Yesterday at Cloud Native Zürich 2026, we had the chance to moderate a panel discussion in the Sovereignty Track titled “Digital Sovereignty – Perspectives from the Ecosystem.” Five panelists, five very different angles on the same topic – and a room full of people who were interested in Digital Sovereignty.

Setting the scene

The panel didn’t happen in isolation. It came at the end of a morning packed with sovereignty content: David Sterz opened the track making the case that Europe’s cloud future should be distributed by design rather than mirroring the centralized hyperscaler model. Our own Tobias Brunner followed with a talk that connected Swiss sausages (“Cervelat”) to sovereignty – and made a convincing case for why “it’s all open source anyway” is not the same as sovereignty. Pascal Stöckli then introduced Zentrum SDS, the new “Souveräne Digitale Schweiz” initiative bringing together 32 founding organizations from federal authorities, cantons, and Swiss IT companies.

By the time the panel started, the room had already heard that digital sovereignty is distributed, political, operational, and – apparently – has something to do with Cervelat. The panel’s job was to pull these threads together from the perspective of the people actually building, running, and governing this ecosystem.

Five seats, five perspectives

We deliberately put together a panel that covered the ecosystem end to end:

• Lena Fuhrimann (bespinian) – the implementation partner’s perspective, working directly with organizations migrating to cloud native technologies and helping them balance innovation, agility, and control.
• Roman Bachmann (Switch) – the cloud provider’s perspective. Switch operates digital infrastructure for Swiss universities and research institutions and is itself owned by the institutions it serves – sovereignty by design, in a sense.
• Tobias Brunner (VSHN) – the managed service provider’s perspective, on what it actually takes to make digital sovereignty operational: running production systems around the clock, not just writing about it.
• Simon Reber (Red Hat) – the software vendor’s perspective, on how open source contributes to flexibility, interoperability, and sovereignty – and where the limits of that argument are.
• David Sommer (Digitale Gesellschaft) – the civil society perspective, broadening the conversation from technology toward democratic rights, political will, and a digital society that works for everyone.
• Markus Speth (VSHN) – moderator

What we explored

Before diving into the discussion, we asked the audience a simple question: how many of you have used the term “digital sovereignty” in the past six months? Not surprisingly, almost every hand went up.

From there, we asked each panelist for their own definition – and got five genuinely different answers, ranging from technical and operational framings to questions of control, resilience, and democratic values. No single definition won, which was rather the point.

The discussion then moved into more concrete territory: how sovereignty shows up in day-to-day project work working with customers, what it means for a cloud provider to be “sovereign by design”, what it takes to run sovereign infrastructure in production 24/7 rather than on a slide, whether open source is sufficient on its own or just one part of the equation, and where the real blockers sit – in technology, in budgets, or in how organizations make decisions.

We also didn’t shy away from some of the harder numbers floating around this debate: the gap between what European IT leaders say they want to spend on local cloud alternatives and what they actually spend, and the sheer scale difference between hyperscaler investment and the European alternatives currently on the table.

A few things that stuck with us

Reflecting on the discussion afterwards, a few themes stood out:

Digital sovereignty is not a binary state. There’s no certificate that flips an organization from “not sovereign” to “sovereign” – it’s a spectrum across multiple dimensions, and frameworks like the EU Cloud Framework are starting to emerge specifically to measure that.

It’s also about more than where data physically lives. Control, portability, transparency, skills, governance, and legal jurisdiction all play a role – often a bigger one than location alone.

Complete sovereignty, in the sense of controlling everything end to end, is neither realistic nor desirable. Trace any dependency chain far enough and you eventually hit hardware, raw materials, and global supply chains that no single organization – or country – fully controls. The more useful goal is understanding your dependencies and making conscious choices about them.

And perhaps most importantly: sovereignty isn’t something any single company, vendor, or government can solve alone. It needs the whole ecosystem – providers, vendors, open source communities, public institutions, and civil society – all working together.

