Federal Office of Public Health bans, Bern procures: How federalism devalues Switzerland's sovereignty claims


clarus.news | Analysis | May 12, 2026 | Andreas Binggeli and Ernst Anker

The Federal Office of Public Health (FOPH) wants to effectively exclude US cloud providers like Microsoft, Google and AWS from a multi-million tender for the "Swiss Health Data Space" (SwissHDS) project. Justification: Protection of highly sensitive patient data from the US Cloud Act. But while Bern wields the sovereignty hammer at federal level, the Inselspital, co-financed by the canton, has been operating the American hospital information system Epic since March 2024 – with total costs now reaching 228 million francs. And the cantonal government wants to make Epic the cantonal standard for all public hospitals. The central question: What good is a federal US ban if 26 cantons are autonomous in procurement – and order the opposite in droves?


What the FOPH demands – and what the FOBL is already taking back

The FOPH project SwissHDS is intended to create a networked data space for exchanging patient data between doctors and hospitals. In February 2026, the office published initial documents on the Simap procurement platform. The explosive requirement is listed right at the top: "The entire SwissHDS infrastructure must be subject exclusively to Swiss legal order." The US Cloud Act is explicitly mentioned – the law that obligates US corporations worldwide to grant US authorities data access, regardless of server location.

This would be a de facto veto against Microsoft, Google and AWS. But the Federal Office for Buildings and Logistics (FOBL), responsible for procurement, is already backtracking. Procurement chief Thierry Vauthey explained to the "NZZ am Sonntag" that the uploaded documents were not yet a WTO tender, but a "market survey." And then the crucial half-sentence: If the federal government eventually puts out the million-franc tender, the exclusion of American companies formulated today would not be permissible.

Thus the federal sovereignty claim is already legally devalued before the actual tender. Switzerland is bound by the WTO Government Procurement Agreement (GPA), which requires equal treatment of all bidders from member states. A blanket exclusion of US companies would be protectionism violating international law – at least according to current interpretation and especially since Switzerland is simultaneously conducting trade negotiations with the Trump administration.

This fits the broader line of the Federal Chancellery. On December 12, 2025, it issued binding guidelines for digital sovereignty for the first time. They apply – importantly – only to the central federal administration. For projects with sovereignty risks, the Federal Digitalization Council must be informed. For cantons, municipalities and institutionally autonomous entities like public hospitals: guidance at best.

The Digital Switzerland Strategy has a blind spot

The "Digital Switzerland Strategy" updated in December 2025 explicitly sets digital sovereignty as a focus topic for 2026. But: "It is binding for the federal administration. For other actors such as cantons, municipalities, business, science and civil society, it serves as guidance," states digital.swiss.

This is precisely where the claim crashes against federal reality. The Federal Council, together with the Conference of Cantonal Governments (CCG), made a fundamental decision on December 19, 2025, to further develop Digital Administration Switzerland (DVS) toward a political platform with binding standard-setting. The Federal Council has even commissioned a partial revision of the Federal Constitution. But a consultation draft will take months, a constitutional amendment including referendum years. And in this gap, facts are being created – big, expensive and barely reversible ones.

Inselspital: 228 million for a US system – with blessing of Bern's data protection officer

This is most impressively demonstrated in the federal city itself. The Insel Group – Switzerland's largest university hospital network and owned by the Canton of Bern – introduced the hospital information system Epic on March 2, 2024. Manufacturer: Epic Systems Corporation based in Verona, Wisconsin (USA).

In February 2026, Insel disclosed the total costs for the first time: 182.5 million francs in one-time implementation costs plus 45 million francs in operating costs until 2032 – totaling 228 million francs. The original tender in 2020 was for 83 million. Insel justifies the additional costs with increased case and user numbers, subsequently purchased modules, external consulting and VAT. External license and consulting costs alone amount to 101.6 million francs, plus 52.5 million francs in internal personnel costs for the four-year project phase.

Politically even more explosive: The Grand Council of the Canton of Bern rejected a postulate to investigate the additional costs on March 2, 2026, by 93 to 58 votes. Justification: The audit commission had already initiated clarifications. The 228 million will thus be processed without formal parliamentary investigation – even though the difference from the initial tender exceeds the 2022 annual loss that led to the closure of the hospitals in Münsingen and Tiefenau.

For data protection, Insel operates Epic "on-premises" on its own servers in the local data center in Bern. Christoph Zwaan, Insel's media spokesperson, emphasizes: "The operation of Epic and the patient data contained therein remain on the Insel Group's servers." Bern data protection officer Ueli Buri has reviewed the system and demanded compensatory measures – directives on access rights, logging, controls. The original 86 open findings have dropped to 25.

