Summary

The Federal Office of Public Health (BAG) wants to effectively exclude US cloud providers such as Microsoft, Google, and AWS from the "Swiss Health Data Space" (SwissHDS) project – to protect against the US Cloud Act. At the same time, the Insel Group, co-financed by the Canton of Bern, has been operating the American clinic information system Epic since March 2024 at a total cost of 228 million francs. The canton plans to make Epic the standard for all public hospitals. The central tension: A federal system in which the federal government demands sovereignty, while 26 cantons remain autonomous in IT procurement – and effectively order the opposite.

Persons

Topics

  • Digital Sovereignty Switzerland
  • US Cloud Act and Data Protection
  • Federalism and IT Procurement
  • Epic Licensing System
  • State Control Capability in Digital Space

Clarus Lead

Switzerland preaches sovereignty at the federal level – and practices technological dependency in the same breath. The BAG formulates WTO-compliant requirements, while the Federal Office of Buildings and Logistics (BBL) dismisses them as "inadmissible" before the tender even begins. The real problem: federal incoherence. As long as cantons can freely purchase Epic, Microsoft, and Broadcom for their core infrastructures, every federal sovereignty signal remains symbolic politics – distributed across 26 different versions.

Detailed Summary

The BAG project SwissHDS aims to create an interconnected data space for patient data between physicians and hospitals. In February 2026, the office issued a central requirement: "The entire SwissHDS infrastructure must be exclusively subject to Swiss law" – explicitly to exclude the US Cloud Act, the law that obliges US corporations worldwide to grant US authorities data access. This would have been a de facto veto against the three largest cloud providers.

However, the BBL is already rowing back. Procurement Chief Thierry Vauthey told "NZZ am Sonntag" that the published documents were not a WTO tender, but a "market survey." Critically: In the actual tender, a blanket exclusion of US companies would be contrary to international law – Switzerland is bound by the WTO Government Procurement Agreement (GPA) and is conducting parallel trade negotiations with the Trump administration.

On 12 December 2025, the Federal Chancellery issued binding guidelines for digital sovereignty for the first time – but only for the central federal administration. Cantons, municipalities, and public-law entities receive only "guidance." The "Strategy Digital Switzerland" 2026 has a blind spot: it is not federally binding.

The Insel Group, Switzerland's largest university hospital network and owned by the Canton of Bern, introduced Epic – an American clinic information system from Epic Systems Corporation of Verona, Wisconsin – on 2 March 2024. The costs: 182.5 million francs one-time, 45 million until 2032 for operations, total 228 million – compared to an initial tender of 83 million. External licensing and consulting costs alone amount to 101.6 million. The Grand Council rejected an investigation into these cost overruns on 2 March 2026 by a vote of 93 to 58.

Technically, Insel stores patient data on-premises on its own servers in Bern. The Bern Data Protection Officer Ueli Buri reviewed the system, demanded compensatory measures, and reduced open findings from 86 to 25. But the central question remains: Can Insel continue operating the system without Epic licenses, updates, and support from the US manufacturer? No. Matthias Stürmer, professor at the Bern University of Applied Sciences, diagnoses the fundamental problem: "In effect, the software was not purchased, but merely a usage right was acquired. The intellectual property remained with the provider."

Swiss competitor Cistec, with its KISIM system (in use in Fribourg and St. Gallen), makes a different promise: "All workstations are located in Switzerland, and health data is stored exclusively in Switzerland." The Canton of Bern rejected this approach.

In June 2025, the Bernese government council launched a draft "Digital Health Platform": all public listed hospitals in the canton should work with Epic. Development costs: eleven million francs. The Swiss Association for Digital Health (SVDG) and the IG eHealth warn of lock-in effects and monopoly power. They argue: "Under the Cloud Act, patient data could be subject to access by US authorities" – precisely the justification used by the BAG at the federal level to banish US providers. The University Hospital Zurich (USZ), the Children's Hospital Zurich, the Lucerne Cantonal Hospital, and the University Hospital Lausanne also rely on Epic. Berlin's Charité will follow from 2029 at a cost of 200 million euros.

The question of responsibility is fragmented: the federal administration follows binding guidelines; cantons have their own legislation and procurement procedures; cantonal hospitals procure autonomously; private hospitals are completely free. An "interdepartmental working group on digital sovereignty" at the federal level analyzes risks until 2027 – without enforcement power. The Federal Council itself defined in 2024: "Digital sovereignty means possessing the necessary control and action capability in the digital space as a state." This capability is fragmented.

Key Statements

  • The BAG demands US Cloud Act exclusion in SwissHDS; the BBL declares this WTO-illegal before the tender begins.
  • Insel Group invests 228 million in Epic, a US system whose continued operation depends on the manufacturer – not on local data storage.
  • The actual sovereignty test is missing: Can a system operate without the original manufacturer? For Epic, Microsoft, Broadcom: no.
  • Federal incoherence: The federal government makes sovereignty claims that its own WTO obligations do not permit – and cantons need not comply.
  • France has created a cross-departmental agency with enforcement power through DINUM; Switzerland has strategy, platform, and advisory board, but no binding coordination.

Critical Questions

1. Evidence/Data Quality: How transparent are the cost calculations of the Insel Group really? Were the 228 million francs subjected to independent validation, or is transparency based solely on a press release without an audit report?

2. Evidence/Source Validity: The BBL declares the sovereignty exclusion "not WTO-compliant" – but is there formal legal expertise, or is this an interpretation position? How much latitude does the GPA Agreement actually provide for security-related requirements?

3. Conflicts of Interest: What role do Epic sales contacts and consulting firms play in the Insel Group's and Canton of Bern's procurement decision? Were potential conflicts of interest disclosed?

4. Causality/Alternatives: The analysis claims Cistec made a sovereignty-compliant offer. Why was it specifically rejected – due to performance, costs, integration, or lobbying?

5. Causality: Can Bern Data Protection Officer Ueli Buri actually prevent Epic from releasing data under pressure from US authorities – or are his "compensatory measures" controls that would be meaningless in a Cloud Act emergency?

6. Feasibility/Risks: An "operational sovereignty test" with "escrowed source codes" and "qualified third-party operators" – how realistic is this as a standard for hundreds of cantons and municipalities? Which third-party operators qualify for Epic systems?

7. Feasibility: The constitutional amendment for Digital Government Switzerland is supposed to require "months" for consultation and "years" for enactment. How binding can standards be as long as this constitutional gap exists?

8. Side Effects/Enforcement: If the federal government creates a sovereignty mandate for cantons in the future – who monitors and sanctions violations? Are legal safeguards in place against cantonal free-riders?

Source Directory

Primary Source: BAG Prohibits, Bern Procures: How Federalism Devalues Switzerland's Sovereignty Claim – clarus.news, 12 May 2026

Supplementary Sources:

  1. NZZ am Sonntag: "No Deal for the Americans – Federal Government Faces Off Against US Tech Giants", 09.05.2026
  2. Berner Zeitung: "Grand Council Rejects Investigation into Insel IT Epic", 02.03.2026
  3. Federal Chancellery: "Guidelines for Digital Sovereignty in Federal Administration", 12.12.2025
  4. Federal Council: Report on Postulate 22.4411 Z'graggen "Digital Sovereignty of Switzerland"
  5. Federal Audit Office: Audit Report 23759 "Control of Digitalization Federal", November 2024

Verification Status: ✓ 12.05.2026

This text was created with the assistance of an AI model. Editorial responsibility: clarus.news | Fact-check: 12.05.2026