Author: Federal Chancellery, Digital Transformation and ICT Management Division (DTI)
Source: bk.admin.ch – W012 Directives on Digital Sovereignty
Publication Date: December 10, 2025 (Effective Date: January 1, 2026)
Reading Time: approx. 8 minutes
Executive Summary
With the new directive W012, the Swiss Federal Administration commits to systematically reviewing and strengthening its digital sovereignty in all relevant IT projects. The ambitious regulatory framework establishes a two-dimensional analysis grid (8 technological levels × 6 key values) and makes digital independence a binding requirement. However, a critical cost-benefit analysis is lacking: whether the administrative overhead resulting from HERMES integration and documentation requirements is economically justified remains unanswered. An international comparative analysis also shows that Germany opts for more pragmatic, risk-based approaches.
Critical Guiding Questions on Digital Sovereignty
Freedom & Autonomy: Does W012's binding nature (MUST requirements) restrict project managers' agility in handling dependencies, or does it create genuine freedom of action through transparency?
Responsibility & Transparency: Who bears the financial responsibility for more expensive sovereignty measures (in-house development instead of cloud) when these costs are shifted to the state (and thus taxpayers)?
Evidence & Scalability: Is there empirical evidence that the 8-level system works in practice, or is there a risk of excessive bureaucratization without demonstrable security gains?
Economy & Efficiency: Is the cost-benefit ratio clarified – particularly for smaller projects that face significant documentation burdens due to HERMES checklist requirements?
Innovation & Competitiveness: Does the strong emphasis on independence lead to suboptimal solutions that cannot compete with global cloud providers, or does it promote technological self-reliance?
Scenario Analysis – Digital Policy Perspectives
| Time Horizon | Expected Development | Risks | Opportunities |
|---|---|---|---|
| Short-term (1 year) | Administrative transition phase; first implementation at milestones; resistance to HERMES overhead | Project delays due to additional review points; shortage of skilled professionals for assessments | Early risk detection in critical IT projects; avoidance of costly dependency traps |
| Medium-term (5 years) | Cultural change in federal administration; emergence of dual-sourcing strategies; stronger cooperation with cantons and research | Fragmentation instead of standardization; costs for redundancy solutions; brain drain to private sector | Strengthened critical infrastructures; knowledge building in public sector; reduced vendor lock-in |
| Long-term (10–20 years) | European sovereignty strategy could converge with Swiss approach; or isolation through overly strict independence goals | Technological lag; enormous lifecycle costs; security risks from unilateral approaches | Strategic technology autonomy; attractive jobs in critical sectors; geopolitical resilience |
Core Topic & Context Analysis
W012 regulates the systematic integration of digital sovereignty as a mandatory criterion in the Federal Administration. Sovereignty here means: control and capacity to act in the digital space to fulfill state tasks independently – without forced dependencies on individual vendors, proprietary systems, or critical infrastructure.
The regulatory framework is based on a matrix model:
- Vertical: 8 technological levels (from raw materials to legal systems)
- Horizontal: 6 key values (independence, costs, data protection, resilience, cooperation, innovation)
Goal: Systematic, traceable decisions on sovereignty already during project conception, not retroactively.
Key Facts & Figures
Scope of Applicability
- Binding on: Central Federal Administration (8 Departments + central authorities)
- Effective Date: January 1, 2026
- Retroactivity: Only new projects; ongoing projects optional
- Legal Basis: DigiV (Digitalization Ordinance), Art. 40
Implementation Mechanism
- Integration Point: HERMES project management system
- Review Requirement: Checklist items at every milestone
- Documentation: Mandatory; results must feed into decision-making processes
- Escalation: Strategically significant projects → Digital Council of the Confederation (DRB)
Level Model (Relevant Sphere of Action)
- Level 3: Communication infrastructure (broadband, mobile, satellite)
- Level 4: IT infrastructure (cloud, data centers, VMs)
- Level 5: Platform services (Kubernetes, Docker, analytics platforms)
- Level 6: Data spaces (registries, data exchange)
- Level 7: Software & SaaS (Office, specialized applications, AI frameworks)
- Level 8: Legal and value systems (e-identity, standards, trade agreements)
⚠️ Levels 0–2 (raw materials, components, basic supply) are intentionally excluded – falls outside the direct sphere of influence of the Federal Administration.