Which brings us back to a question we asked at the start: is “sovereignty” even the right word? Maybe what most organizations are really after is resilience, autonomy, or freedom of choice, or simply the ability to make their own decisions without having to ask someone else for permission first.

One phrase from our preparation for this panel stayed with us: “sovereignty is a bridge, not a bunker”. The goal isn’t isolation – it’s the freedom to choose your own path while staying connected to a broader ecosystem.

Unfortunately, our time on stage ran out far too quickly. There were so many more angles we could have explored – and judging by the energy in the room, the audience felt the same way.

We’re already thinking about a follow-up session to dig deeper into some of these threads.

Watch the full discussion

The recording of the full panel discussion will be published soon – we’ll share the link as soon as it’s available, so you can hear all five perspectives directly from the panelists themselves.

A big thank you to Lena, Roman, Tobias, Simon, and David for a genuinely thoughtful discussion.

Thanks to the organizers of Cloud Native Zürich

A big thank you to the organizers for putting together another great edition of Cloud Native Zürich. We were happy to be involved as sponsors again – VSHN as a Silver Sponsor, and Servala sponsoring the Sovereignty Track at Cloud Native Zürich 2026.

As part of the track, our colleague Tobias Brunner also held a talk on Servala earlier in the day – we’ll be publishing that recording soon as well, so stay tuned.

If you’re curious about what Servala is and how sovereign, multi-provider managed services on Kubernetes can look in practice – check out Servala – Sovereign App Store, and feel free to get in touch if you’d like to become part of our growing ecosystem.

Also check out our full Cloud Native Zürich 2026 Recap.

On May 5, 2026, everyone in Switzerland with a stake in digital administration, infrastructure, and sovereignty gathered in Bern. TRANSFORM 2026 brought together experts from politics, public administration, business, and academia at the Bern City Hall – under the theme “Digital Public Infrastructure”.

One thing became very clear: digital sovereignty is no longer an abstract concept. It is becoming real.

From vision to implementation

Over the past years, discussions have often focused on strategies and high-level visions. In Bern, the focus clearly shifted towards implementation. Topics such as e-ID, electronic health records, and mobility data infrastructures show that key building blocks of digital public infrastructure are slowly but visibly taking shape.

At the same time, the core challenge remains: how can federal structures, diverse stakeholders, and existing systems be brought together to create scalable and functional platforms?

Digital public infrastructure as the foundation

A central topic was the role of Digital Public Infrastructure (DPI). These are foundational digital building blocks upon which services can be built – comparable to roads or power grids in the physical world.

This includes identity solutions, data infrastructures, and trust mechanisms. The key question is not just technology, but also governance, openness, and long-term control.

Open source as the anchor of sovereignty

One of the most impactful talks came from Dirk Schrödter.

His key message: digital sovereignty is primarily a technological issue today. It determines whether states can act independently in the digital space – and is therefore a prerequisite for political and economic autonomy.

It also became clear that “Buy European” alone is not enough. Replacing one proprietary dependency with another does not solve the underlying problem.

The real difference lies in openness: open source reduces technological dependencies – and therefore economic ones as well. It creates transparency, control, and long-term independence.

Beyond that, open source was framed as a growth driver: knowledge becomes shareable, innovation accelerates, and collaboration across organizational boundaries becomes possible.

Equally important is the cultural dimension: open source requires a real shift in mindset. Moving away from closed systems and silos towards openness, sharing, transparency, and collaboration. Organizations that embrace this shift build not only better technology, but also more resilient and sustainable structures.

The impact is measurable: a European Commission study (2021) shows that a 10% increase in open source investment could boost EU GDP by 0.4-0.6% and lead to more than 600 additional ICT startups.

And these effects are already visible in practice: Schleswig-Holstein alone saved around EUR 15 million in licensing costs in 2025 – funds that are being reinvested into open source, regional expertise, resilience, and innovation.

