Swiss Government Agencies Transition to Open Source Cloud Solutions

Open source cloud services in Europe are gaining momentum in Switzerland following a recent directive by Privatim, the Swiss privacy regulator. 

Published in late November 2025, the new guidance mandates agencies at federal, cantonal, and municipal levels to transition away from certain global and US-based cloud services. Open source cloud solutions are emerging as a preferred replacement choice, particularly those that can be hosted locally or by European providers.

Privatim is short for the Swiss Data Protection Commissioners' Conference. It acts as the main point of contact for public administrations on data protection matters and regularly publishes position papers, responses to consultations, press releases, and guides on current issues. Its recent stance on cloud services demonstrates how data protection requirements can drive systematic adoption of open source solutions across an entire country's public sector.

Adopted on 24 November 2025, Privatim’s position concludes that “the use of international SaaS solutions for sensitive personal data or data subject to a legal obligation of secrecy by public bodies is only possible if the data is encrypted by the responsible body itself and the cloud computing service provider does not have access to the key.” 

The directive applies to all Swiss public bodies under data protection authority supervision, including federal, cantonal, and municipal agencies. According to Dr. Iur. Dominika Blonski, Vice-President of Privatim and Director of the Data Protection Office for the Canton of Zurich, it "establishes a definitive legal standard for what constitutes compliant outsourcing of sensitive public data across the entire country."

The timeline creates immediate compliance urgency: new contracts or renewals must meet the requirements from the outset, while existing non-compliant services require a rapid transition process. 

The guidance aligns with current Swiss data protection law, which itself follows EU GDPR standards. 

In response to these requirements, European and open source cloud solutions are emerging as a preferred choice for Swiss authorities.

"Open source software, particularly when self-hosted or hosted by a local provider, offers far greater transparency (inspectable code) and allows the public body to retain effective control over the software and data," explains Dr. Iur. Blonski. 

Solutions that can be hosted locally or on-premise are particularly favoured under the new standards. Various cloud service providers are already available at the European level and are capable of providing their products and services to Swiss public administration bodies. The resolution promotes procurement policies that favour the Swiss and European cloud market, while open source solutions offer agencies the added benefit of direct control through self-hosting capabilities.

While the directive establishes clear requirements, Swiss authorities could face technical and operational challenges during the transition, particularly due to lock-in situations involving proprietary software providers. According to Dr. Iur. Blonski, “moving vast amounts of existing data (emails, files, calendars) from deeply entrenched ecosystems to new platforms is complex and requires specialised support by the data protection authorities.”

However, Privatim aims to provide reassurance by clarifying that each cantonal office is able to provide consultation and support to public administrations to help with the transition process.

Privatim's position is a major catalyst for the adoption of open source technology across Switzerland's public sector. Following the resolution, Swiss agencies are now required to actively evaluate new cloud alternatives. This creates positive momentum for European and open source cloud services, as demand for local and self-hosted solutions is expected to increase as a result of the resolution. 

Far from being an isolated case, Switzerland's resolution reflects principles developed across Europe in response to shared data protection concerns. The German Conference of Data Protection Authorities (Datenschutzkonferenz, DSK) and the French data protection authority (Commission Nationale de l'Informatique et des Libertés, CNIL) have raised similar concerns about digital sovereignty and foreign access to data. While Privatim is a purely Swiss body, Dr. Blonski notes that "its resolution is a direct implementation of the principles developed across Europe, shown for example by the aligning views of the DSK and the CNIL."