Digitalization and Federalism – Is That Even Possible? How Patient Records, DigiSanté and 26 Cantons Are Undermining Switzerland's Sovereignty Claims
clarus.news | Analysis | May 22, 2026
At the federal level, the FOPH wants to ban American cloud providers from the planned Swiss health data space – citing the US Cloud Act. Meanwhile, the Inselspital, operated by the Canton of Bern, runs the US clinic information system Epic for now 228 million francs, and the cantonal government wants to make Epic the cantonal standard. Between them stands an electronic patient record that failed as announced and a 625-million program called DigiSanté, which is supposed to deliver the missing data foundation – years after the record should have been built on it. The Federal Audit Office has precisely identified the central risk. But it cannot look exactly where the most expensive and consequential decisions are made: in the cantons. The question is not whether Switzerland wants to digitalize. The question is whether a federal state can do so at all when the Confederation sets standards and 26 cantons procure the opposite.
Two Projects That Belong Together – And Were Separated
Anyone wanting to understand Swiss health digitalization must examine two projects simultaneously that officially should have little to do with each other: the electronic patient record (EPR) and the DigiSanté program.
The EPR is the visible part – the patient file that insured persons and care providers should access. It has been operational since 2021 and is now considered a failure. Depending on the source and reference date, between roughly 72,000 and 133,000 records have been opened – in any case under 1.5 percent of the population. ZHAW Professor Alfred Angerer summarized the situation in three words: "The situation is desolate." The diagnosis has been known for years: double voluntary participation (for the population and for ambulatory care providers), no compensation for additional physician workload, fragmented infrastructure of regional communities, and – as a consequence – a system perceived by physicians merely as a "secure PDF storage." The Confederation invested around 80 million francs by 2024, with cantons and the healthcare system investing multiples of that.
DigiSanté is the invisible part – the "engine room." The program is supposed to create from 2025 to 2034 with a commitment credit of 392 million (total funding requirement 625 million) those basic building blocks the EPR never had: uniform data standards, national registers, interfaces, a unique patient identifier. Around 50 projects are assigned to the program. The largest of these is the health data space (SwissHDS) – the platform to be built gradually by 2034 for exchanging all health data between doctors, hospitals and other specialists, significantly more comprehensive than the EPR. Precisely here, at DigiSanté's largest construction site, the data protection dispute ignites.
Here lies the first, rarely mentioned contradiction – an architectural flaw. A functioning digital patient record requires a common data layer: uniform formats, binding interfaces, interoperability. Switzerland did exactly the opposite. It first built the record (EPR, conceived from 2007, operational from 2021) and is delivering the data foundation only years later (DigiSanté, from 2025). And it deliberately decoupled the two projects: Due to the upcoming EPR law revision, the client decided, according to the SFAO audit report, to expressly not subordinate the record to DigiSanté.
Family physician and medical professor Sven Streit describes the practical consequence of this architectural flaw soberly: They managed to get all actors working digitally, from the FOPH to family practices – "but we can't manage to exchange the data. We send PDF files by email. We have no standards." His wish: significantly more political leadership. The Confederation must determine what standards everyone must meet.
The Data Protection Contradiction: The Confederation Prohibits, the Canton Procures
Precisely the same federal fracture line also splits Switzerland's sovereignty and data protection claims – and it's happening live.
At the federal level, the FOPH is wielding the sovereignty hammer with the "Swiss Health Data Space" (SwissHDS) project. In the documents published in February 2026, the explosive requirement is listed first: The entire infrastructure must be subject exclusively to Swiss law. The US Cloud Act is explicitly mentioned – the law that obligates US corporations to surrender data regardless of server location. This would be a de facto veto against Microsoft, Google and AWS.
But the Federal Office for Buildings and Logistics (FOBL), responsible for procurement, immediately backpedaled: This was not yet a WTO tender, but a "market survey" – and a blanket exclusion of American companies would not even be permissible in a real tender. The reason is the WTO procurement agreement GPA, which requires equal treatment of all bidders. The federal sovereignty claim is thus legally devalued before the tender even begins.
The more effective lever lies not in procurement law but in data protection law – and that is origin-neutral. The Association of Swiss Data Protection Officers (privatim) clarified the provisions at the end of 2025: Authorities may not store unencrypted particularly sensitive personal data like patient data in the public clouds of international tech corporations. Vice President Dominika Blonski justifies this with loss of control – as soon as a foreign state can access it, this is inadmissible for authorities. The Cloud Act enables exactly that: It obligates US corporations like Google or IBM to disclose data to US authorities, even if stored in Swiss data centers. When asked how it would ensure data protection, the FOPH initially reacted cautiously and then referred to applicable data protection laws and the Confederation's internal guidelines for public cloud use. Matthias Stürmer, digitalization professor at Bern University of Applied Sciences, is clearer: The Confederation must build the platform without the major US tech companies – if sensitive health data fell into American hands, trust would be lost.
