Digital Sovereignty in Italy: Why Your CRM Choice Matters More Than Ever
We live in interesting times. Geopolitical tensions are rising, technological competition is fiercer than ever, and the concept of digital sovereignty has gone from a niche policy topic to something that keeps business leaders and government officials up at night. For Italy, this shift is particularly significant. As a key player in the European Union, Italy’s quest for digital autonomy isn’t just about ticking regulatory boxes. It’s about securing the country’s economic future and protecting the data of millions of citizens and businesses.
The Italian government has been championing initiatives to strengthen its digital infrastructure, and in doing so, it has started asking some uncomfortable questions about the country’s reliance on US-based cloud and CRM providers like Salesforce and Microsoft. This article takes a deep dive into what’s happening with digital sovereignty in Italy, why US hyperscalers pose real risks to your business, and how a Swiss sovereign alternative called InvestGlass might just be the answer you’ve been looking for.
What You’ll Learn
In this comprehensive guide, you’ll discover the critical factors shaping Italy’s digital future and how your choice of CRM and cloud provider can either expose your business to significant risks or position it for success in this new era of data sovereignty.
Here’s what we’ll cover:
•The current state of digital sovereignty in Italy and the key government initiatives driving the change, including the Polo Strategico Nazionale and the European Declaration on Digital Sovereignty
•The risks associated with using US-based CRM and cloud providers, including the far-reaching implications of the CLOUD Act
•Why Switzerland offers a unique advantage for data sovereignty and how InvestGlass leverages this to provide a secure and compliant CRM solution
•How InvestGlass stands as a powerful, sovereign alternative to Salesforce and Microsoft for Italian businesses seeking to protect their most valuable asset: their data
The Drive for Digital Sovereignty in Italy: A National Priority
Italy’s commitment to digital sovereignty isn’t just political rhetoric. It’s become a strategic pillar of the national agenda, and it’s been gaining serious momentum in recent years.
In November 2025, Italy joined other EU member states in signing the “Declaration for European Digital Sovereignty” in Berlin. This landmark document lays out Europe’s ambition to act autonomously in the digital sphere. It emphasises the importance of regulating technologies, data, and infrastructure in line with European laws and values, while still remaining open to collaboration with like-minded international partners.
Italian Innovation Undersecretary Alessio Butti put it clearly when he said that with this Declaration, “strongly supported by the Italian government,” Europe is making a statement. Digital sovereignty doesn’t mean closing off from the world. It means equipping ourselves with the tools needed to “choose our technological solutions autonomously, protect our most sensitive data and strengthen critical infrastructure.”
This is an important nuance. Digital sovereignty isn’t about building walls or becoming isolationist. It’s about making sure that Italy and Europe can make independent decisions about their digital future without being beholden to foreign powers or corporations.
The Polo Strategico Nazionale: Italy’s Cloud Backbone
At the heart of Italy’s strategy sits the Polo Strategico Nazionale, or PSN for short. You might also hear it called the National Strategic Hub. This ambitious initiative aims to create a secure, efficient, and reliable cloud infrastructure for the country’s public administration.
The goal is bold: have 75% of government offices leveraging cloud services by 2026. That’s a clear signal of the government’s intent to modernise its digital infrastructure and reduce its reliance on foreign providers. The PSN is backed by major Italian companies like TIM, Leonardo, and Cassa Depositi e Prestiti, which shows just how serious Italy is about building a sovereign cloud ecosystem.
The PSN represents a significant investment in Italy’s digital future. The European Investment Bank and other financial institutions are providing substantial funding to accelerate its development. By creating a national cloud infrastructure, Italy aims to ensure that the sensitive data of its public administration is stored and processed within its borders, under its own legal jurisdiction. This is a critical step in reducing the country’s dependence on foreign cloud providers and mitigating the risks associated with data being subject to foreign laws.
