Meta Information

Author: Joyce Lopes de Azevedo
Source: Inside Paradeplatz (Original article not directly available)
Publication Date: November 6, 2025
Summary Reading Time: 4 minutes

Executive Summary

Swiss large corporations like SBB and Roche rely on contractual assurances for IT outsourcing without controlling actual data processing. The example of mobility company Urban Connect illustrates: Despite data protection clauses, companies cannot precisely specify where their developers are located and who has access to systems. Recommendation: Swiss companies must go beyond mere contractual clauses and implement active control of their digital supply chains.

Critical Key Questions

How can Swiss companies ensure genuine data sovereignty when they rely only on contractual assurances instead of technical control?
What strategic risks arise when critical infrastructure operators like SBB cannot verify their IT security themselves?
Is the balance between cost efficiency through global outsourcing and national data security still appropriate given geopolitical tensions?

Core Topic & Context

The article exposes systematic weaknesses in IT outsourcing of Swiss large corporations. The trigger was an anonymous tip about mobility company Urban Connect, whose IT infrastructure was suspected to be in data protection-problematic countries. The investigation reveals fundamental control deficits in digital supply chains.

Key Facts & Figures

• Urban Connect serves prominent clients: SBB, Roche, Google • Developer teams are located in Switzerland, EU, USA, Serbia and "individual additional countries" • SBB relies exclusively on contractual assurances, no internal verification • CLOUD Act allows US authorities access to data of American companies worldwide • Russian law permits state access to all IT systems by law • Federal Councilor Jans declared on December 2, 2024: "With the Data Protection Act, our data is protected"

Stakeholders & Affected Parties

Directly affected:

Swiss infrastructure operators (SBB, energy companies)
Pharmaceutical giants (Roche)
Tech corporations (Google Switzerland)
IT service providers with international teams

Indirectly affected:

All Swiss companies with IT outsourcing
End customers of affected service providers
Swiss data protection authorities

Opportunities & Risks

Risks:

Undetected backdoors in critical systems through foreign developers
State data access via foreign legal systems (CLOUD Act, Russian law)
Compliance violations without knowledge of Swiss clients
Industrial espionage through insufficient control of development environments

Opportunities:

Competitive advantage for providers with verifiable Swiss IT infrastructure
Market differentiation through genuine data sovereignty
Regulatory leadership role in digital sovereignty in Europe

Scenario Analysis: Future Perspectives

Short-term (1 year): Stricter audit requirements for IT service providers, initial repatriation of critical systems to Switzerland, increased sensitivity in public sector tenders.

Medium-term (5 years): Emergence of specialized Swiss IT security providers, legal tightening of data localization obligations for critical infrastructures, new certification standards for "Swiss IT".

Long-term (10-20 years): Complete digital sovereignty as Swiss unique selling proposition, dedicated cloud infrastructures for sensitive industries, possible decoupling from global tech platforms for critical applications.

Action Relevance

Immediate measures required:

Implement technical audits instead of mere contractual clauses
Geographically and legally segregate development environments
Bring build pipelines and system logs under Swiss control

Time-critical: With increasing geopolitical tensions, the risk of state interventions in foreign IT systems is escalating exponentially.

Sources

Primary Source:

Zürcher Mobilitätsfirma im Clinch - Inside Paradeplatz, 6.11.2025

Supplementary Sources:

Verification Status: ✅ Facts checked on November 6, 2025