In 2026, the question is no longer where your data sits; it is which jurisdiction can subpoena it, who controls the AI model processing it, and whether you can leave your provider if geopolitics demands it.
Introduction: From Cloud Sovereignty to a Broader Conversation
Last September, I argued that cloud sovereignty is not a switch to flip; it is a continuum of jurisdictional, operational, technical, and supply-chain controls that can be tuned per workload and per risk scenario. I proposed a “sovereignty ladder” as a practical framework: each rung accumulates the prior one, each implies cost and complexity, and each should be justified by risk and strategy, not slogans.
That ladder still stands. But the world around it has shifted. Dramatically.
TL;DR: What you need to know
- Geopolitical incidents in 2025, from the ICC / Microsoft lockout to Starlink leverage in US–Ukraine negotiations, turned sovereignty from a compliance debate into an operational continuity risk. The Franco-German Summit (18 November 2025) and Switzerland’s Digital Strategy 2026 made it a political priority.
- A dense regulatory wave is now in force: the EU Data Act mandates cloud portability, the AI Act’s main framework lands on 2 August 2026, and Swiss regulators (privatim, FINMA, SBA) are tightening expectations on jurisdictional control and exit readiness.
- The cloud market is adapting (hyperscalers are building sovereign overlays, European alternatives are maturing), but the real shift is broader: digital, AI, and technology sovereignty now demand control over the full stack, from infrastructure and models to corporate structures and supply chains.
- For practitioners: sovereignty remains a risk decision, not an ideology. Map your dependencies, document your risk acceptances, build exit capability, and assign clear accountability. The ladder has more rungs now. Start climbing where the exposure is greatest.
In the seven months since that article, sovereignty has broken out of its cloud-specific container. What was primarily a conversation about data residency, encryption keys, and provider jurisdiction has expanded into a full-spectrum strategic concern: who controls your digital infrastructure, your AI models, and your technology supply chain, and under whose laws.
Three forces drove this acceleration.
Geopolitics moved from theory to incident. The US CLOUD Act’s tension with European data protection was always a structural risk. In 2025, it became an operational one, with real-world disruptions to the International Criminal Court’s communications, reports of Starlink access being used as diplomatic leverage, and a hardening US posture toward EU tech regulation. These incidents helped turn strategic autonomy from a talking point into a political priority, feeding into initiatives such as the Franco-German Summit on European Digital Sovereignty in November 2025. Section 2 covers these catalysts in detail.
Regulation crystallised into obligation. The EU Data Act entered into force on 11 January 2024 and became applicable on 12 September 2025, turning cloud switching and interoperability from best practices into legal requirements. The EU AI Act continued its phased rollout: prohibited practices and AI literacy from 2 February 2025, GPAI obligations from 2 August 2025, with the Act becoming broadly applicable from 2 August 2026, though some high-risk obligations for systems embedded in regulated products run on a longer timetable to 2 August 2027. Switzerland’s Federal Council named digital sovereignty as a focus theme for 2026. And privatim’s November 2025 resolution, sharply restricting the acceptable use of international SaaS for sensitive public-sector data unless true end-to-end encryption is in place and the provider cannot decrypt, sent a clear signal that regulatory expectations are tightening, not relaxing.
AI raised the stakes entirely. The question is no longer just “where is my data?” but “who controls the model that processes it, the data it was trained on, and the infrastructure it runs on?” With Europe holding only a modest share of global AI computing capacity versus the dominant US position, AI sovereignty has emerged as the defining challenge, one that makes cloud sovereignty look like a necessary but insufficient foundation. Switzerland’s response (the Apertus national LLM, the Alps supercomputer, sovereign AI stacks from providers like Phoenix / PHOENIQS) signals that this is not abstract policy but active infrastructure investment.
This article picks up where the last one left off. It expands the lens from cloud sovereignty to the broader landscape of digital, AI, and technology sovereignty, primarily through the Swiss lens, with Europe as the essential context. It covers what changed politically and regulatorily, where the cloud sovereignty market stands in 2026, what “digital and technology sovereignty” means beyond the cloud, and what this all means practically for IT leaders and decision-makers.
Dedicated follow-ups on cloud sovereignty and AI/data sovereignty will go deeper into their respective domains. For now, consider this the map, updated for a world that moved faster than most organisations expected.
As I wrote last time: sovereignty is not a destination but a discipline. Only now, that discipline extends further than we anticipated, and the cost of not climbing the ladder has become far more visible.
What Changed: The Political and Geopolitical Catalysts
If sovereignty was a slow-building concern in 2024, it became an operational reality in 2025. Several events converged to move the conversation from strategy decks to emergency board meetings.
The CLOUD Act stopped being abstract. The US CLOUD Act of 2018 has always been the structural fault line beneath European cloud adoption: it empowers US authorities to compel American technology companies to hand over data regardless of where it is physically stored. For years, this was treated as a theoretical risk; something lawyers debated but operations teams deprioritised. That changed.
In May 2025, reports surfaced that the International Criminal Court’s chief prosecutor, Karim Khan, had lost access to his Microsoft Outlook account, a consequence of US sanctions imposed on ICC officials in February over arrest warrants connected to the conflict in Gaza. Microsoft disputed the characterisation, but the disruption was widely reported and the signal was unmistakable: a European-based international institution, relying on a US provider, found its communications disrupted as a consequence of US foreign policy. By October 2025, the ICC confirmed it was replacing Microsoft Office with openDesk, an open-source suite from Germany’s ZenDiS. Meanwhile, Reuters reported that US negotiators had raised the possibility of cutting Ukraine’s Starlink access during talks on critical minerals. The “digital kill switch”, the idea that a foreign government could selectively degrade or disrupt European digital services, stopped being a thought experiment.
For Swiss and European executives, the lesson was immediate: jurisdictional dependency is not just a compliance risk. It is an operational continuity risk with geopolitical dimensions that no DPA or SCC can contractually neutralise.
Europe responded institutionally. On 18 November 2025, France and Germany convened a Summit on European Digital Sovereignty in Berlin, identifying seven strategic pillars and launching a joint task force to report in 2026. The institutional signal was reinforced at the Commission level: the second von der Leyen Commission created the position of Executive Vice President for Tech Sovereignty, Security and Democracy, appointing Henna Virkkunen to oversee the EU’s digital agenda. Sovereignty was no longer a fringe concern; it had become an organising principle for EU industrial policy.
Switzerland drew its own red lines. On 12 December 2025, the Federal Council adopted the Digital Switzerland Strategy 2026 and listed digital sovereignty as one of its focus themes for 2026, alongside “digital host state” and the roll-out of the e-ID. The Federal Administration committed to increasing its digital sovereignty and resilience, with an interdepartmental working group tasked with identifying security and foreign policy risks arising from digital resources.
But the sharpest Swiss signal came a few weeks earlier. On 24 November 2025, privatim (the Conference of Swiss Data Protection Officers) issued a resolution that sharply restricted the acceptable use of international SaaS for especially sensitive or legally confidential public-sector data. The resolution concluded that outsourcing such data to SaaS solutions from large international providers is only permissible if the public body itself encrypts the data and the cloud provider has no access to the key. Most mainstream offerings from Microsoft, Google, and Amazon do not meet this bar without additional tooling.
For now, the privatim resolution applies to the public sector. But the trajectory is clear. Regulated industries (banking, insurance, healthcare, legal services) tend to align with standards set by government bodies. The question is obvious: if US-based SaaS is too risky for Swiss authorities, how long before the same logic applies to banks and hospitals?
Sovereignty-by-acquisition became a new risk vector. Even organisations that deliberately chose European providers discovered a new vulnerability. In November 2025, the American IT services company Kyndryl announced its intention to acquire Solvinity, a Dutch managed cloud provider. This came as an unpleasant surprise to several of Solvinity’s government clients, including the municipality of Amsterdam and the Dutch Ministry of Justice and Security, who had specifically selected Solvinity to reduce their dependence on American firms. Solvinity also runs the infrastructure behind DigiD, the national digital identity system used by 16.5 million Dutch citizens. The deal triggered a parliamentary roundtable, cabinet-level concern, and a 140,000-signature petition.
The lesson was sobering: sovereignty is not a one-time procurement decision. It requires ongoing vigilance over the corporate ownership, jurisdictional exposure, and supply-chain dependencies of your entire provider ecosystem. A European provider today can become a US-owned entity tomorrow, and with it, the legal protections you relied on can evaporate.
The net effect: sovereignty became non-optional. By the end of 2025, digital sovereignty had moved from a CIO-level technical concern to a board-level strategic risk. The political catalysts (incidents, summits, resolutions, acquisitions) created a ratchet effect: each event made it harder for organisations to justify inaction, and easier for regulators to justify tightening the screws. The question shifted from “should we care about sovereignty?” to “how fast can we act on it?”
The Regulatory Wave: New Frameworks Shaping Sovereignty
The political catalysts described above did not occur in a regulatory vacuum. They landed on top of, and accelerated, a dense wave of digital regulation across Europe and Switzerland. This is not an exhaustive legal analysis; rather, it is a strategic map of the frameworks that matter most for cloud, digital, and AI decision-making in 2026.
The EU Data Act: sovereignty through portability. The EU Data Act (Regulation 2023/2854) entered into force on 11 January 2024 and became applicable on 12 September 2025, marking a philosophical shift. Rather than mandating where your data must sit, it mandates that you must be able to move it. Chapter VI introduces a dedicated regime for switching between cloud and data-processing services: providers must remove contractual, commercial, and technical barriers to switching; include comprehensive switching clauses in contracts; support functional equivalence on the target platform; and provide open interfaces and interoperable formats. From 12 January 2027, switching charges, including data-egress charges, are removed entirely.
The strategic implication is subtle but powerful. The Data Act operationalises what I would call “interoperable sovereignty”: it accepts that European organisations will use global infrastructure, but demands that dependency is always reversible. For CIOs, this means exit readiness is no longer a nice-to-have architecture principle; it is a legal obligation. And for hyperscalers, the era of lock-in economics is being dismantled by regulation, not just by market competition.
The EU AI Act: phased rollout, real deadlines. The EU AI Act (Regulation (EU) 2024/1689) entered into force on 1 August 2024 and is being implemented in stages. Prohibited AI practices and AI literacy obligations have applied since 2 February 2025. Governance rules and obligations for general-purpose AI (GPAI) models became applicable on 2 August 2025. The Act becomes broadly applicable from 2 August 2026, including transparency requirements and the main compliance framework for high-risk AI systems in Annex III. High-risk AI systems embedded in regulated products have an extended transition to 2 August 2027, and the Commission’s Digital Omnibus proposal, still under negotiation, could delay some high-risk rules further.
From a sovereignty perspective, the AI Act does not explicitly mandate data localisation. But its effect is indirect and significant: if your AI system processes sensitive health data, financial records, or critical infrastructure telemetry and is classified as high-risk, GDPR Article 48 requirements create a direct tension with providers subject to extraterritorial laws like the US CLOUD Act. You cannot lawfully hand over such data to a foreign authority based solely on a foreign court order; a formally recognised international agreement is required. This legal reality is pushing European enterprises toward sovereign AI infrastructure where jurisdictional control is unambiguous.
Meanwhile, the Digital Omnibus simplification package, proposed by the Commission in November 2025, aims to reduce compliance friction. Among other things, it proposes linking the application of certain high-risk AI rules to the availability of harmonised standards, which could effectively extend some deadlines; it would also broaden regulatory flexibility for small mid-caps and simplify GDPR provisions for AI training data. The package signals that the EU is trying to balance sovereignty ambitions with competitiveness concerns, though as of early 2026, it is still working its way through Parliament and Council.
The Cloud and AI Development Act (CADA): Europe’s capacity play. One of the most important announced EU initiatives is the Cloud and AI Development Act (CADA), which the Commission had planned to propose in Q1 2026. CADA aims to address data-centre permitting bottlenecks, increase computational resources for startups, and (critically) establish EU-wide eligibility criteria for cloud service providers along with harmonised procurement processes. Its direction is clear, but its final legal shape is not yet settled. Whether CADA will effectively restrict non-EU providers or adopt a risk-based assurance model remains to be seen.
Complementing this is the European Commission’s Cloud Sovereignty Framework, currently used in Commission procurement to assess providers through minimum Sovereignty Effectiveness Assurance Levels (SEALs) and a detailed Sovereignty Score (SOV). The framework explicitly includes exposure to foreign extraterritorial laws as a sovereignty factor, a point we return to in Section 4.
Switzerland: no omnibus, but sharp sectoral tools. Switzerland’s regulatory approach to sovereignty is characteristically different from the EU’s. There is no equivalent of the Data Act, no horizontal AI Act, and no CADA. Instead, Switzerland achieves similar outcomes through a combination of its revised Federal Act on Data Protection (revFADP), sector-specific financial regulation, and industry guidelines.
The revFADP, in force since 1 September 2023, is technology-neutral and applies fully to AI and cloud processing. It requires data-protection impact assessments for high-risk processing and adequate safeguards for international transfers, with Swiss-specific “add-ons” to the EU Standard Contractual Clauses. Notably, and in contrast to GDPR, the Swiss framework allows for criminal fines targeting responsible natural persons, not just corporate entities, creating a highly personal risk environment for CISOs and IT leaders.
For the financial sector, FINMA Circular 2018/3 (Outsourcing) and FINMA Circular 2023/1 (Operational Risks and Resilience – Banks) set a high bar for cloud governance. The 2023/1 circular broadened data categories from “Client Identifying Data” to “bank client data” and “critical data,” expanding the scope of protection in outsourcing arrangements. FINMA’s thematic work on cyber risks and outsourcing flags cloud outsourcing and third-party dependency as persistent operational risks, noting both rising significant public-cloud outsourcing and that a notable share of reported cyber incidents involves third parties. The Swiss Bankers Association’s Cloud Guidelines (third edition, November 2025) align with FINMA’s framework and emphasise reversibility, auditability, and documented exit strategies.
The net picture: Switzerland does not prohibit foreign hyperscalers, but it imposes a governance, reversibility, and transparency bar that in practice favours providers with clear jurisdictional alignment. And from 1 April 2025, mandatory 24-hour cyber-attack reporting to Switzerland’s federal cyber authority (NCSC/BACS) for critical infrastructure added yet another layer of operational accountability.
What this means for practitioners. The regulatory landscape in 2026 is not a single wall; it is a layered mesh. The EU builds horizontal frameworks (Data Act, AI Act, CADA) that apply broadly. Switzerland builds vertical, sector-specific tools (revFADP, FINMA, SBA) that achieve similar constraints through a different philosophy. For organisations operating across both jurisdictions, which includes most Swiss multinationals and any EU firm with Swiss operations, the compliance surface is substantial, but the underlying logic converges: demonstrate control, ensure reversibility, and manage jurisdictional risk with technical measures, not just contracts.
Cloud Sovereignty: Where We Stand in 2026 (Preview)
Cloud sovereignty has its own dedicated follow-up article coming in this series. But the headline numbers and structural dynamics are essential context for what follows.
The market is booming, and still lopsided. Gartner projects worldwide sovereign cloud IaaS spending will hit USD 80 billion in 2026, a 35.6% increase year-on-year, with Europe (83%), Mature Asia/Pacific (87%), and Middle East and Africa (89%) all recording strong growth, and Europe forecast to surpass North America in sovereign cloud IaaS spending by 2027. Yet US hyperscalers still dominate the European cloud market, and no European provider has so far come close to matching them at scale. Forrester predicts no European enterprise will shift entirely away from US hyperscalers in 2026. The dependency is structural.
Hyperscalers are adapting, not retreating. AWS launched its European Sovereign Cloud in January 2026: a physically and logically separate partition in Brandenburg with EU-citizen-only management, backed by €7.8 billion in investment through 2040. Microsoft extended Sovereign Public Cloud capabilities across all European regions, including Switzerland, with Data Guardian, External Key Management, and a substantial Swiss infrastructure investment. Google offers its Regional Controls package at no additional cost across its regions including Switzerland. These are serious engineering investments, but the parent companies remain US-incorporated and therefore subject to the CLOUD Act. Whether contractual and architectural separations can withstand a determined US government request remains untested in court.
“Sovereignty washing” is the open risk. As demand grows, so does the risk of providers marketing solutions as “sovereign” without delivering genuine jurisdictional independence. The Commission’s Cloud Sovereignty Framework, with its SEAL and Sovereignty Score criteria, attempts to bring rigour to procurement, but whether its approach is robust enough to prevent well-resourced hyperscalers from gaming the system remains the defining market question of 2026.
Swiss and European alternatives are maturing fast. Phoenix / PHOENIQS, Swisscom, Infomaniak, and Exoscale now offer production-grade sovereign platforms targeting finance, healthcare, and government. These are no longer third-tier alternatives, and the capability gap with hyperscalers is narrowing faster than most CIOs expected.
The pragmatic model is both, governed deliberately. Critical workloads on sovereign platforms, innovation on hyperscaler scale, unified governance across both. BCG estimates a sovereignty premium in the range of 15–30%, increasingly reframed as insurance against non-compliance, forced re-migration, or geopolitical disruption. And while industry surveys consistently show growing concern over hyperscaler dependency among Swiss enterprises, far fewer organisations have a functioning exit plan. If you cannot leave, you are not sovereign.
But sovereignty is not an argument against cloud. It is worth pausing to remember why cloud matters in the first place. Ukraine’s experience since February 2022 provides the most powerful case study. Facing an existential threat to its physical infrastructure, the Ukrainian state migrated over 10 petabytes of government data, 42 ministries, and more than 100 state databases to public cloud within months. PrivatBank, serving nearly 20 million customers, moved its core applications and client data to AWS in a matter of weeks. Land registries, educational records, and tax systems all survived because they were no longer anchored to buildings that could be destroyed by cruise missiles. The cloud-native Delta battlefield management system became the operational backbone of Ukraine’s defence. The lesson is stark: on-premise infrastructure is a single point of failure when your threat model includes physical destruction. Cloud provides the elasticity, geographic distribution, and resilience that no local data centre can match. The sovereignty debate is not “cloud versus no cloud”; it is about ensuring that your cloud architecture does not create a different kind of single point of failure, one based on jurisdictional dependency rather than physical vulnerability.
The dedicated cloud sovereignty article will go deeper into provider comparisons, architectural patterns, the sovereignty premium economics, and exit-readiness frameworks. For now, this is the market context that shapes everything else in this piece.
Digital and Technology Sovereignty: Beyond the Cloud
Cloud sovereignty is necessary but no longer sufficient. The conversation in 2026 has broadened to encompass the full digital stack: infrastructure, platforms, applications, identity systems, hardware, and supply chains, and even the corporate structures that determine whether Europe can build its own technology companies at scale.
The EuroStack vision: Europe’s full-stack ambition. The most ambitious articulation of this broader sovereignty is the EuroStack initiative, a coalition including Nextcloud, IONOS, Ecosia, and economist Cristina Caffarra. EuroStack argues that Europe needs sovereign capacity across the entire digital infrastructure, from undersea cables to cloud to AI to applications. It is not a single product but a strategic framework: open standards, federated architecture, market-driven investment, and a clear-eyed definition of where European alternatives can and should compete with US platforms.
EuroStack’s political traction has been significant. It was explicitly anchored in Germany’s coalition agreement in early 2025. France and the Netherlands have aligned with its principles. The European Parliament’s Committee on Industry, Research and Energy drew heavily on EuroStack thinking when defining tech sovereignty. And the Franco-German Summit in November 2025 reflected its seven-pillar structure. Critics argue, correctly, that building a European competitor to AWS or Azure is financially unrealistic and risks burdening European businesses with higher costs and lower capabilities. EuroStack’s proponents counter that the goal is not autarky but strategic resilience: creating genuine choice and reducing the leverage that comes with monopoly dependency.
EURO-3C: from vision to funded infrastructure. At Mobile World Congress 2026, the European Commission unveiled EURO-3C, a project to develop Europe’s first large-scale federated Telco-Edge-Cloud infrastructure, backed by Telefónica, dozens of European companies, and Horizon Europe funding. EURO-3C aims to fill a concrete gap: the EU wants its growing portfolio of digital government services on infrastructure under full EU control, but lacks a real equivalent to the US hyperscalers. Whether EURO-3C can overcome the inertia of established platforms remains to be seen (developers and public procurement teams are deeply embedded in AWS and Azure ecosystems), but the funding commitment signals that European digital sovereignty is moving from aspirational white papers to funded engineering.
Gaia-X in 2026: not what it was supposed to be, but useful. The Gaia-X initiative has been criticised for years as bureaucratic, abstract, and ultimately a failure. That criticism was partly fair; Gaia-X was never going to become a European hyperscaler, and its early years were marked by governance sprawl and hyperscaler co-optation. But in 2026, Gaia-X has found a more honest role: it has matured into a standards and interoperability framework, providing the trust specifications and verification rules that allow different sovereign clouds and industry-specific data spaces to interoperate. Lighthouse projects like Community-X (municipal data in Germany), Data4Industry-X (French industrial data), and RegenAg-X (cross-border agriculture) demonstrate that federated data sovereignty can work in practice. Gaia-X did not replace hyperscalers (no one seriously expected it to), but it is providing the connective tissue between Europe’s growing patchwork of sovereign offerings.
Open source as a sovereignty enabler. Technology sovereignty is not only about building European hardware; it is also about reducing dependency on proprietary software stacks. After the ICC’s chief prosecutor lost access to his Microsoft account in May 2025, the Court confirmed in October 2025 that it was replacing Microsoft Office with openDesk, an open-source suite delivered by Germany’s Centre for Digital Sovereignty (ZenDiS). Germany’s ZenDiS initiative and France’s public-sector open-source mandates demonstrate that open standards, open-source stacks, and interoperable formats are practical sovereignty tools. They reduce vendor lock-in, enable portability, and create exit options that proprietary ecosystems systematically discourage. For enterprises, the implication is not “abandon Microsoft”; it is “ensure that your architecture does not make you captive to any single vendor’s legal jurisdiction.”
Technology sovereignty: the hardest layer. At the deepest level, technology sovereignty means controlling, or at least having credible alternatives for, the hardware, chips, and supply chains that underpin digital infrastructure. The EU Chips Act, adopted in 2023, aims to double Europe’s global semiconductor market share to 20% by 2030, mobilising public and private investment on that scale. This is the most capital-intensive and time-horizoned dimension of sovereignty, and the one where Europe remains most dependent on non-European suppliers. For most enterprises, technology sovereignty at the hardware level is a government and industrial-policy concern, not a near-term procurement decision. But it shapes the strategic context: the more Europe invests in domestic chip capacity, foundry capabilities, and alternative supply chains, the more credible the entire sovereign stack becomes over the medium term.
But sovereignty needs companies, and Europe makes it hard to build them. There is a deeper structural obstacle to European technology sovereignty that no regulation or industrial programme can solve on its own: the patchwork of 27 distinct legal systems that makes it significantly harder to found, fund, and scale a technology company in Europe than in the United States or China.
In the US, the “Delaware Inc” model provides a single, predictable, globally trusted standard for corporate law. A startup can incorporate in hours, raise capital from any US or international investor under a familiar legal framework, and scale across a 330-million-person market without crossing a single jurisdictional boundary. Delaware’s Court of Chancery offers specialised, experienced adjudication of corporate disputes. The entire system (legal structure, capital access, talent mobility, tax treatment of stock options) is optimised for the speed and scale that technology companies require.
In Europe, founders face the opposite: painfully bureaucratic incorporation processes (Germany’s can take weeks, with mandatory notary sessions and high capital requirements), 27 different national systems for corporate disputes, bankruptcy, and minority investor rights, and tax regimes that often tax stock options before they are liquid, effectively penalising the very talent that sovereign tech companies need to attract. This fragmentation directly drives Europe’s most promising companies and founders to move their legal headquarters to the US for access to global capital markets and legal certainty.
The European Commission’s “EU Inc” proposal attempts to address this, offering fast digital incorporation, a flat fee, and a “once-only” data submission principle. But it falls short of the structural ambition required. Rather than creating a true “28th regime”, a single, standalone European company structure, the proposal effectively introduces 27 national versions of EU Inc. Corporate disputes, bankruptcy proceedings, and investor rights will still be governed by 27 different national court systems and legal traditions. Without a specialised, unified EU-wide corporate court analogous to Delaware’s Court of Chancery, legal certainty for large-scale international investors remains elusive.
This matters directly for technology sovereignty. You cannot build a sovereign European technology stack if the companies building it are structurally incentivised to incorporate in Delaware. You cannot compete with US hyperscalers if your best startups need to leave Europe to raise their Series B. The regulatory frameworks for cloud, AI, and data sovereignty are necessary, but they are not sufficient if the corporate and capital-market infrastructure that enables European technology companies to scale remains fragmented by design. Until Europe solves the “company formation” problem with the same ambition it brings to data regulation, technology sovereignty will remain an aspiration built on a shaky foundation.
The European Digital Identity Wallet: sovereignty for citizens. Sovereignty is not only an enterprise concern. The revised eIDAS regulation requires every EU member state to offer at least one European Digital Identity Wallet by 2026, enabling citizens to prove their identity securely online with government-issued credentials that work across borders. The federated model, where different national systems interoperate through shared standards, embodies the same principle of sovereignty-through-portability that runs through the Data Act and the cloud frameworks. For organisations, the eIDAS wallet will become a building block for customer onboarding, KYC processes, and cross-border service delivery.
Switzerland’s position: pragmatic, distinct, and strategic. Switzerland approaches digital and technology sovereignty differently from the EU, not through grand industrial programmes but through targeted, high-quality investments.
The Swiss Government Cloud (SGC) is the centrepiece: a hybrid multi-cloud infrastructure operated by the Federal Office of Information Technology (FOITT), with a guarantee credit of CHF 246.9 million and total expected project cost of around CHF 319 million over 2025–2032. Its three-tier architecture (Public Cloud for non-sensitive workloads, Public Cloud Switzerland for increased sovereignty requirements with data processing restricted within Swiss borders, and Private Cloud Bund for maximum sovereignty in federal data centres) applies the same risk-based logic to government infrastructure that my sovereignty ladder applies to enterprise workloads. First functionalities are expected in 2026, with productive migration beginning in 2027. Cantons and communes will be able to use the services; the private sector is explicitly excluded.
Beyond infrastructure, Switzerland is positioning itself as a “digital host state”, leveraging its neutrality, strong IP laws, cybersecurity leadership, and the “International Geneva” ecosystem to attract organisations that need sovereign, high-trust digital infrastructure. The Swiss AI Initiative, the Alps supercomputer at CSCS, Zurich’s status as one of Europe’s densest AI talent hubs, and the Unlimitrust Campus near Lausanne for digital trust technologies all contribute to a positioning that is less about building a national hyperscaler and more about creating the conditions for trusted, sovereign digital operations at the intersection of Europe and the world.
The tension, and the opportunity, is that Switzerland sits outside the EU but closely aligns with its standards. This gives Swiss organisations and their clients the benefit of EU adequacy recognition and GDPR-compatible data protection, while retaining the flexibility of a jurisdiction that regulates pragmatically rather than prescriptively. For multinational organisations seeking a trusted, neutral, high-sovereignty base in Europe, this is a compelling combination.
AI Sovereignty: The New Frontier (Preview)
AI sovereignty deserves, and will receive, its own dedicated article. But no discussion of digital sovereignty in 2026 would be complete without acknowledging that AI has fundamentally changed the stakes. This section establishes the key dimensions; the next article in this series will go deeper.
The core asymmetry. The United States holds a commanding share of global AI computing capacity, while Europe’s share is materially smaller. This is not a marginal gap; it is a structural dependency. For every European enterprise deploying a proprietary US-hosted model, there are governance questions that cloud sovereignty alone cannot answer: Where is the training data? Who controls the model weights? Under whose jurisdiction does the inference pipeline operate? Can a foreign government compel access to the model’s outputs or the data it processes? These are procurement decisions that boards are making, or should be making, right now.
Three dimensions of AI sovereignty. For practitioners, AI sovereignty breaks down into three interlocking dimensions.
First, model sovereignty: who built the model, under what licence, and can you inspect, modify, and host it independently? The open-source versus proprietary debate is not just a technical preference; it is a sovereignty decision. Open models like Apertus, which publishes its code, weights, methods, and training-data documentation under an open framework, give organisations a high degree of inspectability and control. Proprietary models from US providers, however powerful, come with opacity and jurisdictional exposure that may be unacceptable for regulated workloads.
Second, data sovereignty for AI: where is the training data sourced, stored, and processed? The EU AI Act’s transparency requirements for general-purpose AI models (training data summaries, copyright compliance) and GDPR Article 48’s restrictions on cross-border data disclosure create a legal framework that effectively penalises opaque, extraterritorial AI supply chains. For Swiss law firms, hospitals, and banks handling client-privileged data, feeding that data into a US-hosted model, even one running in a “European region”, creates CLOUD Act exposure that no contractual clause can fully neutralise.
Third, compute sovereignty: who owns and operates the GPU infrastructure where models are trained and inference runs? Switzerland’s response here has been unusually concrete. The Alps supercomputer at CSCS, powered by over 10,000 NVIDIA Grace Hopper Superchips running on 100% carbon-neutral electricity, provided the compute for Apertus. Phoenix / PHOENIQS hosts Apertus on sovereign Swiss infrastructure, creating what it describes as the country’s first end-to-end sovereign AI stack. Swisscom’s Swiss AI Platform offers an NVIDIA SuperPOD with full data sovereignty across the AI processing chain. VSHN operates as an LLMOps competence centre, deploying and managing LLM workloads on Swiss sovereign clouds with guaranteed data residency and auditability. These are not proofs of concept; they are production platforms serving finance, healthcare, and government.
Europe’s institutional response. At the EU level, the AI Continent Action Plan (April 2025) aims to make Europe a global leader in trustworthy AI, with the AI Factories initiative targeting at least 15 operational factories by 2026, tripling compute capacity on the continent. The InvestAI fund will support five AI gigafactories dedicated to next-generation model development. Mistral’s high-valuation raise in 2025 is held up as proof that European AI companies can reach scale. These are necessary steps, but they remain dwarfed by US investment levels, and the gap in frontier model capability persists.
The intersection is where the complexity lives. The real strategic challenge is not AI sovereignty, cloud sovereignty, or data sovereignty in isolation; it is their intersection. An AI model is only as sovereign as the least sovereign component in its stack: the training data’s jurisdiction, the compute platform’s operator, the inference API’s legal exposure, and the orchestration layer’s portability. For organisations that have spent years building cloud sovereignty foundations, AI sovereignty is the next floor, and you cannot build it without the one below.
The next article in this series will map this intersection in detail: model governance frameworks, sovereign MLOps architectures, the regulatory interplay between the AI Act and data protection regimes, and practical decision frameworks for choosing between open, hosted, and hybrid AI deployment models. For now, the takeaway is this: AI sovereignty is not a future concern. It is a 2026 procurement decision, and organisations that treat it as an afterthought to their cloud strategy will find themselves climbing the sovereignty ladder all over again.
What This Means for Organisations: Practical Takeaways
Theory and regulation are important. But sovereignty ultimately lives or dies in the decisions that IT leaders, architects, and boards make about infrastructure, providers, and governance. This section distils the preceding analysis into a practical framework, consistent with the risk-driven, Pareto-minded approach I outlined in my original article.
Start with four questions. Before evaluating any provider, framework, or architecture pattern, every organisation should be able to answer these clearly.
First: Which digital dependencies worry you most, and have you quantified the risk? Not all dependencies are equal. A dependency on a US-headquartered SaaS provider for email is a different risk profile than a dependency on the same provider for your core banking platform or your AI inference pipeline. Map your dependencies, classify them by criticality and jurisdictional exposure, and use established risk frameworks (NIST SP 800-30, ISO/IEC 27005, FAIR) to quantify expected loss against the cost of mitigating controls. Sovereignty decisions should be driven by risk analysis, not anxiety.
Second: Where is your most critical data processed today, and under whose jurisdiction? This is not just a data-residency question. It is a question about who can subpoena it, who can access it operationally, and what legal regime governs the provider entity itself. The privatim resolution and the CLOUD Act tension have made this a board-level question in Switzerland. If you cannot answer it precisely for your top-ten most sensitive workloads, you have a governance gap.
Third: Where do you consciously accept lock-in, and where would an exit scenario be mandatory? The Data Act now makes cloud switching a legal right in the EU. FINMA and SBA guidelines require documented exit strategies for financial institutions. But exit readiness is not just a compliance checkbox; it is an architectural discipline. Are your workloads running on portable, standards-based patterns (vanilla Kubernetes, open data formats, container images), or are they deeply coupled to proprietary services that would make migration a multi-year project? The answer determines whether you are sovereign or merely hosted.
Fourth: Who internally has the mandate, and the authority, to say “stop” when sovereignty is at risk? Sovereignty is not a technology decision alone. It requires clear organisational accountability: someone who can halt a procurement, challenge a provider selection, or escalate a jurisdictional concern before it becomes a compliance incident. If accountability is diffuse, others will make the decisions for you: providers, business units, or short-term project goals.
The pragmatic architecture, revisited. The sovereignty ladder from my original article remains the right mental model, but the external environment has pushed organisations to apply it more broadly and more urgently. The emerging pattern across Swiss and European enterprises looks like this:
Critical workloads (sensitive client data, regulatory reporting, AI inference on privileged information) run on sovereign platforms under Swiss or EU/EFTA jurisdiction, with tenant-held encryption keys, local-only operational access, and documented exit paths. This is the “vital few” that the Pareto principle tells us to prioritise: the controls that remove the most exposure for the least cost and complexity.
Innovation workloads (development environments, non-sensitive analytics, global collaboration tools) leverage hyperscaler breadth and scale, governed by standard compliance controls, DPAs, and contractual safeguards. These are the workloads where the risk is manageable and the cost of full sovereignty is not justified.
A unified security and governance model spans both tiers: consistent identity management, logging, encryption standards, and incident response, regardless of whether the underlying infrastructure is sovereign or global. This is not a two-track architecture; it is a single governance posture applied across a hybrid estate.
Cost remains the restraint; risk remains the driver. My original article argued that sovereignty is a risk decision first, and that budget should track the risk curve, not the rhetoric. That principle has not changed. What has changed is the definition of “risk.” It now includes geopolitical leverage, operational continuity during international incidents, regulatory enforcement that carries personal liability in Switzerland, and reputational exposure if client data ends up in a foreign jurisdiction’s legal proceedings.
In this expanded risk frame, the sovereignty premium, real but moderate, looks increasingly like insurance. And as the Data Act eliminates egress fees, as Swiss and European providers close the capability gap, and as open-source models reduce dependency on proprietary AI platforms, the cost differential will continue to narrow.
Document what you accept. This is perhaps the most underrated discipline in sovereignty management. Not every workload needs to be at the top of the ladder. But every risk acceptance should be explicit, documented, approved by an accountable person, and reviewed periodically as laws, threats, and budgets evolve. Sovereignty is not a destination; it is a continuous calibration between control and capability, advanced one step at a time as risks justify and budgets allow.
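One way to turn the weakest-link rule and the "document what you accept" discipline into a repeatable check, as an added example that is not from the original article. The 0 to 3 rung scale, the workload and layer names, the approver roles, and the dates are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date

# Assumed rung scale for illustration: 0 = global defaults ... 3 = sovereign
# platform with tenant-held keys and local-only operational access.
@dataclass
class Workload:
    name: str
    layers: dict       # stack layer -> rung actually achieved today
    target_rung: int   # rung the risk analysis says this workload needs

@dataclass
class Acceptance:
    workload: str
    approver: str      # accountable person who signed off the gap
    review_by: date    # date by which the acceptance must be re-examined

def effective_rung(w):
    """Weakest link: a stack is only as sovereign as its lowest layer."""
    layer = min(w.layers, key=w.layers.get)
    return w.layers[layer], layer

def audit(workloads, acceptances, today):
    """List every workload below target with the state of its risk acceptance."""
    register = {a.workload: a for a in acceptances}
    findings = []
    for w in workloads:
        rung, layer = effective_rung(w)
        if rung >= w.target_rung:
            continue                      # no gap, nothing to accept
        acc = register.get(w.name)
        if acc is None:
            status = "UNDOCUMENTED"
        elif not acc.approver.strip():
            status = "NO_APPROVER"
        elif acc.review_by < today:
            status = "REVIEW_OVERDUE"
        else:
            status = "ACCEPTED"
        findings.append((w.name, layer, rung, w.target_rung, status))
    # Largest gap first: start climbing where the exposure is greatest.
    return sorted(findings, key=lambda f: f[2] - f[3])

# Constructed sample inventory and acceptance register.
WORKLOADS = [
    Workload("client-doc-llm", {"training_data": 3, "compute": 3,
                                "inference_api": 1, "orchestration": 2}, 3),
    Workload("core-banking", {"compute": 3, "keys": 3, "operations": 3}, 3),
    Workload("dev-sandbox", {"compute": 0, "keys": 1}, 1),
    Workload("regulatory-reporting", {"compute": 2, "keys": 3, "operations": 2}, 3),
    Workload("hr-analytics", {"compute": 1, "keys": 1}, 2),
]
ACCEPTANCES = [
    Acceptance("dev-sandbox", "CISO", date(2026, 12, 31)),
    Acceptance("regulatory-reporting", "CRO", date(2025, 12, 31)),
    Acceptance("hr-analytics", "", date(2026, 12, 31)),
]

if __name__ == "__main__":
    for row in audit(WORKLOADS, ACCEPTANCES, date(2026, 6, 1)):
        print(row)
```

Anything other than `ACCEPTED` in the output is a gap that exists in the architecture but not in the governance record.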
Looking Ahead
The sovereignty landscape will not simplify in 2026 and 2027. It will deepen. Here are the milestones that should be on every IT leader’s radar.
2 August 2026: The EU AI Act becomes broadly applicable, including the main transparency duties and the compliance framework for most high-risk AI systems. If your AI supply chain is not mapped and your jurisdictional exposure is not documented by then, you are late.
2026–2027: Enhanced cloud-services interoperability requirements under the EU Data Act continue to take effect, further tightening the portability mandate.
12 January 2027: Switching charges, including data-egress charges, are fully removed under the Data Act, a structural blow to lock-in economics and a tailwind for sovereign and multi-cloud architectures.
2 August 2027: High-risk AI rules for systems embedded in already-regulated products (such as medical devices, machinery, toys) enter application.
2026–2027 (ongoing): The Swiss Government Cloud delivers its first functionalities, with productive migration of federal applications beginning in 2027. The CADA initiative works its way through the EU legislative process, potentially reshaping procurement eligibility for cloud providers. EU member states roll out their first European Digital Identity Wallets. And the EUCS cybersecurity certification scheme, politically stalled for years, may finally resolve the sovereignty-tier debate that has divided member states.
Beyond the milestones, the broader trajectory is clear. Sovereignty pressure will intensify, not because of ideology, but because the real-world incidents keep coming, the regulations keep tightening, and the geopolitical environment keeps reminding European organisations that digital dependency is a strategic vulnerability. The organisations that will navigate this best are not the ones chasing full autonomy at any cost. They are the ones making conscious, documented, risk-justified decisions about where they need control and where they accept dependency, and building architectures that allow them to change their minds when circumstances shift.
This article has covered a lot of ground: from the political catalysts that hardened the sovereignty conversation, through the regulatory frameworks now shaping it, to the cloud and digital sovereignty market in 2026, and into the emerging frontier of AI sovereignty. The next article in this series will focus specifically on cloud sovereignty in depth: provider comparisons, architectural patterns, the economics of the sovereignty premium, and exit-readiness frameworks. After that, AI and data sovereignty get their own deep-dive.
As I wrote in my original article, and as this follow-up has tried to demonstrate through every section, sovereignty is not a destination but a discipline. The ladder I proposed last year still stands. It just has more rungs now, extends into new dimensions, and the ground beneath it has shifted. The organisations that will thrive are not the ones standing still, debating whether to climb. They are the ones already moving: deliberately, proportionately, and with their eyes open.
Where is your organisation on the sovereignty ladder today, and where does it need to be by the end of 2026? I would love to hear your perspective. Let’s continue the conversation.