A Booming Market with Growing Awareness
The Italian cloud market is booming. It reached €8.1 billion in 2025, which represents a 20% increase from the previous year. This growth is being fuelled by increasing demand for digital services, the adoption of artificial intelligence, and a growing awareness of the importance of data sovereignty.
As Italian businesses and public sector organisations embrace digital transformation, the choice of their cloud and CRM providers becomes a critical decision with far-reaching implications.
But here’s the thing: this growth isn’t happening in a vacuum. It’s being driven by a fundamental shift in how Italian businesses and government agencies view their data. Data is no longer just a byproduct of business operations. It’s now recognised as a strategic asset that must be protected and managed with the utmost care. This shift in mindset is creating fertile ground for sovereign cloud and CRM solutions that prioritise data protection and compliance.
Key Areas of the European Digital Sovereignty Declaration
The Declaration for European Digital Sovereignty, which Italy has signed, outlines several key areas of focus that are directly relevant to businesses operating in the country.
These include:
•Data sovereignty: Protecting sensitive data from external interference and extra-EU regulations
•Strategic technologies: High-performance computing, semiconductors, next-generation communication networks, satellite infrastructure, quantum technologies, cybersecurity, cloud computing, and artificial intelligence
The declaration also recognises open source as a strategic asset, provided it meets high cybersecurity standards and can be complemented with reliable proprietary technologies. This is a significant acknowledgement of the role that open-source software can play in achieving digital sovereignty, as it allows for greater transparency and reduces dependence on single vendors.
The declaration also stresses the importance of the human factor, including digital skills and education, media and digital literacy, and research and talent attraction. It warns against disinformation, deepfakes, and cyberattacks, describing the protection of democracy and public trust as a priority.
The Hidden Risks of US Cloud Giants: A Threat to Italian Businesses
For years, US tech giants like Salesforce and Microsoft have dominated the CRM and cloud market in Europe, including Italy. Their platforms have become deeply embedded in the daily operations of countless businesses, from small startups to large enterprises.
But this dependence has created a significant and often underestimated vulnerability: the exposure of sensitive European data to US jurisdiction. The fundamental conflict between US surveillance laws and EU data protection regulations puts Italian companies in a precarious position, and it’s becoming increasingly untenable.
The CLOUD Act: A Legal Minefield
The US CLOUD Act (that’s the Clarifying Lawful Overseas Use of Data Act) is a prime example of this conflict. Enacted in 2018, this legislation allows US authorities to compel American cloud providers to hand over data, regardless of where that data is physically stored.
Let that sink in for a moment. Even if your company’s data is hosted on a server in Milan, Rome, or any other location within Italy, if it’s managed by a US-based company like Salesforce or Microsoft, it can be accessed by US law enforcement. This directly contradicts the principles of the General Data Protection Regulation (GDPR), which is designed to protect the data of EU citizens.
The implications are profound. US law can essentially reach across borders and override local data protection laws. For Italian businesses, this creates a significant compliance risk. If US authorities request data that’s protected under GDPR, the US cloud provider is caught in a legal bind: comply with the US request and potentially violate GDPR, or refuse the US request and face legal consequences in the US.
This isn’t a hypothetical scenario. It’s a real and present danger that businesses must take seriously.
Microsoft’s Admission: A Wake-Up Call
Here’s something that should give every European business pause. In a French court, Microsoft itself admitted that it could not guarantee that data would not be transmitted to the US government when legally required to do so.
This admission highlights the inherent conflict of interest that US cloud providers face when operating in Europe. They’re subject to US law, and when that law conflicts with European law, they’re ultimately bound to comply with US demands. This admission sent shockwaves through the European business community and served as a wake-up call for many organisations that had assumed their data was safe simply because it was stored on European soil.
Mark Boost, CEO of UK-based cloud provider Civo, put it perfectly: “You can put a data centre in Paris or London, but if the company is still governed by US law, the data ultimately sits under US jurisdiction.”
That statement encapsulates the core problem with relying on US cloud providers for data sovereignty. The physical location of the data is irrelevant if the company managing that data is subject to US law.