Another key takeaway: success requires more than technology – including Open Source Program Offices, strong networks, and active ecosystem development.

Ecosystems over isolated solutions

Another strong theme throughout the event: complex digital challenges cannot be solved in isolation.

It is no longer about individual tools or platforms, but about building functioning ecosystems – connecting public administration, private sector, and communities in a meaningful way.

Digital sovereignty is not only a result of technology choices, but also of how collaboration and marketplaces are structured. This is exactly where platforms like Servala come in – as a sovereign app store connecting providers, technologies, and organizations in an open ecosystem, enabling real choice.

What this means for VSHN

For us at VSHN, TRANSFORM 2026 confirms much of what we have been working on for years.

We build on open source, open standards, and cloud-native platforms. With solutions like APPUiO – Expert Hosting, Servala – Sovereign App Store and Codey – European Code Collaboration, we aim to make digital sovereignty practical while enabling strong ecosystems.

We also actively contribute to open source: projects like k8up (a Kubernetes backup operator for automated backup and restore processes, now a CNCF Sandbox Project), Project Syn (tooling for managing large-scale Kubernetes cluster fleets using GitOps and centralized configuration), and most recently Espejote (a Kubernetes operator for managing arbitrary resources in-cluster, combining GitOps principles and leveraging Server-Side Apply and Jsonnet).

Because in the end, digital sovereignty is not achieved through isolation, but through strong, open, and well-connected systems.

Conclusion

TRANSFORM 2026 showed that Switzerland is moving in the right direction. Maybe not as fast as some would hope – but with a clear trajectory.

Digital sovereignty is becoming tangible – and open source plays a central role.

Now it is time to turn these insights into action.

On April 28, 2026, the Zentrum SDS – Souveräne Digitale Schweiz officially launched its activities – and we at VSHN are very happy to be part of the founding members.

Together with 30 other organizations from government, business, and academia, we are sending a clear signal: digital sovereignty in Switzerland is no longer an abstract concept – it is actively being shaped. Participants include institutions such as Kommando Cyber, the Canton of Solothurn, the Office for IT and Organization of the Canton of Bern, the Statistical Office of the Canton of Basel-Stadt, Organization and Informatics (OIZ) of the City of Zurich, the SWITCH foundation, as well as many leading Swiss IT companies.

The announcement can also be read on netzwoche and Inside-IT.

Why the Zentrum SDS matters

Digital sovereignty means maintaining control over data, technologies, and digital infrastructure – and consciously deciding which dependencies to accept. This is exactly where the Zentrum SDS comes in: it brings together key stakeholders to jointly develop solutions, define standards, and drive concrete alternatives forward.

In the coming months, members will collaborate across four key areas:

• Financing and procurement of Open Source technologies
• Sovereign workplace solutions such as openDesk
• Swiss cloud offerings
• Open Source-based AI platforms

The initiative was launched by the Institut Public Sector Transformation at the Berner Fachhochschule. Thanks to the contributions of its members, the collaboration can be structured effectively and developed sustainably over time.

Open Source as a key to sovereignty

A central pillar is the use of Open Source technologies. They enable transparency, control, and independence – exactly the qualities required for a sovereign digital infrastructure.

The growing international importance of this topic is reflected in the close collaboration with Germany. There is active exchange with the Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDis), which is involved in the development of openDesk.

A highlight in this context is the TRANSFORM conference 2026 on May 5, 2026 in Bern. There, Dirk Schrödter will demonstrate how Open Source concretely contributes to digital sovereignty. The program is complemented by international perspectives on Digital Public Goods and insights into the role of the state in digital infrastructure.

Servala – Sovereign App Store as a cloud-agnostic marketplace

With Servala, we at VSHN are taking this idea one step further. Servala connects providers, partners, and enterprises through a cloud-agnostic marketplace, making sovereign, standardized services easy to consume. Instead of locking into a single cloud provider early on, Servala enables real choice – based on open standards and interoperable services.

