Switzerland Update: How to Deal with US Cloud Risks in the Age of Trump
06/05/2025
The first 100 days of Donald Trump’s US administration have already caused considerable uncertainty about where the US is heading. This also raises questions about the use of cloud services from US hyperscalers: Is the data still safe from the US authorities? And could the US government instrumentalize the cloud providers for its own purposes, given Europe’s dependence on them? We have expanded our standardized method for assessing the risk of foreign lawful access so that these questions can now also be assessed and mapped.
Review: In 2019, I was commissioned by a large Swiss bank to answer the question of what technical and organizational measures are necessary when using a US cloud in order to bring the residual risk of US government access down to a minimum acceptable for bank client confidentiality, based on laws such as the US CLOUD Act. I developed a statistical method with which the risk could be divided into 19 prerequisites and systematically addressed. In 2020, I published the method in the form of an Excel spreadsheet as open source (available here with an FAQ).
This approach became known in the media as the “Rosenthal Method” and is now considered the standard procedure for assessing the risk of foreign government access in Switzerland and beyond. Banks and other persons subject to professional secrecy use it, as do public bodies that want to use foreign cloud providers and are subject to special confidentiality obligations. The method is no longer used only in relation to the USA, but also to assess other legal systems. With the right measures, the probability of foreign authority access from the USA and some other countries with a comparable legal system can be reduced to a (theoretical) value of usually less than 1.5 percent over five years, as we know from numerous workshops. The issue thus seemed more or less “under control”, especially since the risk-based approach is now generally accepted.
Current fears regarding the US cloud
However, developments in the US since President Trump took office have once again raised fears that the security of using US hyperscalers may no longer be as good as assumed:
- It began with the news that Trump reportedly asked three Democratic members of the Privacy and Civil Liberties Oversight Board (PCLOB) to resign from office or fired them. This raised the question of whether the committee is still capable of acting (which it apparently affirmed for the time being). Among other things, it monitors the activities of the US intelligence services and also performs certain tasks within the framework of the CH-US/EU-US Data Privacy Framework (DPF), namely as a body to be consulted in the composition of the “DPF Court” and in assessing the effectiveness of the DPF (see here). Although the DPF does not necessarily depend on the PCLOB legally, voices have been raised in some places that the DPF is now endangered in its existence. So far, it continues unchanged and we currently do not see any efforts by the data protection authorities or the European Commission to overturn the DPF or the associated adequacy decision.
- Another fear is that the Trump administration may be tempted to access the data stored in the cloud by European organizations on pretextual grounds (allegedly serious crimes). There are hurdles to this if everything is done correctly, but those hurdles presuppose that the US authorities comply with US law and, if necessary, that the courts enforce it. In view of the developments of recent months with regard to the preservation of the rule of law and the separation of powers, however, doubts are growing among some, including as to whether the hyperscalers are willing to oppose such possible requests by the US government despite their contractual obligations. The spectrum of opinions here is broad. So far, there are no known cases of such access to data of legitimate European cloud customers or of violations of the hyperscalers’ contractual obligations in this regard.
- Finally, it is feared that the US could impose requirements on US-based hyperscalers in order to enforce its interests, requirements which are ultimately no longer acceptable to their customers in Europe, but to which those customers, given their dependency, have no alternative but to submit, or else to meet the associated political demands. Such requirements could be an obligation to store data or purchase services directly from the US (instead of Europe), or the punishment of certain countries or organizations by way of export controls or sanctions that affect cloud services. Although the contracts with the hyperscalers regularly contain provisions against foreign access by authorities, they also make the services subject to the proviso that providing them does not violate any applicable law. Here, the contracts offer a real gateway for such attacks by the US government. However, no such efforts are known so far.
Reaction of the hyperscalers
The US hyperscalers seem to have been caught on the wrong foot by the current developments in the USA. In any case, we had the impression that they, too, are at a loss as to how to deal with the new situation under the Trump administration. We know that they have been confronted with many inquiries on the subject, even if it seems that most customers just want to wait and see how things develop for the time being (see also below).
Last week, Microsoft was the first provider to take the plunge and tried to shore up the trust of its customers with a well-staged announcement of initial measures. This essentially consisted of three elements: the message that Europe is important for Microsoft and that it will therefore invest heavily in the expansion of its infrastructure, that Microsoft will defend itself against all access attempts in court, and that partnerships have been concluded so that the European cloud can continue to be operated independently of the parent company in an emergency. The first two points are nothing new in substance. Microsoft made it clear several years ago with a far-reaching “defend-your-data” clause that it would fight US government access to European data all the way to the highest court if necessary. Such a clause is now a standard requirement for cloud contracts (see also our model clause) and indeed plays a central role in the risk assessment. In certain contracts in the public sector, Microsoft’s contractual commitments go even further.
What was new was the announcement of a contingency plan: if Microsoft were successfully forced by legal means to discontinue its cloud services in Europe, partners in Europe should be able to continue operating them, with the source code of the cloud software stored safely in Switzerland for this case (we assume that Switzerland was chosen for legal reasons, among others, because it offers special legal provisions that protect against access by foreign authorities). In the future, this will also be recorded in customer contracts.
This announcement is undoubtedly a clever move, but it cannot hide the fact that there are more subtle threat scenarios and that even the emergency scenario would not be a long-term solution. Of course, we also don’t know the details of the emergency plan. Microsoft and Google have already offered “sovereign” cloud data centers operated by legally independent companies; Google even offers customers the option of operating such a cloud with its software themselves. However, independent operation is only the minor challenge. In the conceivable scenarios, the operation of the cloud as a whole would not necessarily be prohibited; rather, new restrictions could make it no longer acceptable. For example, certain features that protect against access by the US authorities might no longer be available outside the USA, or certain services might have to be provided from the USA.
Finally, the greater challenge is the further development of the software stack on which the cloud is operated: for security reasons alone, it must be constantly developed and otherwise maintained, which requires enormous know-how. If this know-how is only found in the USA, the dependence remains. The same applies to activities accompanying operation, such as the analysis of security threats. The question therefore arises as to whether, depending on developments in the USA, hyperscalers could sooner or later be forced to move their know-how out of the USA, should their business in the rest of the world otherwise be endangered. In any case, according to reports, Microsoft’s business outside the USA is already larger than its business in the USA. We should also remember that large companies usually do not act ideologically, but purely opportunistically: business comes first. This can have an impact on all sides. The US government would therefore be well advised to handle the hyperscalers with kid gloves. Of course, kid gloves have not been its strong point so far, and this brings us back to the topic of smoldering uncertainty.
Further development of our assessment method
Against this background, we have expanded the method to be able to map these uncertainties in the context of risk assessments and thus enable a clean assessment and documentation of the risks.
The method already covered the aspect of foreign lawful access. It is agnostic, i.e. not focused on a particular legal system and not dependent on how that legal system functions, i.e. whether the separation of powers is respected or the rule of law applies. In particular, it can also be used to assess the current situation in the USA, however one judges it on these points. So no adjustments to the method as such are necessary. However, it can only reflect a single state of affairs, or one overall assessment for the entire assessment period, and given the volatility of the current situation a single overall factual assessment may be insufficient or difficult to make. What the method also does not reflect are risks to business continuity arising from foreign legal developments. So far, this has been a subordinate issue in the perception of most users, at least in relation to the USA.
We have therefore supplemented the methodology in two respects: a scenario-based assessment and an assessment of business continuity risks. The extended Excel can be downloaded here at the previous address and is offered in German and English (see worksheet “Multi-Scenario …”). It is currently a draft for public comment. The sample values and entries shown in blue only illustrate how the worksheets can be filled out (even the scenarios included do not necessarily reflect our view or forecast); whoever uses the method should enter his or her own view of things.
New: Scenario-based assessment of foreign lawful access risk
The method now works with four scenarios of how the situation in the USA (or any other country) could develop during the assessment period, and assesses the probability on the basis of these four scenarios. These are described in a worksheet (we have provided four model scenarios for the USA 2025-2030, which can and should be adapted or adopted according to one’s own assessment).
- The first step is to assess the probability of each scenario occurring (together, these should add up to 100 percent).
- In a second step, the existing factors are assessed for each of these scenarios using the existing methodology. For example, today’s “pre-Trump” baseline can be transferred from an already existing assessment into the worksheet as the first scenario. It can then be assessed and recorded how the assessment is likely to change in the relevant points for the other three scenarios. Naturally, only those factors will change that depend on the political and legal situation in the USA or the country in question. These are shown in bold. Attention: for the value in No. 2.13, the inverted percentage is used for better comprehensibility, i.e. if the original method says 80%, 20% must be entered here. We have shortened the longer description from the original method; nothing changes in terms of content.
- From this set of four assessments, a third step calculates an average weighted by the probability of each scenario occurring, which serves as the final result. The familiar parameter, the number of years until there is a 50 or 90 percent probability of at least one case, is again calculated from it. The Government Council of the Canton of Zurich, for example, has stipulated that a new risk decision by the Government Council is only necessary if the value for the 90 percent threshold falls below 100 years, which corresponds to a probability of occurrence of about 10 percent over five years. However, everyone has to set their own boundaries.
The previous Excel is still used to calculate the concrete values (in Excel, the four worksheets that are used for this purpose are hidden). So nothing changes in the method.
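The three steps above reduce to a short calculation, shown here as an added worked example that is not the article’s Excel and reproduces none of its sheets. It assumes that each scenario yields, from the original method, a probability of at least one access over the five-year assessment period, and then weights those probabilities by the scenario probabilities and converts the result into the years-until-50/90-percent figures; the scenario labels and all numbers are constructed, and the last function checks the Canton of Zurich figure quoted above.

```python
"""Scenario-weighted estimate of the foreign-lawful-access probability.

Added worked example of the calculation described in the article (not the
article's spreadsheet). Assumption: each scenario's input is the probability
of at least one access over the assessment period, as the original method
reports it. Scenario labels and all numbers below are constructed.
"""
import math

ASSESSMENT_YEARS = 5

# Constructed scenarios: (label, P(scenario occurs), P(>=1 access in period | scenario)).
# Step 1: the scenario probabilities must add up to 100 percent.
# Step 2: the per-scenario access probability comes from re-running the
#         factors of the original method under the assumptions of that scenario.
SCENARIOS = [
    ("legal order as before", 0.40, 0.015),
    ("weakened judicial oversight", 0.35, 0.050),
    ("political pressure on European customers", 0.20, 0.150),
    ("court orders openly ignored", 0.05, 0.500),
]


def check_weights(scenarios, tol=1e-9):
    """Step 1 sanity check: scenario probabilities must sum to 1 (100 percent)."""
    total = sum(w for _, w, _ in scenarios)
    if abs(total - 1.0) > tol:
        raise ValueError(f"scenario probabilities sum to {total:.4f}, not 1.0")
    return total


def weighted_period_probability(scenarios):
    """Step 3: probability of at least one access over the period, weighted by
    the scenario probabilities. Since the scenarios are mutually exclusive, this
    is the law of total probability rather than a heuristic average."""
    check_weights(scenarios)
    return sum(w * p for _, w, p in scenarios)


def annual_probability(p_period, years=ASSESSMENT_YEARS):
    """Per-year probability equivalent to p_period over `years` years,
    assuming the same probability in every year."""
    return 1.0 - (1.0 - p_period) ** (1.0 / years)


def years_until(p_annual, threshold):
    """Years until the cumulative probability of at least one access reaches
    `threshold` (the method reports this for 50 and 90 percent)."""
    if not 0.0 < p_annual < 1.0:
        raise ValueError("annual probability must be strictly between 0 and 1")
    return math.log(1.0 - threshold) / math.log(1.0 - p_annual)


def probability_over(p_annual, years):
    """Cumulative probability of at least one access within `years` years."""
    return 1.0 - (1.0 - p_annual) ** years


def zurich_threshold_as_five_year_probability(years_at_90pct=100):
    """Translate the Canton of Zurich limit (90 percent reached no sooner than
    after 100 years) into a probability over the five-year assessment period."""
    p_annual = annual_probability(0.90, years=years_at_90pct)
    return probability_over(p_annual, ASSESSMENT_YEARS)


def assess(scenarios=SCENARIOS):
    """Run the three steps and return the figures an assessment would report."""
    p_period = weighted_period_probability(scenarios)
    p_year = annual_probability(p_period)
    return {
        "p_over_period": p_period,
        "p_per_year": p_year,
        "years_to_50pct": years_until(p_year, 0.50),
        "years_to_90pct": years_until(p_year, 0.90),
    }


if __name__ == "__main__":
    for key, value in assess().items():
        print(f"{key:>16}: {value:.4f}")
    print(f"Zurich 90%/100-year limit as 5-year probability: "
          f"{zurich_threshold_as_five_year_probability():.3f}")
```

With the constructed inputs the weighted five-year probability is 7.85 percent, and the 90 percent mark is reached after roughly 141 years, so this example would stay above the Zurich threshold of 100 years.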
New: Assessment of business continuity risks
The method now also makes it possible to assess the business continuity risk, i.e. the possibility that, due to developments in the USA, the cloud service under discussion is not or no longer available in the required way and can therefore no longer be used. Of course, this risk is not new, and we have regularly dealt with it in our cloud consulting for public and private bodies: cloud services or important aspects of them (e.g. storage in Switzerland or certain functions) can be discontinued or changed more or less abruptly if this becomes legally required, or services can fall victim to technical failures or cyberattacks.
In the eyes of some, there is an increased risk that the US government will use Europe’s dependence on US hyperscalers for political purposes or otherwise take measures that call into question the continued use of hyperscalers. Whether and how likely such developments are is something everyone has to judge for themselves. A resistance by European governments is also conceivable. The same applies to precautions taken by the cloud providers themselves, such as those of Microsoft described above. These additional risks and countermeasures due to the political situation in the USA can now also be assessed:
- The first step is to state what the consequences would be if an organization had to give up cloud use in the short term, which depends on whether it has a “plan B”. Every organization should have already made this assessment as part of its cloud risk management. However, we see in our consultations that many projects are weak on this point. For example, when using M365, we recommend an emergency concept that provides for at least emergency operation of corresponding functions outside the cloud and backups that also do not take place in the cloud (see also below).
- In a second step, it is assessed which other circumstances, not yet assessed, could arise that could hinder or prevent the continuation of the cloud solution, for example the US government using access to these services as a means of exerting pressure to enforce political demands in another area. Here, the probability of these circumstances occurring is assessed for all four scenarios.
- In a third step, possible countermeasures can be assessed, such as the EU forcing hyperscalers to structure their operations in Europe in such a way that they are independent of the USA, or the hyperscalers decoupling their European business from the USA. Here, too, it can be assessed for all four scenarios how likely it is that such a measure will be taken and will actually be effective. This probability is then offset against the probabilities from the second step.
- Finally, an overall risk per scenario is calculated on the basis of the results from all three steps, which in turn is used to calculate and report a weighted average risk. In contrast to the assessment of authority access, where only the probability of occurrence is assessed (on the principle that each access represents the maximum degree of severity), in the case of business continuity the risk (severity level x probability of occurrence) is actually calculated, on a 4 x 4 risk matrix.
Here, too, we have entered sample values. Each body must assess the probabilities itself. The sample values are for illustration purposes.
How the market views the current situation
We have already received various inquiries about how organizations should deal with the political uncertainties and developments in the USA with regard to their cloud projects with US hyperscalers. These show that the level of suffering in the private sector seems to be much lower than in public administration. This is not surprising: if the state goes to the cloud, topics such as “digital sovereignty” and the US CLOUD Act play a greater role in the minds of commentators, politicians and data protection authorities than when a bank, an industrial company or a trading company does the same for itself. It is hardly disputed that developments in the USA increase the risk of cloud deployment. However, opinions differ on whether this increase is significant enough to make changes necessary. In many cases, the public discussion is also polemical and emotional. This is not surprising; even the earlier dispute about the risk of access under the US CLOUD Act was unobjective for long stretches and was based on incorrect assumptions about the legal situation. This is unfortunate, because in relation to the current situation in the USA there are relevant questions that we should actually deal with:
- For example, it is (still) not true that the US CLOUD Act provides US authorities with free access to data stored in the cloud. It is true, however, that protection against such access is based, among other things, on applicable US law and depends on the authorities and courts complying with it, or at least the courts doing so. Protection therefore requires a functioning separation of powers. Against this background, the Trump administration’s efforts to undermine it are relevant for risk assessment. We do not know how the situation in the USA will develop, but anyone who wants to carry out a risk assessment conscientiously today must take these uncertainties into account. This can be done with both the previous and the extended method; the latter makes it possible in particular to take into account how the situation in the United States might change in the next few years, since this, rather than the situation today, is precisely what many observers are particularly concerned about. In the new scenarios, not only the reliability of the legal arguments against lawful access can be assessed, but also the question of whether the US government has an increased interest in actual access to European cloud data or even in an expansion of foreign mass surveillance. In our opinion, there are doubts about both, even if Donald Trump is not known to be particularly squeamish when it comes to actions against others. However, it should be borne in mind that US law gives him much more convenient and effective means to put pressure on Europe, for example in the area of the cloud, should he want to do so (see below). For example, we do not see any motives or signs for an expansion of cable surveillance abroad. Likewise, we do not see why the Trump administration should have an increased interest in obtaining the data on the mail server of a canton, a compensation office or the federal government, for example, through legal channels via the providers. That simply does not fit his profile.
- The cloud contracts with Microsoft, AWS and Google are usually concluded by European companies with the European subsidiaries of the three hyperscalers. It seems unlikely to us and to most of the customers we talk to that they will stop or restrict their service provision to European companies due to political developments in the USA. However, it has become conceivable that the Trump administration will, for some reason, also conclude in the area of cloud services that the European dependence on such services can be used to enforce factually unrelated claims against individual states or industries. But here, too, a sober consideration is necessary: if cloud users of a country were actually taken “hostage” by the Trump administration, for example for the purposes of a trade war, what would that mean for the individual users? Should they forego the cloud as a precaution because of such a risk? Or does the opportunistic calculation come out completely differently: if it is estimated that half to three quarters of all mail servers already run on Microsoft software today and will then also be in the cloud, Microsoft is “too big to fail” in this respect. Would access to this resource really be threatened if customers took the position that it is up to the state to protect them, according to the principle that “the ransom never pays the hostage”? Of course, this way of thinking can be described as irresponsible. In fact, however, we have the impression that this is what it boils down to. Hardly anyone will be able to blame the individual, average customer who chooses M365 like “everyone else”, because from his point of view it will often be the easiest way to meet his needs. This may also explain why hardly any customers think about the scenario of a world without Exchange Online, to take one example. The path of the herd is chosen, and trusting in the protection of the herd is not entirely wrong for many private and public bodies from a purely opportunistic point of view. For this reason, our method provides that this reality, which in our experience exists, can also be depicted, in whatever way each user wants to do so for his or her case. Another question is whether the state sees a need for regulatory action, as it does elsewhere where there are “too big to fail” risks. The argument that there is competition among the three major cloud providers does not solve all problems, given that they are all US-based. However, we do not have the impression that the level of suffering is currently high enough for the state to see a need to intervene here.
- The public repeatedly refers to open source alternatives to the offerings of the major cloud providers; for public administration, the example of Schleswig-Holstein is regularly cited, but in Switzerland the Federal Supreme Court should also be mentioned. However, we have the impression that there has been little or no interest on the customer side so far in withdrawing from the cloud, especially from M365. Behind closed doors, even various self-confessed open source advocates we talked to did not believe that public authorities using M365, or planning to introduce it, would say goodbye to the cloud in the short or medium term. The situation in the USA has not changed this so far and is unlikely to change anything anytime soon, unless more dramatic developments arise. However, the US developments are causing two things: First, there is a growing need to assess the uncertainties created by the developments in the USA objectively, not emotionally. This has already been one of the main reasons for using our method. Secondly, more and more public authorities are realising that, in addition to the issue of lawful access from abroad, ensuring business continuity is just as important, if not more so. Especially in the circles of the data protection authorities, this aspect has been lost due to a sometimes blind focus on foreign lawful access; we have pointed this out again and again. In practical terms, this means that public and private entities alike should not make the journey to the cloud without a “Plan B” or even a “Plan C”. On the one hand, this must include a backup of all data outside the cloud and, on the other hand, a way to offer the basic functions of M365, for example, even if the cloud is no longer available as required in the medium or long term for any reason (which need not have anything to do with Trump). This should be possible with reasonable effort, especially for mail and file server applications, even if such emergency solutions will not come close to the convenience of today’s solutions, according to some. The crux of such emergency solutions is not the software, but the provision of the necessary computing capacity and the creation of an emergency migration plan; in Switzerland, the federal government’s plan for a Swiss Government Cloud (which is also to be available to cantons and municipalities) and data centers from Swiss providers, which certainly exist, are particularly suitable for public authorities. Of course, the provision of computing capacity costs something. In our method, such business continuity measures can be mapped in the first block; the organization-specific business continuity risks are assessed and documented there. We regularly had this topic assessed in our Cloud Compliance and Risk Assessment “CCRA” in the cloud projects in which we have advised and continue to advise (see box). In practice, we saw much more need for action here than with the risk of foreign authority access.
In summary, we recommend that anyone using US cloud offerings, especially in public administration, deal with the possible effects of political developments in the USA, evaluate them and document them accordingly. In most cases, this will not result in any changes in the procedure, at least for the moment, provided there is a “plan B”; but then the homework has been done. The effort is ultimately limited. In practice, workshops are suitable for this purpose, as before, in which the various internal stakeholders develop a joint assessment of the questions that arise and record it. The decision as to whether the cloud services of a US company are used for the first time or continue to be used lies solely with the respective body. In particular, it is not to be made by the data protection authorities; naturally, they will always warn. Public authorities that have done their homework properly, consider the risks to be bearable and accept them in good faith should not be intimidated by this and should have the courage to implement their plans accordingly.
By David Rosenthal, Vischer, Switzerland, a Transatlantic Law International Affiliated Firm.
For further information or for any assistance please contact switzerland@transatlanticlaw.com
Disclaimer: Transatlantic Law International Limited is a UK registered limited liability company providing international business and legal solutions through its own resources and the expertise of over 105 affiliated independent law firms in over 95 countries worldwide. This article is for background information only and provided in the context of the applicable law when published and does not constitute legal advice and cannot be relied on as such for any matter. Legal advice may be provided subject to the retention of Transatlantic Law International Limited’s services and its governing terms and conditions of service. Transatlantic Law International Limited, based at 84 Brook Street, London W1K 5EH, United Kingdom, is registered with Companies House, Reg Nr. 361484, with its registered address at 83 Cambridge Street, London SW1V 4PS, United Kingdom.