The Growing Chorus of Concern
The growing mistrust of US hyperscalers in Europe is palpable. Industry sources report that data sovereignty is now among the primary questions that salespeople at Microsoft, AWS, and Google receive when talking to European customers. This represents a significant shift in the market, as businesses are now actively seeking alternatives to US-dominated cloud services.
Frank Karlitschek, CEO and founder of Nextcloud, has branded Microsoft’s latest sovereignty efforts as “sovereignty washing.” He stated that “In Europe, sovereignty means the absence of strong dependencies on overseas third parties. The sovereign cloud from Microsoft does not deliver that.”
Thierry Carrez, general manager of the OpenInfra Foundation, echoed this sentiment, noting that “Right now the digital sovereignty concerns are at an all-time-high in Europe.” He added that while US hyperscalers are trying to find a mix of technical solutions and legal engineering to isolate their EU products from potential demands from the US government, “whether that mix will prove sufficient is unsure and untested.”
Operational Risks and Vendor Lock-In
The legal uncertainty is compounded by the operational risks of relying on a handful of US hyperscalers. Amazon, Microsoft, and Google together control nearly 70% of the European cloud market, giving them unmatched influence over how and where enterprise data is stored and processed. This concentration of power creates significant risks for European businesses.
Remember the AWS outage in October 2025? It disrupted public services across Europe and served as a stark reminder of the dangers of a single point of failure. When a small number of providers control such a large share of the market, any disruption to their services can have cascading effects across entire economies. This isn’t just a matter of inconvenience; it can have serious consequences for businesses that rely on these services for their daily operations.
And then there’s vendor lock-in. The long contracts, proprietary software, and ecosystem dependency that characterise relationships with US hyperscalers create significant barriers to switching. This weakens the negotiating leverage of European businesses and limits their ability to innovate and adapt. True sovereignty means not only legal compliance but also the freedom to choose and move between providers.
The Swiss Advantage: A Haven for Data Sovereignty
In the search for a truly sovereign and secure home for their data, Italian businesses are increasingly looking to Switzerland. Renowned for its political neutrality, robust legal framework, and unwavering commitment to privacy, Switzerland offers a unique and compelling proposition for data sovereignty.
The country’s Digital Switzerland Strategy 2025 and the proactive stance of its financial regulator, FINMA, have created an environment where data protection isn’t just a legal requirement but a core tenet of the business landscape.
Political Neutrality and Legal Independence
Switzerland’s strength lies in its independence. Unlike EU member states, it isn’t subject to the same level of political and economic pressures that can influence data-sharing agreements. Its long-standing tradition of neutrality provides a stable and predictable environment for businesses to operate, free from the geopolitical turmoil that can impact data stored in other jurisdictions.
This neutrality isn’t just a historical artefact. It’s a living principle that continues to guide Swiss policy in the digital age.
Swiss data protection laws are among the strictest in the world, providing a level of assurance that’s difficult to find elsewhere. The Swiss Federal Act on Data Protection (FADP) provides robust protections for personal data, and Switzerland has been recognised by the European Commission as providing an adequate level of data protection. This means that data can flow freely between Switzerland and the EU, while still benefiting from Switzerland’s strong legal protections.
FINMA and the Push for Local Solutions
FINMA, the Swiss financial regulator, is indirectly pushing for the usage of local IT solutions. By stating that banks must prove their resilience against cyberattacks, FINMA encourages financial institutions to use solutions from local players, as these solutions have been tested and can meet the stringent standards of FINMA. This regulatory pressure is creating a virtuous cycle, where Swiss technology companies are incentivised to develop world-class security solutions, and Swiss businesses are incentivised to adopt them.
This commitment to data sovereignty isn’t just a matter of national pride; it’s a key economic advantage. The World Economic Forum estimates that over 92% of all data is stored on servers owned by US-based companies. Switzerland’s independent stance becomes a powerful differentiator. It offers a genuine alternative to the US-dominated cloud market, providing a safe haven for businesses that refuse to compromise on the security and privacy of their data.