But the central question of supplier sovereignty – can the US manufacturer change license terms, increase prices or yield to pressure from its own authorities? – is precisely what local data storage does not answer. Swiss competitor Cistec, with its KISIM system (used in Fribourg and St. Gallen), makes a different promise here: "All workplaces are located in Switzerland," says Key Account Manager Laura Fässler. "Likewise, all health data is stored exclusively in Switzerland." The Canton of Bern decided against this path.

Bern's double strike: Epic for all listed hospitals

The contradiction grows. In June 2025, the Bernese government sent a draft for the "Digital Health Platform" to consultation. Goal: All public listed hospitals in the canton should work with the same hospital information system – namely Epic. The platform construction alone is estimated at eleven million francs, with migration costs in individual hospitals described as "considerable." Private hospitals like Hirslanden, Lindenhof or Swiss Medical Network could participate voluntarily.

The Swiss Association for Digital Health (SVDG) and IG eHealth warn of a lock-in effect and Epic's monopoly position. Specifically regarding data protection: "Under the Cloud Act, patient data could be exposed to access by US authorities." The very argument with which the FOPH wants to ban US providers at the federal level for SwissHDS is dismissed by the Bernese government for its own cantonal platform.

Grand Councilor Casimir von Arx (GLP) criticizes the financial burden and data protection problems – without a political majority. And Bern is not alone: University Hospital Zurich (USZ) has also chosen Epic, and Cistec has filed a complaint there. Zurich Children's Hospital, Lucerne Cantonal Hospital and Lausanne University Hospital also use Epic. Berlin's Charité will follow from 2029 for 200 million euros.

Who actually decides? The jurisdiction map

The federalism question of the day: Who in Switzerland actually has the authority to impose a binding requirement on a public body – federal, cantonal or a canton-affiliated hospital operator – that software must be operated sovereignly, i.e., independently of the supplier?

The answer is sobering:

  • Federal administration: Binding guidelines of the Federal Chancellery (December 2025), based on EMBAG. Open source obligation for federal in-house developments according to Article 9 EMBAG. Digital Switzerland Strategy with focus on digital sovereignty.
  • Cantons: Own legislation, own procurement procedures via the intercantonal concordat IVöB, own data protection authorities. The DVS strategy 2024–2027 is cooperative and not binding.
  • Cantonal hospitals and public entities like the Insel Group: Procure autonomously. Supervision by the cantonal data protection office.
  • Private hospitals: Completely autonomous.

Specifically, this means: Even if the FOPH finds a WTO-compliant way tomorrow to exclude Cloud Act providers from SwissHDS – for example through security-based requirements instead of direct origin exclusions – this in no way prevents the Canton of Bern from declaring Epic the binding standard for its hospitals. And it doesn't prevent the Canton of Zurich from introducing Epic at USZ. An "interdepartmental working group on digital sovereignty" at the federal level under the leadership of the DDPS State Secretariat for Security Policy is analyzing risks until 2027 – without any authority over cantons or municipalities.

The Federal Council itself provided the definition in its report on postulate 22.4411 Z'graggen "Digital Sovereignty of Switzerland": "Digital sovereignty means having the necessary control and capacity to act in the digital space as a state to ensure the fulfillment of state tasks." What remains of this control and capacity to act when the most important IT system of Switzerland's largest university hospital is delivered from Verona, Wisconsin – and the cantonal government wants to declare it the sector standard?

Sovereignly operable: The question no one asks

This is precisely where the blind spot of the entire debate lies. Both the FOPH argument ("exclude providers under US Cloud Act") and the Insel argument ("data lies on our servers") dodge the question that actually matters:

Can the procured software continue to operate even if the manufacturer cancels the contract, runs into financial difficulties or yields to regulatory pressure from its home country?

For Epic: No. Without licenses, updates and support from the US manufacturer, the system could not be permanently operated. Patient data would lie physically in Bern, but the system around it would be dead. The Insel Group would have invested 228 million francs in an infrastructure whose lifespan depends on the business policy of a company from Wisconsin.

For Microsoft 365: No. For Broadcom/VMware in the Army's New Digitalization Platform, as clarus.news analyzed in April: also no. For AWS, Azure or Google Cloud: definitely not.

"In fact, the software was not bought, but only a usage right was acquired," summarizes Matthias Stürmer, professor at Bern University of Applied Sciences and initiator of the Sovereign Digital Switzerland network, the basic problem. "The intellectual property remained with the provider, who was thus able to expand his influence on the administration over the last 20 years."

