
Digital Sovereignty: Why Swiss SMEs Should Rethink Their Microsoft Dependency

10 June 2026 | 8 min read

The end of Windows 10 support is forcing SMEs to buy new hardware, licence costs keep rising, and the US CLOUD Act reaches Swiss data. Why vendor dependency is a security risk and which open source alternatives are realistic.

In October 2025, Microsoft ended support for Windows 10. Millions of perfectly functional devices have been cut off from security updates ever since, because they do not meet the hardware requirements of Windows 11. The options: buy new devices, subscribe to paid Extended Security Updates, or keep working unpatched. From a security perspective, the last one is not an option.

The episode reveals a structural problem that goes far beyond Windows: if you build your entire IT on a single vendor, you also adopt that vendor's roadmap, pricing policy and legal jurisdiction. That is exactly what digital sovereignty is about.

To be clear: this is not a call to cancel Microsoft tomorrow. A properly configured M365 tenant can be operated securely, and we verify this regularly in our assessments. But dependency is a risk. And risks need to be assessed.

When the Vendor Decides Your Hardware Is Obsolete

Windows 11 requires TPM 2.0 and recent processor generations. Devices that would easily handle office work for years to come are dropped from support as a result. Extended Security Updates cost businesses around 61 US dollars per device in the first year, and the price doubles every year after that. Paying buys time, not a solution. There is a third option that never even appears in many evaluations: Linux. Modern distributions such as Ubuntu LTS run smoothly on exactly the hardware Microsoft has written off, and receive five to ten years of security updates. For standard workstations running a browser, email and office documents, this has long been ready for everyday use. The real point, however, is strategic: whoever has a credible alternative negotiates with every vendor from a different position.

Your Data, Foreign Law: The US CLOUD Act Meets the nDSG

Microsoft operates data centres in Switzerland, and many SMEs deliberately choose the «Switzerland North» region. What gets lost in the process: the US CLOUD Act of 2018 obliges American providers to hand over data to US authorities, regardless of where it is stored. A server location in Zurich therefore offers only limited protection. For holders of professional secrecy such as lawyers or doctors, and for anyone processing sensitive personal data under the nDSG (Swiss Data Protection Act), this is a genuine conflict. May 2025 showed just how genuine: following US sanctions against the chief prosecutor of the International Criminal Court, his Microsoft email account was blocked, according to media reports. A political decision in Washington ended access to a mailbox in The Hague. The question for your SME is not whether this scenario will affect you. It is what it means that it is possible.

Concentration Risk: One Provider Fails, Everything Stops

On 29 October 2025, a faulty configuration in Azure Front Door took down Microsoft 365, Teams and countless dependent services for hours, barely a week after the major AWS outage. If you bundle email, telephony, file storage and identity management with the same provider, every incident becomes a total outage. Then there is the security dimension: in 2023, the Storm-0558 group used a stolen Microsoft signing key to access Exchange Online mailboxes, including those of US government agencies. In its investigation report, the Cyber Safety Review Board described a chain of avoidable errors and an inadequate security culture. Monocultures are as risky in IT as they are in agriculture: one weakness, everyone affected.

Open Source Has Grown Up

This is no longer a niche position. With the EMBAG, the Swiss federal government has committed since 2024 to releasing software it develops as open source. Schleswig-Holstein is migrating 30,000 government workstations to LibreOffice and Linux. And the EU now discusses sovereign cloud infrastructure not as a vision, but as a procurement criterion. For SMEs, a mature alternative exists today for almost every Microsoft building block: Nextcloud on Swiss servers instead of SharePoint and OneDrive, LibreOffice or OnlyOffice instead of Office, Proxmox instead of VMware, whose licence costs have multiplied for many customers since the Broadcom takeover. The security advantage: open code is auditable. You do not have to trust anyone, you can have it verified. We know this from our own practice: our SIEM runs on Wazuh, open source, with over 2,400 detection rules on Swiss infrastructure. Not out of ideology, but because we want to know what our stack is doing, and because our customers' logs should never leave Switzerland.

Staying Realistic: What Works and What Does Not (Yet)

A full migration is neither necessary nor sensible for most SMEs. Industry software often runs only on Windows, well-established Excel macros and Power BI reports cannot be replaced overnight, and an Active Directory environment is deeply interwoven with the rest of the infrastructure. Ignoring this produces failed projects and frustrated teams.

The realistic path is hybrid and gradual.

First: inventory your dependencies. Which business processes depend on which provider, and what would an outage or an exit cost?

Second: evaluate an open source option with every new procurement.

Third: start where the switch hurts least, such as file sharing, virtualisation or server workloads.

Fourth: define an exit strategy for your most critical services.

Sovereignty is not a switch, it is a spectrum. Every step improves your negotiating position and reduces your concentration risk.

Next Steps

Treat vendor dependency like any other security risk: identify, assess, reduce. An exit strategy is like a backup. You hope you never need it, but when you do, it is too late to create one. As part of our security audits, MilesGuard also analyses your vendor dependencies: we map which business processes depend on which providers, assess concentration and jurisdiction risks, and show you where open source alternatives are realistic for your SME and where you are better off staying with the status quo. Honest, technical and free of ideology.