InvestGlass: The Swiss Sovereign Alternative for Italian Businesses
For Italian businesses seeking to navigate the complex landscape of digital sovereignty, InvestGlass emerges as a clear and compelling solution. As a 100% Swiss sovereign CRM and automation platform, InvestGlass is built on a foundation of privacy, security, and independence.
With the tagline “The Power of Automation. The Freedom of Sovereignty,” InvestGlass offers a comprehensive suite of tools that empower businesses to grow without compromising on their data sovereignty.
Freedom from US Jurisdiction
Unlike US-based providers, InvestGlass is not subject to the CLOUD Act or other US surveillance laws. This means that your data is protected by Switzerland’s stringent data protection laws, ensuring that it remains secure and private.
This is a fundamental difference that cannot be overstated. When you choose InvestGlass, you’re choosing to place your data under a legal framework that’s designed to protect it, not one that’s designed to facilitate access by foreign governments.
Flexible Hosting Options
InvestGlass offers a range of hosting options to meet the specific needs of your business, including a Swiss cloud hosting option and the ability to deploy the platform on-premise on your own servers. This flexibility allows you to maintain complete control over your data, ensuring that it stays within your chosen jurisdiction.
Whether you prefer the convenience of a managed cloud solution or the control of an on-premise deployment, InvestGlass can accommodate your requirements.
This is a critical advantage for businesses that are subject to strict regulatory requirements or that simply want to maintain the highest level of control over their data. With InvestGlass, you can choose to host your data in Switzerland, in Italy, or in any other location that meets your needs. You’re not locked into a single provider or a single jurisdiction.
A Complete Ecosystem
InvestGlass is more than just a CRM. It’s a complete ecosystem that combines digital onboarding, portfolio management, a client portal, and marketing automation in a single, integrated platform. This all-in-one solution streamlines your business processes, improves efficiency, and enhances the customer experience.
By consolidating multiple functions into a single platform, InvestGlass reduces complexity and eliminates the need for multiple integrations, saving you time and money.
With a strong focus on the financial services industry, InvestGlass is trusted by banks, asset managers, and other regulated institutions that demand the highest levels of security and compliance. As a preferred solution for many Swiss asset managers and with clients like Arab Bank, InvestGlass has a proven track record of delivering a secure and reliable platform for businesses that handle sensitive data.
Comparing InvestGlass to Salesforce and Microsoft
When evaluating CRM solutions, it’s essential to consider not just the features but also the underlying legal and operational framework. The following table provides a comparison of InvestGlass with Salesforce and Microsoft on key sovereignty-related factors:
| Feature | InvestGlass | Salesforce | Microsoft Dynamics |
| Headquarters | Switzerland | USA | USA |
| Subject to US CLOUD Act | No | Yes | Yes |
| Swiss Hosting Option | Yes | Limited | Limited |
| On-Premise Deployment | Yes | No | Limited |
| Data Sovereignty Guarantee | Yes | No | No |
| GDPR Compliant | Yes | Yes (with caveats) | Yes (with caveats) |
| Focus on Financial Services | Yes | Partial | Partial |
As this table illustrates, InvestGlass offers a clear advantage for businesses that prioritise data sovereignty. While Salesforce and Microsoft may offer some features to address European concerns, they’re fundamentally constrained by their US jurisdiction. InvestGlass, as a Swiss company, is not subject to these constraints and can offer a genuine guarantee of data sovereignty.
The Regulatory Landscape: NIS2, DORA, and the Compliance Imperative
The push for digital sovereignty in Italy isn’t happening in isolation. It’s being reinforced by a wave of new European regulations that are raising the bar for data protection and operational resilience. Two of the most significant are the Network and Information Security Directive 2 (NIS2) and the Digital Operational Resilience Act (DORA). These regulations are creating a new compliance imperative for Italian businesses, particularly those in the financial services sector.
