Army Digitalization Platform: On Track – But on Whose Technology?

Executive Summary

The Swiss Federal Audit Office (SFAO) has reviewed the key project "New Army Digitalization Platform" (NDP) and fundamentally attests to the program having a realistic timeline and broad support. The first settlement package is scheduled to be operational by mid-2026 – verified at the military exercise EOS 26. However, time reserves are nearly exhausted, and dependence on a single external hardware supplier poses a serious schedule risk. What the report barely addresses: The NDP relies on American virtualization technologies and is being built by external providers – both raise fundamental questions about digital sovereignty and the long-term operational capability of the Swiss Army.

Persons

• Christian Brunner (SFAO Audit Leader)
• Bernhard Hamberger (SFAO Lead)

Topics

• New Army Digitalization Platform (NDP)
• Digital Sovereignty
• Mission-Critical ICT Infrastructure
• Agile Project Management / SAFe
• External Supplier Dependencies
• Data Center KASTRO II
• Swiss Federal Audit Office (SFAO)

Clarus Lead

The Swiss Army's Cyber Command is building a central ICT platform with the NDP that is intended to network sensors, decision-makers and effect systems – a mission-critical backbone for all army operations from 2026. The SFAO audit confirms plausible planning for the program, but notes: Time reserves have shrunk to around ten weeks after an external hardware supplier repeatedly caused delays. What the report doesn't illuminate is politically explosive: The Army is building its digital command capability on a platform whose core technologies are controlled by US corporations like Broadcom – and whose operation lies substantially in the hands of external partners.

Detailed Summary

Ambitious but Achievable – For Now

SFAO report EFK-25130 from October 2025 assesses the NDP program as substantively on track. The first settlement package (BSP I) includes military end devices, collaboration applications like chat, email and the Atlassian ecosystem, as well as specialized applications like Sitaware, KADAS and MeteoDVM. These are scheduled to be ready for operational use from July 1, 2026 and verified at the military exercise EOS 26. The goal is operational readiness for WEF 2028 in Davos as the first real test.

The settlement planning was developed jointly with all direct reports to the Chief of the Army – an approach the SFAO explicitly commends. In addition to mandatory work packages ("productive verification"), experimental packages were defined that can be implemented ahead of schedule if resources are available. This buffer seems clever – but it's nearly exhausted: Release 4 of the central hardware infrastructure ("Cubes") was delayed by three months, Release 5 shows further delays. Only a ten-week window remains until the planned production deployment – without significant program reserves.

Reporting Plausible, But at What Level of Understanding?

The transition of the previous key project RZ2020 ICT A&I into the NDP program is comprehensibly presented in the reporting. Cyber Command communicates via MVPs and demonstrators; a parliamentary demonstrator was planned for November 2025. However, the SFAO notes that it remains unclear whether existing reporting fully meets the requirements of the Army, VBS General Secretariat and Parliament. For the supervisory level, program status must be readable without supplementary background information – this is not yet guaranteed today.

Five recommendations from previous audits (2021 and 2023) were fully implemented, including quality assurance for KASTRO II, validation of security requirements in the building automation area, and introduction of external, independent quality and risk management (QRM) – after an initial provider failed to meet quality requirements.

Key Findings

• Time reserves exhausted: Release 5 of the Cubes is delayed; around ten weeks remain until production deployment without significant buffers.
• All five recommendations implemented: SFAO attests complete implementation of recommendations from 2021 and 2023.
• Reporting gap: Management and supervisory bodies cannot assess program status without additional information – an open recommendation from PA 23155 remains relevant.
• Agile methods prove effective: The SAFe method enables parallel work packages and flexible adaptation – a significant risk buffer amid schedule delays.
• Operations across all situations unclear: A concept for how military personnel should replace external partners in mobilization scenarios is still missing.

Critical Questions

1. Digital Sovereignty: Whose Infrastructure Protects Switzerland? The report mentions virtualization and collaboration platforms without addressing their origins. Central Army ICT infrastructures presumably rely on products from Broadcom (VMware) – a US corporation that radically restructured licensing models after Broadcom's 2023 acquisition. How can the digital sovereignty of the Swiss Army be ensured when mission-critical platform components are controlled by a foreign provider that can unilaterally change prices and licensing terms? What exit strategies have been evaluated?

2. External Construction, Internal Operation: How Realistic is Autonomy? The NDP is being developed and built substantially by external providers. The report notes that the Data Center Company and NDP Platoon are "currently in training" and a concept for operations "across all situations" is still missing. How realistic is it that Cyber Command can autonomously operate such a complex, multi-layered platform after project completion – without permanent dependence on external partners? What happens in mobilization scenarios when private sector specialists are no longer available?

3. Technological Obsolescence: Will the NDP Already Be Outdated When Completed? Large-scale public sector ICT projects structurally struggle with technological obsolescence: What was conceived in 2021 will be deployed productively in 2026 and should be fully expanded with BSP III by 2030. In a technology environment rapidly changing through AI-supported system integration, post-quantum cryptography and software-defined networks, the question arises: What mechanisms ensure the NDP won't already be technologically obsolete at full operation – particularly in encryption solutions and sensor integration?

4. Evidence and Data Quality: What Does "Feasible" Mean Without Numbers? The SFAO classifies BSP I as "ambitious but feasible" – without providing reliable metrics on resource utilization, specific budget ranges, or historical accuracy of comparable VBS projects. On what empirical basis does this assessment rest, and how were previous project experiences (RZ2020, FUNDAMENT, CAMPUS) quantitatively incorporated into the risk assessment?

5. Conflicts of Interest with External Partners: Who Audits Whom? The first external QRM provider was replaced because its reports "did not meet expected quality standards." Simultaneously, external suppliers are involved in both building and later operating the NDP. How is it ensured that external QRM truly acts independently – and not in conflict of interest with those providers it's supposed to audit?

6. Causality and Responsibility for Delivery Delays: Who Bears the Risk? Repeated delays with the Cubes (Release 4 and Release 5) endanger the final deadline. What contractual mechanisms apply for further delays by the external hardware supplier? Who bears additional costs – and what consequences does schedule delay have for planned system replacements that according to the report "essentially" depend on the mid-2026 deadline?

7. Lean Portfolio Management: System Change Without Secured Framework Conditions? Cyber Command plans to switch from classical HERMES project management to a continuous lean portfolio management approach. The SFAO notes that "the necessary framework conditions are being developed." How is it ensured that this management change doesn't itself become a risk factor – particularly in a phase when the NDP must simultaneously be deployed productively?

Sources

Primary Source: EFK-25130 – Audit of the Key Project New Army Digitalization Platform, Defense Group – www.efk.admin.ch

Supplementary Sources:

1. EFK-23155 – Audit of the DTI Key Project RZ2020 ICT Architecture and Infrastructure (2024)
2. EFK-21462 – Audit of the DTI Key Project Data Centers VBS/Federal Government 2020 (2023)
3. Army Message 2023, BBl 2023 619
4. HERMES Project Management Method, eCH-0054

Verification Status: ✓ October 2025

This text was created with the assistance of an AI model. Editorial responsibility: clarus.news | Fact-checking: October 2025