Key Values & Fields of Tension
| Overarching Key Values | Specific Key Values |
|---|---|
| Independence & Control | Resilience |
| Costs & Economic Efficiency | Data Protection & InfoSecurity |
| Cooperation & Standardization | |
| Innovation & Appropriateness |
Critical Note: The directive acknowledges that key values can conflict (e.g., independence vs. costs, innovation vs. security), but provides no criteria for prioritization.
Comparison with Germany: Pragmatic, Risk-Based
Germany (BSI Strategy, 2022–2025):
- Risk-based categorization instead of universal system
- Focus on critical systems (health, finance, infrastructure)
- Cloud checklists with prioritization matrices (not all projects treated equally)
- Close cooperation with EU sovereignty objectives (GAIA-X, digital Schrems II)
- Pragmatic hybrid model: cloud-first, but with sovereign-cloud exceptions
Switzerland (W012):
- Universal, systematic application to all ICT projects
- Mandatory documentation from study phase onward
- Stronger emphasis on independence as a value in itself (not merely risk-based)
- No explicit reference to international harmonization (EU, NATO)
Assessment: Germany saves administrative effort through prioritization; Switzerland has higher control intensity but also higher compliance burdens.
Stakeholders & Those Affected
Primarily Affected
- Project Managers & Commissioning Parties: Additional HERMES checklist items, documentation requirements, escalation risks
- IT Departments (CIO Networks): Pressure for in-house development instead of cloud standard solutions
- Digital Council of the Confederation: New governance function to assess strategic dependencies
Secondarily Affected
- Taxpayers: Potentially higher costs due to redundancies and in-house developments
- Software Manufacturers & Cloud Providers (Microsoft, AWS, Google, SAP): Limited market opportunities for federal projects; pressure for local data residency solutions
- Consulting Companies (Accenture, IBM, Sopra Steria): New market opportunities for sovereignty assessments
- Universities & Research Institutes: Potential partnership in in-house developments (GEVER-AI applications, open-source strategies)
Opportunities & Risks
| Opportunities | Risks |
|---|---|
| Early Risk Detection: Vendor lock-in scenarios are identified during the planning phase | Bureaucratic Burdens: Checklist requirements could lead to "box-ticking thinking" rather than genuine sovereignty |
| Cognitive Autonomy: Federal administration retains strategic understanding of critical systems | Cost Explosion: In-house developments and redundancies significantly more expensive than cloud standards |
| Value Creation in Public Sector: Incentives for skilled professionals in critical IT roles | Technological Lag: Open-source focus could disconnect from commercial innovations |
| Federal Cooperation: Cantons could adopt similar standards → national scaling | Governance Bottlenecks: DRB escalation could delay project approvals |
| Geopolitical Resilience: Independence from US/China-dominated platforms | Implementation Gaps: Small administrative units may lack assessment expertise |
Main Problem: Cost-Benefit Ratio Unclear
The Critical Economic Viability Question
The directive names economic viability as a key value (effort ↔ benefit) but does not define it operationally. Open questions:
How much effort is proportional?
- Does documentation for a small intranet portal cost as much as for a health registry?
- Are there thresholds or categorizations?
What is the measurable benefit?
- How do administrative units quantify "control capacity"?
- Are there KPIs for sovereignty?
Financial responsibility?
- Who pays for more expensive solutions (in-house development vs. cloud)?
- Are there additional IT budgets for sovereignty measures?
Finding: The directive shifts responsibility for technical assessment to project managers without clarifying central support or budget harmonization. → Risk of underinvestment (overly superficial documentation) or overinvestment (overly conservative solutions).
Actionable Relevance for Decision-Makers
What Should CIOs, Department Heads, and the Federal Council Monitor?
Implementation Audit (Q2 2026):
- How is W012 actually implemented? Are checklist items formal or genuine analysis?
- How much longer does a sourcing process take due to additional review points?
Cost Impact Analysis:
- Track additional costs from in-house operation vs. cloud standard in first 10–15 projects
- Benchmark: Comparison with German, Austrian, or Scandinavian approaches
Governance Test:
- Is the Digital Council of the Confederation overwhelmed by escalations?
- How clear are the criteria for "strategic significance"?
Skilled Workforce Reality:
- Can administrative units build assessment expertise or must they outsource?
- Brain drain risk: Exodus of IT professionals to private sector?
International Harmonization:
- How does Switzerland position itself relative to EU sovereignty initiatives (GAIA-X, Digital Markets Act)?
- Is harmonization necessary or is isolation a risk?
Quality Assurance & Evidence Review
- [x] Statements scientifically substantiated: The level model is based on acatech study (German Academy of Science and Engineering), is