Executive Summary

The Federal Audit Office (FAO) certifies the New Army Digitalization Platform (NDP) has a realistic timeline and broad support – yet time buffers are nearly exhausted. The first deployment package is scheduled to be operational by July 2026 and verified at the military exercise EOS 26. Critical concern: The platform relies on American virtualization technologies and is being built by external vendors, raising fundamental questions about digital sovereignty and long-term operational capability.

Persons

Topics

  • New Army Digitalization Platform (NDP)
  • Digital Sovereignty
  • Mission-Critical ICT Infrastructure
  • Dependence on External Suppliers
  • Agile Project Management (SAFe)

Clarus Lead

The Cyber Command is building with the NDP a central ICT platform designed to network sensors, decision-makers, and effects systems – a mission-critical backbone for all army operations from 2026 onward. The FAO audit confirms the program's plausible planning but warns: time buffers have shrunk to approximately ten weeks after an external hardware vendor repeatedly caused delays. Politically contentious: the Army is building its digital command capability on a platform whose core technologies are controlled by US corporations like Broadcom – whose operations are substantially in the hands of external partners.

Detailed Summary

The FAO audit (FAO-25130, October 2025) assesses the NDP program as substantively on track. The first deployment package (BSP I) comprises military end-user devices, collaboration applications (chat, mail, Atlassian ecosystem), and business applications such as Sitaware, KADAS, and MeteoDVM. These are to be operational as of 1 July 2026 and verified at the military exercise EOS 26. The target date for full operations is the WEF 2028 in Davos. The deployment plan was developed jointly with all direct subordinates of the Army Commander – an approach the FAO commends.

Beyond mandatory work packages, experimental packages were defined that were intended to serve as a time buffer. However, this buffer is nearly depleted: Release 4 of the central hardware infrastructure (Cubes) was postponed by three months, Release 5 shows further delays. Only ten weeks remain until the planned production go-live – without significant program reserves.

A second issue concerns reporting: the transition of the key project RZ2020 ICT A&I into NDP is clearly documented. However, the FAO notes that it remains unclear whether reporting fully meets the requirements of the Army, the State Secretariat VBS, and Parliament. For oversight bodies, program status must be legible without additional information – this is currently not assured. Positive: Five recommendations from previous audits (2021, 2023) have been fully implemented, including quality assurance, security validation, and the introduction of external quality and risk management.

Key Statements

  • Time buffers exhausted: Release 5 of Cubes delayed; only ten weeks until production go-live without meaningful buffer.
  • All five recommendations implemented: FAO confirms full implementation of recommendations from 2021 and 2023.
  • Reporting gap: Governance and oversight bodies cannot assess program status without additional information.
  • Agile methods successful: SAFe method enables parallel work packages and flexible adaptation – essential risk buffer.
  • Operations across all scenarios unclear: Concept for how military personnel should replace external partners in mobilization case still missing.

Critical Questions

  1. Digital Sovereignty: Mission-critical infrastructure presumably relies on products from Broadcom (VMware) – a US corporation that unilaterally changed licensing terms after 2023. How is Swiss digital sovereignty ensured if platform components are controlled by foreign vendors? Which exit strategies have been evaluated?

  2. External Dependence: The NDP is being developed substantially by external vendors. The RZ Company and NDP Section are still "in training"; an operations concept "across all scenarios" is lacking. How realistic is autonomous operations without permanent dependence after project completion? What happens in a mobilization case?

  3. Technological Obsolescence: What was conceived in 2021, put into production in 2026, and to be fully deployed in 2030 – in an environment of rapid change (AI, post-quantum cryptography, software-defined networks). What mechanisms prevent the NDP from being technologically obsolete upon full operation?

  4. Evidence Base: The FAO rates BSP I as "ambitious, but feasible" – without reliable metrics on resource utilization, budget buffers, or historical accuracy of comparable VBS projects. How empirically grounded is this assessment?

  5. Conflicts of Interest in QRM: The first external quality and risk management provider was replaced. External suppliers are simultaneously involved in development and later operations. How is the independence of external QRM ensured?

  6. Contractual Safeguards: Repeated delays in Cubes endanger the final deadline. What mechanisms take effect in case of further delays? Who bears additional costs? What consequences for planned system replacements that according to the report are "essential" to meeting the deadline?

  7. Governance Transition as Risk Factor: Cyber Command plans to shift from classical HERMES to continuous Lean Portfolio Management. The FAO notes: "Necessary framework conditions are being developed." Will this governance transition itself become a risk factor at a time when NDP must be put into production?

Sources

Primary Source: FAO-25130 – Audit of the Key Project New Army Digitalization Platform

Supplementary Sources:

  1. FAO-23155 – Audit of the DTI Key Project RZ2020 ICT Architecture and Infrastructure (2024)
  2. FAO-21462 – Audit of the DTI Key Project Data Centers VBS/Federal 2020 (2023)
  3. Army Message 2023, BBl 2023 619
  4. HERMES Project Management Method, eCH-0054

Verification Status: ✓ 18.03.2026

This text was created with the support of an AI model. Editorial responsibility: clarus.news | Fact-checking: 18.03.2026