Swiss canton fires CISO in dispute over use of Microsoft cloud

Contents

The increasing use of cloud applications from the US software company Microsoft in Swiss federal and cantonal authorities, as well as municipal administrations and other official bodies, is generating growing resentment in Switzerland.

The dependence on a US company and the associated threat to digital sovereignty is frequently criticized. The Federal Administration itself stated in a press release in 2023: "In fact, the Federal Administration is now dependent on Office products from Microsoft." Critics also see various associated data protection risks, especially when processing personal data in the Microsoft cloud.

Criticism from politicians and data protectionists falls flat

This has now prompted the Green Party of the Canton of Lucerne to call for an immediate haltto the M365 project (short for Microsoft Office 365) in an urgent initiative. This is to be rolled out in the canton's administration over the course of this year. The investment costs are expected to amount to 5.8 million Swiss francs (approx. 6 million euros), with additional operating costs of almost 22 million Swiss francs (23 million euros) by 2029.

The data protection officer of the canton of Lucerne was not the only one to express considerable criticism of the project in his 2024 activity report. The cantonal court and internal experts had also warned against this step, the Greens wrote in a press release. According to the party, Lucerne should become more independent of US companies and examine open source solutions, as the Swiss Federal Court and other administrations in Europe are already doing.

The government had ignored previous criticism and even released an internal expert. In addition, the executive had refrained from evaluating alternatives to Microsoft.

The data protection officer warns of the loss of digital sovereignty due to dependence on Microsoft ("vendor lock-in") if the project is continued and states that it would seriously encroach on the fundamental right to informational self-determination.

According to media reports, the Lucerne government is defending the decision. The government council responded to a question from cantonal councillor Fabrizio Misticoni (Greens), stating that the data would only be stored on servers in Switzerland and processed within the EU. Nevertheless, data transfers to the USA cannot be completely ruled out. Despite the concerns, the cantonal government wants to stick with M365.

Cantonal CISO must go

However, the Lucerne cantonal government has not retained an internal critic of the M365 migration. The online magazine Republik reported that the canton's "Chief Information Security Officer (CISO) was let go at the beginning of June due to his concerns about the Microsoft 365 timetable".

The head of IT security had pointed out to the Lucerne cantonal government "that the canton had not yet done the necessary homework on IT security in relation to the Microsoft Cloud project, which in turn has been confirmed by various sources in the Republik". The CISO therefore put the brakes on. However, the cantonal government insisted on its timetable and instead, according to the Republic, the critic had to vacate his seat.

"To date, the responsible finance department has not provided any internal or public information about the personnel matter," writes the medium. The head of IT security himself could not be reached for comment, according to the magazine, while the cantonal government denied: "The departure has no connection with the introduction of Microsoft 365 at the canton of Lucerne".

M365 introduction: things are bubbling behind the scenes

Similar processes are also taking place in other cantons during the changeover to M365. Critics generally lack transparency, but above all an open discussion about an exit strategy. Vendor lock-in, digital sovereignty and self-determination are up for debate if you look at the US government's policy or US laws such as the Cloud Act.

However, awareness of the inherent problems is growing. The canton of Basel-Stadt also wants to introduce M365 services in its administration from fall 2025. The cantonal data protection officer spoke out against the decision and found political support: a cross-party group in the Basel-Stadt parliament is also opposing the planned use of M365. They are calling for a new legal basis for "whether and which personal data should be outsourced to clouds".

So it can be said: Wherever M365 is currently or will be introduced in Switzerland, there is plenty of need for debate, clarity and efforts to find alternatives. It's not just at cantonal level that things are boiling over, but also at federal level. At least the Federal Chancellery is trying to at least partially free itself from the Microsoft embrace, writes Republik.

The Federal Data Protection and Information Commissioner also demanded that the proportionality of a cloud-based federal solution be examined and that "alternatives that can be used in the medium term" be evaluated. This was already done last year in a "study on open source alternatives to Microsoft Services" – but in the meantime, the rollout of M365 at the federal government has already made great progress.

Since M365 was introduced to the first departments of the federal administration as part of a pilot project in summer 2024, the switch from old MS Office versions, which will soon no longer be supported, to Microsoft 365 is currently underway. M365 was rolled out to more than a third of the 40,000 workstations at the end of February. The rollout should be completed by the end of 2025.

(vbr)