Switzerland Threatens Its Digital Privacy Reputation with Decree Requiring Surveillance, Identification, and Data Decryption


The new reform of the Swiss Federal Council requires digital services with more than 5,000 users to store metadata, identify users, and actively cooperate with authorities to decrypt communications. The impact extends to encrypted services like Proton and Threema and poses serious implications for the cloud and software ecosystem in Europe.

In a decision shaking the foundations of the European tech industry, the Swiss government, through the Federal Council and the Federal Department of Justice and Police (FDJP), has announced its intention to implement new digital surveillance measures by decree, bypassing Parliament. This move aims to radically transform the Swiss digital ecosystem by requiring online service providers to store data, identify users, and provide technical cooperation for decrypting communications.

Mandatory Metadata and the End of Anonymity

According to the draft reform of the Regulation on Postal Traffic and Telecommunications Surveillance (VÜPF), all digital services with more than 5,000 users will be required to store metadata for six months, including IP addresses, ports used, and connection dates. Additionally, they will be obliged to verify their users’ identity with an official document or at least a phone number. This effectively ends anonymous registration on cloud platforms, messaging services, email, or online collaborative tools.

Unlike previous legislation, this expansion of state control will not be put to a parliamentary vote but imposed through executive action, drawing severe criticism even within a country accustomed to direct democracy.

A Direct Threat to Encrypted Privacy

One of the most alarming aspects is the requirement that providers with “full or reduced obligations” be capable of removing any encryption they have implemented or managed. Article 50a of the new VÜPF states that these services must “capture and decrypt the telecommunications traffic of the surveilled persons at suitable points,” so that the data is delivered in plain text to authorities. Although end-to-end encryption between users would be excluded, this exception would not apply at the provider level, where potential backdoors would be enabled.

The immediate impact on cloud services, collaboration platforms, productivity tools, and DevSecOps solutions would be significant. Interoperability, data integrity, and legal security would be compromised in an environment where unauthorized access, even by the state, undermines basic guarantees of confidentiality and compliance.

Swiss Tech Ecosystem at Risk

Two of the main services affected by the measure are Threema and Proton Mail, both based in Switzerland and historically committed to privacy. These platforms have over a million users and annual revenues exceeding 100 million Swiss francs, placing them directly under the new regulation.

Andy Yen, CEO of Proton, has stated that he will not be able to comply with the new legal requirements “under any circumstances” and has suggested potentially relocating the company outside the country. Robin Simon, CEO of Threema, has warned that he is prepared to launch a public initiative to halt the advancement of the “surveillance state.”

In addition to these firms, cybersecurity startups, SaaS providers, and open-source projects would also be caught by the requirements, jeopardizing the continuity of emerging tech initiatives that chose Switzerland precisely for its protective legal environment.

Criticism from the Digital and Legal Sector

Organizations like Digitale Gesellschaft have described the reform as “a frontal assault on the rule of law and secure communication,” noting that cloud platforms, collaboration tools like Nextcloud, development platforms, and any service that allows sharing or editing documents online would be subject to these obligations. Even small businesses and nonprofit organizations would be required to deploy secure storage infrastructure and bear the costs of compliance.

From the legal sector, experts like Jonathan Messmer have warned that the new rule would allow authorities to make automated data requests every few seconds, creating real-time tracking of user activity, something unprecedented in the European cloud ecosystem.

Implications for European Digital Sovereignty

The measure comes at a particularly delicate time, with the European Union pushing initiatives like the Digital Services Act, the AI Act, and plans for a European sovereign cloud. The implementation of these new rules in Switzerland, a historically neutral country but deeply integrated into the European digital market, could undermine confidence in cloud infrastructures operating from Swiss territory.

For many analysts, the Swiss decree represents a legal regression that aligns the country more closely with surveillance models like those in the U.S. (Patriot Act, Cloud Act) or China, rather than with the principles of data minimization, privacy by design, and technological sovereignty promoted by the European GDPR.

A Chance for Cloud Giants?

Paradoxically, this regulatory tightening could strengthen large U.S. tech companies, such as Meta (WhatsApp), Google, or Microsoft, which might remain outside the reach of Swiss regulation since they do not operate from its jurisdiction. This would push Swiss users and businesses toward services over which the government has no direct legal control, further weakening the local ecosystem.

Conclusion: The Beginning of the End for Swiss Digital Sanctuary?

With decades of reputation as a safe destination for sensitive data, Switzerland now faces a technological, legal, and political crossroads. If this reform is approved, it will not only affect individual freedoms but also jeopardize an entire tech sector built on the values of privacy, innovation, and digital neutrality.

The debate has only just begun, but the implications are already global. The Swiss cloud, a symbol of trust for years, could cease to be so. And that is something that the rest of the European cloud ecosystem cannot afford to ignore.

Source: heise and Security News