An operational sovereignty test – can the system continue to run with escrowed source code, documented interfaces and qualified third-party operators even without the original manufacturer? – is missing in most procurements. A serious sovereignty strategy would have to require exactly this test, instead of getting stuck on the question of provider location, which WTO law doesn't allow anyway. The test is origin-neutral, technically verifiable, and would affect Swiss and European providers as well as American ones.

Conclusion: Sovereignty in 26 versions is no sovereignty

The FOPH SwissHDS ban on US providers is a political signal – but legally questionable and practically ineffective as long as cantons remain free to purchase Epic, Microsoft and Broadcom for their hospitals, administrations and schools. Switzerland thus plays out a textbook case of federal incoherence: The federal government makes sovereignty claims that its own procurement rules don't allow – and to which the cantons, who operate the bulk of state-related IT, don't have to adhere anyway.

France has DINUM, an authority that can demand and enforce migration plans across ministries. Switzerland has – honestly speaking – none. It has a strategy, a platform, an advisory board, an interdepartmental working group and a commissioned constitutional amendment with uncertain outcome.

Three concrete demands are pressing:

First, an operational sovereignty test must be established as a procurement standard. Every state-related IT procurement above a threshold to be defined would have to demonstrate that the system remains operable without the original manufacturer. This test is WTO-compliant because it is origin-neutral, and it reduces today's misleading debate about provider nationality to the actual question: Who has control?

Second, cantonal and municipal procurements need binding standards. The constitutional amendment initiated on December 19, 2025, must address this point unambiguously – otherwise every federal signal remains symbolic politics. A "Digital Switzerland Strategy" that is "guidance" for cantons is worthless in a sovereignty emergency.

Third, a central office with enforcement authority is needed. Without a Swiss equivalent to France's DINUM, a coherent sovereignty strategy cannot be implemented. The Delegate for Digital Transformation currently has too few competencies, as documented by the Swiss Federal Audit Office in audit report 23759. A reform that doesn't address the constitutional and competency question will fail on this point.

Until then: The FOPH can formulate as strictly as it wants at the federal level – if the Canton of Bern simultaneously declares Epic the standard for all public hospitals, if USZ introduces Epic, if the Insel Group invests 228 million in a US system and the Grand Council rejects the investigation into it, then Switzerland's "digital sovereignty" is not a strategy. It is a Sunday speech – distributed among 26 cantonal governments, a federal office, a federal chancellery and an interdepartmental working group that mutually assure each other that actually someone else is responsible.


This article is based on publicly accessible sources as well as previous clarus.news analyses on digital sovereignty.

Sources:

  • NZZ am Sonntag: "No Deal for the Americans – Federal Government Takes on US Tech Giants", 09.05.2026
  • heise online: "Swiss Health Data: Confederates against US Cloud Dominance", 12.05.2026
  • 20 Minuten: "Inselspital Discloses – Hospitals Choose More Expensive System from USA Instead of Switzerland", 11.02.2026
  • Netzwoche: "This Much the Bern Insel Group Pays for Epic HIS", 17.02.2026
  • Berner Zeitung: "Grand Council Rejects Investigation into Insel IT Epic", 02.03.2026
  • Insel Gruppe: Press Release "Investments for the Medicine of the Future", February 2026
  • Medinside: "Criticism of Bern's Digital Health Platform", 17.10.2025
  • Der Bund: "Canton Bern – Epic for All Public Hospitals", June 2025
  • Der Bund: "Epic IT System in Bern Hospitals – Criticism of Government Council", 10.11.2025
  • Inside-IT: "Epic Leads to Data Protection Discussions at Inselspital", May 2024
  • digital.swiss: Digital Switzerland Strategy 2026
  • Federal Chancellery: "Guidelines for Digital Sovereignty in the Federal Administration", 12.12.2025
  • Federal Council / CCG: Fundamental Decision on DVS Development, 19.12.2025
  • Federal Council Report in Fulfillment of Postulate 22.4411 Z'graggen "Digital Sovereignty of Switzerland"
  • Republik: "The USA Lobbies Against Switzerland's Digital Sovereignty", 26.01.2026
  • SwissICT: "Digital Sovereignty – Two Perspectives" (Matthias Stürmer / Marc Holitscher), 10.04.2026
  • SFAO Audit Report 23759: Federal Digitalization Governance, November 2024
  • clarus.news: "Digital Sovereignty – France Tackles the Bigger Box", 14.04.2026
