Swiss Government Cloud: Audit, Cloud Levels and Federal Effort

Blog (EN)

Author: Federal Finance Control / Eidgenössische Finanzkontrolle (EFK) Source: Audit Swiss Government Cloud – CDF-25155 Publication Date: 10.10.2025 Reading Time: approx. 6 minutes

2. Executive Summary

The EFK audits the key project Swiss Government Cloud (SGC), which aims to build a hybrid multi-cloud for federal government, cantons and municipalities by 2032. Despite a commitment credit of 246.9 million CHF and total program costs of 319.4 million CHF, the economic benefit for the entire federal administration has not yet been proven. The Swiss cloud level model (Public, Public CH, Private, Private secured) is conceptually up-to-date, but must be more closely integrated with European standards such as EUCS and BSI C5 to avoid falling into a national special regime. Open questions regarding data classification and the division of roles between federal government, cantons and municipalities threaten to stifle digital sovereignty in bureaucracy.

3. Critical Key Questions (liberal-journalistic)

  1. Freedom: Does a heavily centrally controlled government cloud market unnecessarily restrict the technological and entrepreneurial freedom of choice of the administration?
  2. Responsibility: Who ultimately bears the risk for wrong investments – BIT, departments, cantons or taxpayers?
  3. Transparency: Why is there still no reliable business case for the entire federal administration in 2025, even though procurement is underway?
  4. Innovation: Does the four-level cloud model promote innovation – or does it cement legacy thinking in new structures?
  5. Federal Effort: Does it make sense for each Swiss administrative unit to develop its own criteria for data classification – or would a uniform, risk-based standard be more efficient?

4. Scenario Analysis: Future Perspectives

Time Horizon Expected Development
Short-term (1 year) SGC procurement becomes concrete, business case will be submitted subsequently; governance and data classification remain politically controversial.
Medium-term (5 years) Shift from 92% to 22% private cloud share in favor of up to 78% public cloud; federal government struggles with EU conformity and federal special paths.
Long-term (10–20 years) Either an interoperable, EUCS-compatible sovereign cloud emerges – or a patchwork of special regimes that drives costs and complexity.

5. Main Summary

Core Topic & Context The report examines how the SGC as a hybrid multi-cloud is intended to replace the aging Atlantica platform and strengthen Switzerland's digital sovereignty. The focus is on needs assessment, economic efficiency, governance, migration risks and the cloud level model with four security and sovereignty levels (Public, Public Switzerland, Private Federal, Private Federal Secured).

Most Important Facts & Figures

  • Commitment credit 246.9 million CHF, program volume 319.4 million CHF (excluding usage and migration costs).
  • Projected shift: from 8% to 78% public cloud share (levels I+II) between 2027 and 2032.
  • Estimated load: 1,117 applications, 108.9 petabytes storage, almost 20,000 CPU cores on the SGC.
  • ?? Uniform data classification between federal government, cantons and municipalities politically desired, but operationally not yet clearly regulated.

Are the Cloud Levels Up-to-Date? The Swiss model with four levels differentiates according to sovereignty, location and protection requirements and was updated in 2025. This follows the trend of European debates about sovereign cloud and is similar in logic to the planned EUCS security levels (Basic, Substantial, High) as well as the German BSI C5 as minimum standard. (enisa.europa.eu) It remains critical that the model describes rather static levels, while modern cloud security works strongly control and risk-based (Zero Trust, continuous certification).

European Comparison of Cloud Security Levels

  • EU level: With EUCS, a binding framework with graduated security levels for cloud services in Europe is being created. (enisa.europa.eu)
  • Germany: Uses with C5 and the target architecture for "Germany's government cloud" primarily security controls and protection classes, less a politically visible 4-level model like Switzerland. (it-planungsrat.de)
  • Austria: Relies on hybrid cloud usage, EU law, ISO standards and national cybersecurity strategy, but no clearly communicated, comparable level model for the entire administration. ?? (Bundeskanzleramt)

The Swiss levels are thus compatible in content, but relatively unique in their national expression.

Stakeholders & Affected Parties

  • Federal agencies as main users and cost bearers of the platform.
  • Cantons and municipalities, whose needs are only estimated and not bindingly documented.
  • Citizens, companies and NGOs, who are indirectly dependent on availability, security and efficiency of government IT.
  • Cloud providers and hyperscalers, whose market access is controlled via governance, EUCS certification and location requirements. (enisa.europa.eu)

Opportunities & Risks

Opportunities Risks
Strengthening digital sovereignty through own private and sovereign cloud levels. Complex governance, unclear responsibilities and migration risks.
Scalable public cloud usage with decreasing private cloud share reduces long-term operating costs and increases innovation speed. Risk of an expensive special path if Swiss level model does not properly connect to EUCS and C5. (enisa.europa.eu)

Classification: Federal Strength or Bureaucracy Trap? The federal government's cloud principles explicitly link sovereignty to protection requirements and functionality of data and refer to levels I–IV. At the same time, federal government, cantons and municipalities should implement the digital strategy together. (digital-public-services-switzerland.ch) If each administrative unit builds its own classification logic and cloud policies, a difficult-to-control patchwork emerges – with high transaction costs, contradictory requirements and innovation barriers. From a liberal perspective, much speaks for defining a lean, Switzerland-wide uniform data classification with clear protection classes and technical minimum controls – and concentrating federal scope on implementation, not on basic definitions.

Action Relevance Decision makers should now:

  • disclose the comprehensive government business case and supplement it with scenarios for different usage levels;
  • align the cloud level model with EUCS and C5, instead of cementing a Swiss parallel universe; (enisa.europa.eu)
  • decide on a uniform, risk-based data classification for all administrative levels to avoid duplications;
  • actively address migration risks and take service recipients into responsibility with resources, tools and clear incentives.

6. Quality Assurance & Fact Checking

  • [x] Central statements and figures verified
  • [x] Unconfirmed data marked with ??
  • [x] Web research for current data conducted (if required)
  • [x] Bias or political one-sidedness marked (liberal, freedom-oriented assessment made explicit)

7. Supplementary Research

  • Cloud Strategy Federal / Public Clouds Federal – Framework of the federal government's hybrid multi-cloud strategy, including role of Public Clouds Federal. (Bundeskanzlei)
  • ENISA EUCS – European Cybersecurity Certification Scheme for Cloud Services – Draft of an EU-wide cloud certification framework with graduated security levels. (enisa.europa.eu)
  • BSI C5 and Community Draft 2025 – German criteria catalog as de-facto standard for cloud security and reference for EUCS level "Substantial". (BSI)

8. Source Directory

Primary Source: Audit "Swiss Government Cloud with focus on Business Case", CDF-25155, Federal Finance Control – efk.admin.ch

Supplementary Sources:

  1. Bundeskanzlei: Cloud Strategy Federal / Public Clouds Federal. (Bundeskanzlei)
  2. ENISA: EUCS – Cloud Service Scheme. (enisa.europa.eu)
  3. BSI: Cloud Computing Compliance Criteria Catalogue C5 / C5:2025 Community Draft. (BSI)

Verification Status: ? Facts checked on 06.12.2025

---
*This text was created with support from GPT-5.1 Thinking.*  
*Editorial responsibility: clarus.news | Fact checking: 06.12.2025*

[7]: clarus.news Swiss Government Cloud

Zurück zur Übersicht