In the context of the Zentrum SDS, we see strong potential here: a shared ecosystem where services are available across different providers strengthens not only sovereignty, but also innovation and collaboration across the entire market.

Our perspective at VSHN

For us, participating in the Zentrum SDS is a natural next step. For years, we have been building on Open Source, open standards, and collaborative ecosystems – whether operating Kubernetes platforms, developing platforms like APPUiO, or driving initiatives like Servala.

Digital sovereignty does not emerge through isolation, but through collaboration on equal footing. This is exactly what the Zentrum SDS enables: a shared foundation on which innovation, security, and independence can grow together.

See also: EUR 180 Million for Sovereign Cloud: What the EU’s First Sovereignty-Scored Procurement Means for Swiss Organisations.

We look forward to actively shaping this journey.

On April 17, 2026, the European Commission awarded EUR 180 million in cloud contracts to four European providers – Post Telecom Luxembourg, STACKIT, Scaleway, and Proximus. For the first time, providers were scored on sovereignty using a formal framework with eight measurable dimensions. Hyperscaler involvement cost one consortium a lower score. Here is what this means for Swiss organizations choosing cloud providers.

The EU now scores sovereignty

The Commission’s Cloud Sovereignty Framework (v1.2.1, October 2025) defines eight Sovereignty Objectives and five assurance levels (SEAL-0 to SEAL-4). Providers bidding for these contracts were evaluated on:

• Strategic sovereignty – EU ownership and anchoring, resilience against foreign interference
• Legal & jurisdictional sovereignty – insulation from extraterritorial laws such as the US CLOUD Act
• Data & AI sovereignty – where data is stored, who holds encryption keys, independence of AI services
• Operational sovereignty – can EU-based teams operate the service independently?
• Supply chain sovereignty – geographic origin of components and sub-suppliers (highest weight: 20%)
• Technology sovereignty – open source, open standards, no proprietary lock-in
• Security & compliance sovereignty – certifications, independent patching, EU-based SOC
• Environmental sustainability – energy efficiency, renewable energy, carbon disclosure

Each objective carries a defined weight. Supply chain sovereignty is the highest at 20%, followed by strategic, operational, and technology sovereignty at 15% each.

What the results tell us

Three of the four winners achieved SEAL-3 (“Digital Resilience”), meaning EU actors exercise meaningful control with only marginal non-EU influence:

The Proximus consortium – which includes S3NS, a joint venture between Thales and Google Cloud – achieved only SEAL-2 (“Data Sovereignty”), where EU law is enforceable but material non-EU dependencies remain.

The message is clear: involving a US hyperscaler – even through a European joint venture with a defense contractor – measurably reduces your sovereignty score. The framework does not ban hyperscaler partnerships, but it scores them lower.

Why Swiss organizations should pay attention

Although this procurement targets EU institutions, the framework will cascade:

• EU member states will adopt similar criteria for national cloud procurement, following France’s “Cloud de Confiance” and Germany’s “Souveräner Cloud” strategies that the framework explicitly references.
• Regulated industries (banking, insurance, healthcare) already face FINMA, DORA, and NIS2 requirements that overlap with these sovereignty objectives – particularly legal jurisdiction, data sovereignty, and security compliance.
• Swiss public sector procurement increasingly references EU standards. Organizations evaluating cloud providers now have a structured vocabulary to compare sovereignty claims instead of relying on marketing.

Eight dimensions, not just “data stays in Switzerland.”

Most sovereignty marketing stops at data residency. The EU framework goes much further – and so should your evaluation criteria:

Where VSHN stands: self-assessment against the framework

We applied the EU’s eight sovereignty objectives to our own services. This is a self-assessment – VSHN has not been formally scored by the European Commission – but we believe transparency is more useful than vague claims. The full assessment with references is available on request.

