass collection, but applies within concrete criminal proceedings. For anything that must not leave Switzerland, however, what counts is not the claim that the data is in Switzerland, but the question of who could access it if it came to that, without Swiss judicial oversight.
How we solve this for you.
Our private cloud runs exclusively under Swiss law and in Swiss hands, with no access path via the CLOUD Act. That makes it suitable for data that must not leave Switzerland.
You might also like.

FortiBleed: when the problem is not the flaw but the credentials
FortiBleed is not a FortiOS flaw but a credential-harvesting campaign against Fortinet devices. Why stolen credentials and missing MFA are the real risk, and how a managed firewall subscription prevents it.

VMware after Broadcom: what the new licensing costs mean for SMEs
Since the Broadcom takeover, VMware is subscription-only and often much more expensive. What options SMEs have, from Proxmox to a managed private cloud.

The single-person IT risk: what happens when your IT person is out?
In many SMEs the entire IT depends on one single person. What that means in an emergency, and how to defuse the risk without building a whole department.