NIS2: Expanding the Scope of Cybersecurity
NIS2 is a comprehensive update to the original Network and Information Security Directive, which was the first piece of EU-wide legislation on cybersecurity. NIS2 significantly expands the scope of the original directive, bringing a wider range of sectors and entities under its purview. It imposes stricter security requirements, including mandatory risk management measures and incident reporting obligations.
For Italian businesses, NIS2 means that cybersecurity is no longer optional. It’s a legal requirement.
The directive also places a greater emphasis on supply chain security, recognising that the security of an organisation is only as strong as its weakest link. This has significant implications for the choice of CRM and cloud providers. If your provider is subject to US jurisdiction and cannot guarantee the security of your data, you may be in breach of NIS2. Choosing a sovereign provider like InvestGlass, which is not subject to US law and offers robust security features, can help you meet your NIS2 obligations.
DORA: Building Operational Resilience in Finance
DORA is a regulation specifically targeted at the financial services sector. It aims to ensure that financial entities can withstand, respond to, and recover from all types of ICT-related disruptions and threats. DORA imposes strict requirements for ICT risk management, incident reporting, digital operational resilience testing, and the management of ICT third-party risk.
For Italian banks, insurance companies, and investment firms, DORA is a game-changer.
One of the key aspects of DORA is its focus on third-party risk management. Financial entities are required to conduct thorough due diligence on their ICT providers and to ensure that their contracts include appropriate provisions for data protection and security. This is particularly relevant for CRM providers, as they often handle sensitive customer data.
Choosing a provider that’s subject to US jurisdiction and cannot guarantee data sovereignty creates significant third-party risk under DORA. InvestGlass, with its Swiss jurisdiction and flexible hosting options, offers a compelling solution for financial entities seeking to comply with DORA.
The Italian AI Law: A Focus on Data Localisation
In addition to EU-wide regulations, Italy has also enacted its own legislation to address the challenges of the digital age. Law 132/2025, also known as the Italian AI Law, dedicates significant attention to defending digital sovereignty. The law promotes the localisation of data centres and cloud services in Italy, recognising the strategic importance of keeping sensitive data within national borders.
This is a clear signal from the Italian government that it’s serious about digital sovereignty and that it expects businesses to take appropriate measures to protect their data.
For Italian businesses, this regulatory landscape creates a clear imperative: choose your technology partners wisely. The days of simply selecting the biggest or most well-known provider are over. In the new era of digital sovereignty, compliance, security, and data protection must be at the forefront of every technology decision.
Making the Switch: A Practical Guide for Italian Businesses
For Italian businesses that are currently using Salesforce, Microsoft, or other US-based CRM providers, the prospect of switching to a sovereign alternative may seem daunting. But with careful planning and the right partner, the transition can be smooth and the benefits substantial.
Here’s a practical guide to help you navigate the process.
Step 1: Assess Your Current Situation
The first step is to conduct a thorough assessment of your current CRM and cloud infrastructure. This should include an inventory of all the data you’re storing, where it’s stored, and who has access to it. You should also review your contracts with your current providers to understand your obligations and any potential exit costs.
This assessment will give you a clear picture of your current exposure and help you identify the areas where you need to make changes.
Step 2: Define Your Requirements
Once you have a clear understanding of your current situation, you can begin to define your requirements for a new CRM provider. This should include not only the functional requirements (things like contact management, sales automation, and reporting) but also the non-functional requirements (data sovereignty, security, and compliance).
Be specific about your data residency requirements and ensure that any potential provider can meet them.
Step 3: Evaluate Sovereign Alternatives
With your requirements defined, you can begin to evaluate sovereign alternatives. InvestGlass should be at the top of your list, given its Swiss jurisdiction, flexible hosting options, and comprehensive feature set. But you should also consider other European providers to ensure you’re making the best decision for your business.
When evaluating providers, pay close attention to their data protection policies, their security certifications, and their track record with similar clients.
Step 4: Plan the Migration
Once you’ve selected a new provider, you need to plan the migration carefully. This should include a detailed timeline, a data migration strategy, and a training plan for your staff. Work closely with your new provider to ensure that the migration is executed smoothly and that there’s minimal disruption to your business operations.