At the cantonal level, exactly the opposite is happening in parallel – with the same data but reversed premise. The cantonal Insel Group in Bern has been operating the US system Epic (manufacturer: Epic Systems, Verona/Wisconsin) since March 2024. In February 2026, it disclosed the total costs for the first time: 228 million francs – compared to 83 million in the initial tender of 2020. The Grand Council of Canton Bern rejected a postulate to investigate the cost overruns on March 2, 2026, with 93 to 58 votes. And the cantonal government wants to make Epic the standard for all public list hospitals in the canton. The Swiss Digital Health Association and the IG eHealth warn of lock-in and – literally – of Cloud Act exposure of patient data. It is the same argument with which the FOPH wants to ban US providers at the federal level. Canton Bern dismisses it for its own platform.
The Insel operates Epic "on-premises" on its own servers; the Bernese data protection officer has demanded compensatory measures. But – and this is the question both sides avoid – local data storage does not answer supplier sovereignty. Matthias Stürmer, professor at Bern University of Applied Sciences and initiator of the Sovereign Digital Switzerland network, puts it succinctly: In practice, the software is not purchased but only a usage right is acquired; intellectual property remains with the provider. Without licenses, updates and support from the US manufacturer, Epic could not be operated long-term. The patient data would then physically lie in Bern – but the system around it would be dead.
Who Is Actually Allowed to Do What? The Federal Competence Gap
The sovereignty claim shatters against a soberly simple fact: There is nobody in Switzerland who could bindingly require a cantonal hospital operator to procure sovereignly operable software.
The competence landscape is clear. For the federal administration, binding guidelines from the Federal Chancellery (December 2025) apply, the open source obligation for in-house developments according to Article 9 EMBAG and the Digital Switzerland strategy with the focus topic digital sovereignty. But all of this is only binding for the Confederation. For cantons, municipalities and public law entities like the Insel Group, it serves at best as "orientation." The cantons procure autonomously via the intercantonal concordat IVöB, with their own data protection authorities. Private hospitals are completely autonomous.
The SFAO has documented exactly this mechanism cleanly in the audit report on DigiSanté (SFAO-24638): In healthcare, the Confederation has "no comprehensive competence, but only fragmented powers." Constitutionally, the cantons are responsible – also for handling health data. The greatest risk of the program, according to the SFAO, lies in the lack of federal enforcement capability. The auditors warn with remarkable sharpness against a repetition of the EPR debacle and coin a formula worth remembering: "Implementation responsibility without enforcement competence."
The Federal Council has recognized the problem. Together with the Conference of Cantonal Governments, it made a fundamental decision on December 19, 2025, to develop Digital Administration Switzerland toward binding standard-setting, and even commissioned a partial revision of the Federal Constitution. But a consultation takes months, a constitutional amendment including referendum takes years. In this gap, facts are being created – large, expensive, hardly reversible ones. Every additional Epic hospital is one of them. Besides the Inselspital, University Hospital Zurich, Children's Hospital Zurich, Lucerne Cantonal Hospital and Lausanne University Hospital have also chosen Epic.
The Quiet Criticism: What the SFAO Cannot Even Audit
It would be unfair to blame the Federal Audit Office for the weakness of this finding. On the contrary: The SFAO has precisely identified the structural Achilles heel in two reports – SFAO-24638 on DigiSanté and 23759 on steering federal digitalization. Its six recommendations on DigiSanté are all sensible: measurable program goals, effective portfolio management, a proposal to the Federal Council for creating the necessary federal competences, and honest reporting to Parliament about blockages and risks.
And yet precisely this good work marks a quiet void – not through fault of the SFAO, but in its mandate. The SFAO is the supreme financial oversight body of the Confederation. It audits the federal administration and federal agencies. It does not audit the 228-million procurement of the Inselspital, not the Bernese government's plan to declare Epic the sector standard, and not the Grand Council's decision to forgo an investigation. Precisely the level where the most consequential architectural and sovereignty decisions are made – cantonal hospital procurement – lies outside its reach. The federal division of powers that slows DigiSanté also limits oversight of DigiSanté.
A second, more subtle point is added. The SFAO consistently formulates the problem in its own language: governance, steering, enforcement competence, risk management, reporting. This is its craft, and it masters it. What is missing in its recommendations, however, is the actual architectural question: How would a national data layer need to be built technically so that it is manufacturer-independent and federally sustainable? The SFAO recommends creating competences and defining goals – but it prescribes no architecture. It correctly diagnoses the symptom (lack of enforcement power). The therapy – a coherent, sovereignly operable national architecture with binding standards – falls into a blind spot: between the SFAO's financial oversight competence and the constitutional autonomy of cantons. Nobody in today's Switzerland is simultaneously technically responsible and legally authorized to prescribe it.
This is the uncomfortable point of the federalism finding: Even the best federal auditor remains structurally half-blind here.
Proposal 1: The Confederation's Own Open Data Exchange Platform
How to get out of this situation? Two approaches suggest themselves – one for the Confederation, one for the cantons.