Overall: SEAL-3 equivalent – the same level achieved by the three strongest providers in the EU’s own tender. No provider achieved SEAL-4.

Why not SEAL-4?

SEAL-4 (“Full Sovereignty”) requires complete EU/EEA control with no non-EU dependencies. No provider achieved it – not even in the EU’s own EUR 180M procurement. The gaps are structural, not provider-specific:

• Switzerland is not an EU/EEA member but participates in the single market through bilateral agreements, is Schengen-associated, and has an EU adequacy decision for data protection. The gap is formal, not substantive.
• Hardware supply chains are global: semiconductors, networking equipment, and storage are manufactured in Asia and the US. This applies to every cloud provider, including the SEAL-3 winners.
• Open-source foundations are US-based: the Linux Foundation, CNCF, and the Apache Foundation are US entities. Open-source licensing mitigates this (code is forkable and auditable), but strict SEAL-4 interpretation could flag it.

VSHN operates at the practical maximum. The remaining gaps in SEAL-4 are shared by every cloud provider worldwide.

Sovereignty is a bridge, not a bunker

It’s tempting to frame sovereignty as a defensive exercise — protecting data, avoiding foreign law, ticking compliance boxes. But that misses the point.

As Stefan van Oirschot argues, infrastructure should be a bridge that enables agility, not a bunker that constrains it. The distinction matters: organizations on proprietary platforms ask their vendor for permission to innovate. Organizations on sovereign, open-source platforms grant themselves permission.

The invisible taxes of lock-in: Proprietary platforms carry two hidden costs that don’t appear on invoices. First, implementation debt: migrating working solutions to a vendor’s proprietary framework burns capital and frustrates engineering talent. Second, compliance reset: regulations like DORA and NIS2 increasingly require credible exit strategies. An infrastructure that can’t be migrated creates audit risk — what van Oirschot calls “regulatory deadlock.”

The sovereignty dividend: Open-source infrastructure — Linux, Kubernetes, PostgreSQL, OpenBao, Crossplane — transfers ownership from vendors to the organizations using it. Vendors become partners, not landlords. When your infrastructure is built on standards rather than rented land, you can change providers, add clouds, or adopt new technology without rebuilding from scratch.

AI readiness requires sovereign infrastructure: The next wave of enterprise technology, agentic AI, RAG pipelines, and private LLM inference demands infrastructure that you control. Running AI workloads on a platform where a foreign vendor holds the keys to your data, your models, and your compute is the opposite of self-determination. Sovereign infrastructure is the prerequisite for sovereign AI. This is why VSHN operates managed LLM inference on customers’ infrastructure, so that organizations deploying AI keep control of their data and their models.

The EU framework scores eight technical dimensions. But the strategic question is simpler: does your infrastructure let you move faster, or does it slow you down?

The bottom line

The EU Cloud Sovereignty Framework confirms what VSHN has built over the past decade: sovereign cloud operations are not just about where data is stored. They require European ownership, independent operational capability, open-source technology, transparent supply chains, and jurisdictional insulation from foreign law.

Sovereignty is not a cost center; it is the foundation for agility, compliance, and AI readiness. Organizations that treat it as a checkbox will find themselves asking their vendor for permission. Organizations that build on sovereign infrastructure will already be shipping.

For Swiss organizations evaluating cloud providers, the question is no longer “Do you host in Switzerland?” but “How do you score across all eight sovereignty dimensions, and does your infrastructure enable or constrain your next move?”

For product-specific sovereignty assessments, see GitLab, Keycloak, OpenShift, OpenBao, and our full service catalog.

Sources:

• Commission awards EUR 180 million tender for sovereign cloud to four European providers – European Commission, April 17, 2026
• Cloud Sovereignty Framework v1.2.1 – European Commission, October 2025
• EU Cloud Sovereignty Framework analysis – Sovereign Cloud Stack
• Stefan van Oirschot: Is your infrastructure a bunker or a bridge?

