There is no need for the SBB (Swiss national railway) to use Cloudflare or AWS when the same can be provided by a local provider that also has the ability to deal with large DDoS attacks and cap off the outside when it comes down to the wire. It is more important for someone in Switzerland to be able to purchase a ticket than someone planning a trip from abroad.
> a de facto ban on the use of these services as comprehensive Software-as-a-Service (SaaS) solutions whenever particularly sensitive or legally confidential personal data is involved. For the most part, authorities will likely only be able to use applications like the widespread Microsoft 365 as online storage
Since when is Microsoft 365 the bastion of modern privacy?
At EPFL we observe worrying trends that all services are moved to Microsoft (e-mails, cloud).
What happened to universities hosting elemental services themselves?
EPFL also partnered up recently with Omnissa Workspace ONE to strengthen security of IT on campus. Mandatory (American) software which the EPFL IT office wants to install on machines...
Which is fine for IaaS use cases - spin up VMs, encrypt your disks, manage your own keys. But for productivity software like M365? The Swiss government is basically saying "yeah you can use it but only in a way that makes it almost pointless."
The Cloud Act part is what really matters here though. US providers can be compelled to hand over data regardless of where it's physically stored, and they've been pretty clear they'll comply with US law over local data protection rules when push comes to shove. For a foreign government storing legally confidential citizen data, that's a real problem. I suspect this will get quietly ignored like the previous declarations, because the alternative is either building everything in-house or relying on local providers that frankly don't have the same feature set or reliability.
"Swiss Government Moves Back to Cloud After Discovering Cleaning Staff Had More Physical Access Than IT Security Team"