At the federal level, Switzerland should stop arguing about the nationality of providers and instead regulate the operability of systems. The dispute over company headquarters is legally lost before it began – WTO law does not permit it, as the FOBL has already admitted. The productive lever is different: The Confederation builds or procures the national interoperability and data exchange layer as open, open-source infrastructure – exactly those basic building blocks, registers and interfaces that DigiSanté budgets anyway, but as a sovereign platform under Swiss control.
Three arguments support this. First, the legal basis already exists: Article 9 EMBAG obligates the Confederation to provide in-house developments as open source. Second, there is political tailwind – Parliament has earmarked ten million francs for the army for an open-source alternative, and organized Switzerland showed with e-ID that broadly supported digital proposals can gain majorities. Third, and decisive: Open source is the cleanest way to pass the operational sovereignty test that a serious strategy should require. This test is origin-neutral and thus WTO-compliant; it asks not where the provider comes from, but: Does the system run with escrowed source code, documented interfaces and qualified third-party operators even when the original manufacturer cancels the contract, gets into difficulties or yields to regulatory pressure? For Epic, Microsoft 365 or Broadcom/VMware, the answer today is No – for an open federal platform, it would be Yes by design.
The direction is even already right: The data protection clarification by privatim and the Confederation's internal public cloud guidelines argue not about provider nationality but about loss of control – whoever can access from outside is eliminated. This is the origin-neutral core. Only the consistent next step is missing: extending it from mere storage location to the operability of the entire software.
Architecturally, this means no central data silo – no national honeypot with all patient data in one place. A federated solution makes sense: Data remains with hospitals and cantons, the Confederation operates the standard, directory and exchange layer. This is realistic for a federal state – and it is exactly what DigiSanté conceptually wants but cannot enforce without enforcement power.
Proposal 2: Binding Standards for Cantonal Hospitals – The Scandinavian Model
The harder problem remains: the clinic information systems of cantonal hospitals. The Confederation cannot force Canton Bern to renounce Epic today. But the reference to federalism as an insurmountable obstacle is a fallacy – and Scandinavia proves it. Denmark and Finland are also multi-level organized (municipalities, regions, state), and both have solved the problem at which Switzerland fails. They show two viable architectural models.
The Danish (federated) model. Denmark stores health data decentrally but exchanges it via binding national standards. The non-profit organization MedCom (founded 1994) has defined national exchange standards for almost three decades and operates core infrastructure for data exchange. The national portal sundhed.dk bundles over a hundred data sources for citizens and specialists. The Danish Health Data Authority is responsible for the national reference architecture. Decisive for the Swiss debate: By 2026/2027, Denmark is merging sundhed.dk, the Health Data Authority and MedCom into a single national organization – "Digital Health Denmark", jointly supported by municipalities, regions and state. The federal structure has thus not prevented a binding national level; Denmark has created a jointly owned national body with standard-setting competence.
The Finnish (centralized) model. Finland takes the opposite path. The Kanta system (operated by the Social Insurance Institution Kela, in production since 2010) is a central national patient data repository. All public care providers have been connected since 2014, private providers are obligated when keeping electronic records; treatment data is automatically transferred. The national institute THL prescribes mandatory information models. The result is coverage near 100 percent.
Both models share two ingredients Switzerland lacks: a national body with binding standard-setting competence and mandatory participation. The double voluntary nature of the EPR and the procurement autonomy of cantons are the exact opposite of this design.
For Switzerland, the Danish governance pattern suggests itself because it fits the federal DNA: a body jointly supported by Confederation and cantons, building on the already initiated DVS reform, that sets binding interoperability and sovereignty standards. Health policy expert Felix Schneuwly has already identified the necessary lever to reach cantonal hospitals without first amending the constitution: Whoever wants to bill health insurers must not only show diplomas but also meet technical standards. Via the KVG and billing authorization, the binding standard obligation could be introduced in a federalism-friendly way – constitutional adaptation remains the permanent but slower solution.
Conclusion: The Problem Is Not Federalism But Missing Architecture
"Digitalization and federalism – is that even possible?" Denmark answers the question with Yes. A multi-level state can coherently digitalize its healthcare system – but only with a jointly supported national standards body, mandatory participation, and an operational sovereignty test instead of a hopeless debate about provider nationalities.
Swiss failure lies not in federalism itself. It lies in the absence of a binding architectural layer and a body authorized to enforce it. The EPR failed due to this gap. DigiSanté threatens – according to the SFAO – to fail from the same deficiency. And into this vacuum push the Epic procurements of cantons, creating expensive, manufacturer-dependent and hardly reversible facts. The sovereignty dispute is fought on the wrong axis: about company headquarters (WTO-contrary) instead of operational independence (technically verifiable, origin-neutral).
Andrey was right with his "bigger box": The real problem is not technology but governance. Switzerland has a strategy, a platform, an advisory board, an interdepartmental working group and a commissioned constitutional amendment with uncertain outcome. What it