Why “Buy European” Isn’t Enough: What Switzerland Should Actually Do About Digital Sovereignty

When the EU published its Cloud Sovereignty Framework and awarded EUR 180 million in cloud contracts to four European providers in April 2026, it looked like a clear win for digital sovereignty. But at the Swiss Software Festival 2026 in Basel, UCL economist Cecilia Rikap offered a sharper analysis: geographic sovereignty is necessary but insufficient. The deeper problem is what she calls epistemic capture. “Epistemic” means relating to knowledge and how we define categories. The idea is simple: the fox helped design the henhouse. Hyperscalers shape the rules, definitions, and categories of the sovereignty game even when they appear to lose.
I spoke at the same event about Switzerland’s engineering advantage in the AI era, and I want to connect Rikap’s academic argument to what I see every day operating infrastructure for regulated Swiss organizations: the gap between sovereignty as policy and sovereignty as engineering practice.

The sovereignty framework worked. Sort of.
The EU’s SEAL framework scored providers on eight dimensions. Three pure-European providers achieved SEAL-3. Proximus, whose consortium included Google Cloud (via the S3NS joint venture with Thales), scored only SEAL-2. The framework correctly penalized hyperscaler involvement. We analyzed the framework and scored VSHN against it, a useful exercise for any provider serious about sovereignty.
What matters most about this framework is not the scores themselves. It is that sovereignty is no longer a binary, emotional debate (“are we sovereign or not?”). It is now measurable across eight dimensions that you can discuss, plan, and prioritize. That changes the conversation from ideology to engineering.
But Rikap’s point is that Microsoft, Google, and Amazon were ready for this framework before it was published. They had already structured joint ventures, local subsidiaries, and partnership models designed to score well on sovereignty assessments. The framework didn’t catch them off guard. They helped shape the environment in which it was written.
This is epistemic capture: when the entities being regulated influence the categories, definitions, and priorities of the regulation itself. The result is sovereignty frameworks that address the symptoms (data location, legal jurisdiction) without touching the root cause (control over the technology stack and its development trajectory).
What epistemic capture looks like in practice
Google, Amazon, and Microsoft collectively control roughly 65% of the global cloud market, plus the undersea cables connecting it. Rikap described AI as a “Trojan horse”: organizations adopt AI services that run on hyperscaler infrastructure, creating dependencies that go deeper than where data is stored:
- Black-box models: you use the API without access to the model weights, training data, or architecture decisions. Your AI strategy depends on a vendor you cannot audit.
- Ecosystem lock-in: once your data pipeline, ML training, and inference run on a hyperscaler’s stack, switching means rebuilding, not just migrating.
- Data gravity: AI models need data, data attracts services, services attract more data. This self-reinforcing loop makes AI one of the biggest centralizing forces our industry has seen. The data is already there, the ecosystem of tools is already there, and every new integration makes the next one harder to place elsewhere.
- Standards capture: hyperscalers fund and staff the standards bodies that define cloud-native computing. The “neutral” standards often embed assumptions that favor their architectures.
A European company running Mistral AI on Azure is not sovereign just because Mistral is French. The AI model sits inside an ecosystem controlled by Microsoft, subject to US law, dependent on Nvidia hardware supply chains.
“Buy European” and “buy Swiss” miss the point
Rikap explicitly warned against replacing US Big Tech with European Big Tech. SAP, Siemens, and Mistral being European does not make them sovereign alternatives in any meaningful sense. They operate the same business models (platform dominance, proprietary lock-in, rent extraction) just with a different flag.
The same logic applies to “buy Swiss.” Switzerland has genuine structural advantages for sovereignty (more on that below), but a Swiss flag on the invoice is not sovereignty. A Swiss company reselling Azure with a local support contract does not give you operational independence. A Swiss SaaS vendor running on AWS eu-central-1 does not protect you from the CLOUD Act. The question is not where the vendor is headquartered. It is whether you can replace the vendor without replacing the technology.
China’s approach (state-orchestrated AI industrialization) is also not a model. As Rikap noted, it “reproduces the logics of US-led predatory ecosystems without challenging them.” Techno-nationalism is not sovereignty, whether the nation is the US, China, or Switzerland.
What actual sovereignty requires
If geographic origin and national champions are insufficient, what does genuine sovereignty look like? Based on Rikap’s analysis and what I see operating production infrastructure for Swiss banks, healthcare providers, and government agencies, three conditions matter:
1. Open-source foundations
Open source is the only technology model where you can verify what the software does, modify it to your needs, and switch operators without rebuilding. The Linux Foundation’s 2025 survey found 83% of companies see open source as valuable for their future. Thomas Wüst (ti&m CEO), also speaking at SSF 2026, described how ti&m migrated their own corporate systems to an open-source stack after seeing vendor lock-in costs escalate.

This is not idealism. It is risk management. When HashiCorp changed Terraform’s license and sold to IBM, the community forked OpenTofu under the Linux Foundation within months. When Atlassian forced Jira customers from Server to Data Center to Cloud, Wüst shared that ti&m saw their license costs rise roughly 900% between 2023 and 2027. Open source makes these forced migrations structurally impossible.
The EU and Switzerland are both moving toward open source as state policy. The Swiss Ständerat accepted a motion for a digital sovereignty impulse program in June 2026. Switzerland already has EMBAG, a federal law in force since 2024, requiring the government to open-source all custom software development unless there is a specific reason not to. The EU’s open-source strategy positions open source as central to technological sovereignty. These are not niche positions. They are emerging consensus.
2. Operational control, not just data location
The EU framework gets this partially right with its “Operational Sovereignty” dimension (SOV-4). But the common market interpretation is “European staff operating in European data centers.” That misses the point.
Operational control means: can you replace the operator without replacing the technology? If your managed Kubernetes runs on Red Hat OpenShift or upstream Kubernetes with documented APIs, you can switch operators. If it runs on Amazon EKS, Azure AKS, or Google GKE, you are using a proprietary control plane with cloud-specific integrations that do not transfer. The Kubernetes API is portable. The managed wrappers around it are not.
This is not a theoretical concern. If you are under FINMA regulation, you must document a process to exit any provider within 12 months, or you are not compliant. Portability is not optional for regulated Swiss organizations. It is a legal requirement.
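The portability question above can be checked against the manifests you already run. The following is an added example, not code from VSHN or from the talk: it flags the points where otherwise portable Kubernetes objects depend on one managed provider's identity, load-balancer, or storage integration. The function name `audit`, the marker list, and the sample manifests are assumptions constructed for illustration.

```python
import json

# Markers of provider-specific coupling in otherwise portable Kubernetes objects.
# Real EKS/AKS/GKE identifiers; a starting list for this example, not exhaustive.
ANNOTATION_PREFIXES = {
    "eks.amazonaws.com/": "AWS EKS",
    "service.beta.kubernetes.io/aws-": "AWS EKS",
    "azure.workload.identity/": "Azure AKS",
    "service.beta.kubernetes.io/azure-": "Azure AKS",
    "iam.gke.io/": "Google GKE",
    "cloud.google.com/": "Google GKE",
}
PROVISIONERS = {
    "ebs.csi.aws.com": "AWS EKS",
    "disk.csi.azure.com": "Azure AKS",
    "pd.csi.storage.gke.io": "Google GKE",
}

def audit(objects):
    """Return sorted (kind/name, provider, marker) findings for a list of manifests."""
    findings = set()
    for obj in objects:
        ident = f"{obj.get('kind', '?')}/{obj.get('metadata', {}).get('name', '?')}"
        # Annotations live on the object and, for workloads, on the pod template.
        metas = [obj.get("metadata", {}),
                 obj.get("spec", {}).get("template", {}).get("metadata", {})]
        for meta in metas:
            for key in (meta.get("annotations") or {}):
                for prefix, provider in ANNOTATION_PREFIXES.items():
                    if key.startswith(prefix):
                        findings.add((ident, provider, key))
        if obj.get("kind") == "StorageClass" and obj.get("provisioner") in PROVISIONERS:
            findings.add((ident, PROVISIONERS[obj["provisioner"]], obj["provisioner"]))
    return sorted(findings)

# Constructed sample input, in the shape of `kubectl get ... -o json` items.
SAMPLE = json.loads("""[
 {"kind": "ServiceAccount", "metadata": {"name": "billing", "annotations":
   {"eks.amazonaws.com/role-arn": "arn:aws:iam::000000000000:role/example"}}},
 {"kind": "StorageClass", "metadata": {"name": "fast"}, "provisioner": "ebs.csi.aws.com"},
 {"kind": "Service", "metadata": {"name": "api", "annotations":
   {"service.beta.kubernetes.io/aws-load-balancer-type": "nlb"}}, "spec": {"type": "LoadBalancer"}},
 {"kind": "Deployment", "metadata": {"name": "web"}, "spec": {"template":
   {"metadata": {"annotations": {"prometheus.io/scrape": "true"}}}}}
]""")

if __name__ == "__main__":
    for ident, provider, marker in audit(SAMPLE):
        print(f"{ident}: tied to {provider} via {marker}")
```

Each finding is a line item for an exit plan: the workload itself moves with the Kubernetes API, while the flagged identity binding, load balancer, or storage class has to be rebuilt on the target platform.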
This is what I mean by “who controls the runtime,” the question I built my SSF keynote around. AI is making code generation nearly free. The marginal cost of writing software is collapsing. But the complexity shifted: it moved to architecture, platforms, and security. The layer that decides your independence is no longer the application code. It is the platform underneath it.
Switzerland has a structural advantage here. The combination of regulated industries (which demand hybrid architectures), open-source fluency, and trusted regional cloud providers (Cloudscale, Exoscale) creates a practical multi-cloud ecosystem where operational portability is the default, not the exception. We have been building this kind of infrastructure at VSHN since 2014, not because sovereignty was fashionable, but because our customers in banking, healthcare, and government required it.
3. Governance over geography
Rikap’s strongest argument: sovereignty is a question of governance and democratic accountability, not territory or nationality. Who decides the technology roadmap? Who has access to the data? What recourse do users have when the platform changes?
For organizations evaluating cloud providers, this translates into concrete questions:
- Is the provider’s source code auditable?
- Can you run the same stack with a different operator?
- What happens to your data and operations if the provider is acquired?
- Are pricing and terms governed by a stable legal framework (Swiss law, EU law) or by a vendor’s quarterly earnings pressure?
Swiss law provides strong answers to several of these: no CLOUD Act, EU adequacy decision for data protection, stable commercial law. But Swiss law alone is not enough if the technology stack underneath is controlled by a US corporation. Governance requires both legal and technical independence.
The Swiss opportunity, and the Swiss gap
Switzerland is well positioned, but position is not the same as action. At SSF 2026, the recurring theme across all keynotes was that Swiss IT understands sovereignty but has not scaled sovereign alternatives fast enough.
The numbers tell the story. Over 70% of Swiss companies invest less than 5% of their IT budget in AI (ti&m/HSLU AI Maturity Study 2026). Meanwhile, Penny Schiffer from UBS shared that the bank already has over 300 AI use cases live in production and appointed its first Chief AI Officer. The gap between leaders and the majority is widening, and with it the risk that the majority becomes dependent on hyperscaler AI services by default rather than by choice.

The practical next step is not to wait for regulation or national champions. It is to build on what already exists: open-source software, Swiss-operated infrastructure, and engineering teams with the judgment to design platforms that no single vendor controls.
Switzerland has been building precision machinery for centuries. The next machine to build is the sovereign platform: open-source, multi-cloud, operationally portable, and governed by Swiss law. The components exist. The engineering talent exists. What is missing is the decision to assemble them.
The question is not which cloud you choose. It is whether your architecture gives you that choice tomorrow. If you are a dependent, you have to ask permission. If you are sovereign, you can ship.
VSHN has operated open-source infrastructure for regulated Swiss organizations since 2014. We are Switzerland’s first CNCF Kubernetes Certified Service Provider, a Red Hat Premier Partner, and a Linux Foundation Silver Member. Our managed services run on Swiss cloud providers with Swiss law, open-source foundations, and no hyperscaler dependency.