In recent months, the word sovereignty has appeared everywhere in the tech world. From ‘sovereign clouds’ to ‘sovereign AI’, every vendor seems to offer something that sounds compliant, secure, and independent. But as with greenwashing or AI washing, we’re starting to see a new phenomenon emerge – sovereignty washing.

What is Sovereignty Washing?

Sovereignty washing happens when companies market their products as sovereign without truly giving users control, autonomy, or independence.
Often, this means a provider hosts data in a local data center, adds a ‘.eu’ to their cloud name, and declares victory. But real digital sovereignty is much more than a ZIP code.

Sovereignty Is Not Just About Data Location

Yes, where your data resides matters. But even more important is who controls the infrastructure, software stack, and decision-making.

If the control plane, billing systems, or support teams still depend on a non-European parent company, then even a ‘local’ cloud can be forced to comply with foreign jurisdiction – whether through the CLOUD Act, extraterritorial export rules, or simply commercial lock-in.

In other words – sovereignty means the ability to make your own decisions, not just store your data in your preferred country or location.

Lessons from Industry – The Nexperia and Microsoft Cases

The recent story around Nexperia, a Dutch chipmaker owned by a Chinese company, and the German automotive industry’s current dependency on critical semiconductor supply already leading to short-time work and production stoppages, shows how strategic autonomy isn’t just a political slogan – it’s a business necessity.

When an entire sector relies on a single supplier, it loses bargaining power, flexibility, and resilience. The same applies to software and cloud platforms:
If your critical systems only run on one hyperscaler, you are not sovereign – no matter how many ‘sovereign’ labels appear on your dashboard.

A recent case involving Microsoft underlines this risk on a global scale. The company blocked access to Outlook email accounts of employees at the International Criminal Court in The Hague, following U.S. sanctions compliance rules. The decision, reported by Heise Online, serves as a wake-up call for digital sovereignty in Europe – showing that control over essential communication infrastructure can be limited by non-European legal frameworks.

How to Spot Sovereignty Washing

So how can you tell if a vendor’s sovereignty claim holds up? Here are some questions worth asking:

• Control: Who operates the platform and has access to the control plane?
• Legal independence: Is the provider fully governed under EU or Swiss law, or are there foreign parent companies involved?
• Open standards: Can I move my workloads to another provider without rewriting everything?
• Transparency: Is the software stack open source or verifiable, or locked behind proprietary APIs?
• Interoperability: Does the solution integrate with other vendors and clouds, or create another walled garden?

If the answer to most of these questions is ‘no’, chances are you’re looking at sovereignty washing.

Recent analyses like DNIP Briefing #48 – Dokumentierte Überwachung describe this problem vividly. The section “Cloud ohne Souveränität” points out how cloud providers without full jurisdictional control expose users to surveillance and dependency risks – demonstrating that technical sovereignty is meaningless without legal and operational sovereignty to match.

Why True Sovereignty Matters

For governments, public institutions, and regulated industries, true digital sovereignty is about long-term independence, not short-term convenience.
It ensures continuity, resilience, and the freedom to innovate without being tied to one vendor’s roadmap.

At VSHN, we see sovereignty not as isolation, but as collaboration across open ecosystems – where European cloud providers, software vendors, and enterprises work together on open standards and interoperable solutions.

That’s the vision behind Servala – the Sovereign App Store, connecting vendors and providers and ensuring services can run on any cloud or on-premise, without lock-in.

Because real sovereignty means – choice, transparency, and trust.

📬 Curious to see how sovereignty works in practice?
Join us at the Servala Ecosystem Day on December 1st in Zurich and help shape the future of open, sovereign cloud services.

📖 Want to dive deeper?
Check out the Sovereignty Washing White Paper by ZenDis for deeper insights into what makes true sovereignty.