InvestGlass offers dedicated support for migration projects, helping you move your data and processes to the new platform efficiently.
Step 5: Monitor and Optimise
After the migration is complete, it’s important to monitor the performance of your new CRM and to optimise your processes over time. Take advantage of the reporting and analytics features offered by InvestGlass to gain insights into your customer relationships and to identify areas for improvement.
Regularly review your data protection policies and ensure that you’re staying compliant with the evolving regulatory landscape.
Conclusion: The Future of Business is Sovereign
As Italy forges ahead with its digital sovereignty agenda, the choice of a CRM and cloud provider is no longer just a technical decision. It’s a strategic one. The risks associated with US-based hyperscalers are real and growing, and Italian businesses can no longer afford to ignore them.
The time has come to embrace a new generation of sovereign solutions that prioritise data protection, security, and independence.
InvestGlass stands at the forefront of this movement, offering a powerful and proven alternative to Salesforce and the US-dominated cloud market. With its Swiss roots, unwavering commitment to data sovereignty, and comprehensive suite of tools, InvestGlass is the ideal partner for Italian businesses that are serious about protecting their data and securing their digital future.
By choosing InvestGlass, you’re not just choosing a CRM. You’re choosing a partner that shares your values and is committed to your success in the new era of digital sovereignty.
Frequently Asked Questions (FAQs)
1. What is digital sovereignty and why is it important for Italy?
Digital sovereignty is the ability of a country to have control over its own digital infrastructure, data, and the legal framework that governs them. For Italy, it’s a strategic priority to ensure the security of its citizens’ and businesses’ data, reduce its dependence on foreign technology providers, and strengthen its position in the global digital economy. This is being driven by initiatives like the Polo Strategico Nazionale (PSN) and the pan-European push for digital autonomy, as articulated in the Declaration for European Digital Sovereignty signed in November 2025.
2. What are the main risks of using US-based CRM providers like Salesforce and Microsoft in Italy?
The primary risk is the exposure of your data to US jurisdiction through laws like the CLOUD Act. This allows US authorities to access data held by American companies, regardless of where it’s stored. This creates a direct conflict with the EU’s GDPR. There are also operational risks, such as service disruptions due to geopolitical issues, and vendor lock-in, which can limit your flexibility and negotiating power. The concentration of the market among a few US hyperscalers also creates systemic risks.
3. How does the US CLOUD Act affect my business in Italy?
If you use a US-based cloud or CRM provider, the CLOUD Act means your data can be legally accessed by US authorities, even if it’s stored on servers within Italy or the EU. This can lead to non-compliance with GDPR and other European data protection regulations, potentially resulting in significant fines and reputational damage. Microsoft has admitted in a French court that it cannot guarantee data will not be transmitted to the US government when legally required.
4. What is the Polo Strategico Nazionale (PSN) and how does it relate to digital sovereignty?
The Polo Strategico Nazionale is Italy’s National Strategic Hub, a secure cloud infrastructure designed for the country’s public administration. It’s a cornerstone of Italy’s digital sovereignty strategy, aiming to migrate a significant portion of government data and services to a trusted, national cloud environment, thereby reducing reliance on foreign providers. The goal is for 75% of government offices to use cloud services by 2026.
5. Why is Switzerland considered a good location for data sovereignty?
Switzerland’s long-standing political neutrality, strong data protection laws (which are among the strictest in the world), and its independence from the EU and US make it an ideal location for data sovereignty. It provides a stable and secure environment for data, free from the jurisdictional conflicts that affect other countries. The Swiss financial regulator, FINMA, also encourages the use of local IT solutions, further strengthening the ecosystem.
6. What is InvestGlass and how is it a sovereign alternative?
InvestGlass is a 100% Swiss-owned and operated company providing a comprehensive CRM, PMS, and client lifecycle management platform. Because it’s a Swiss company, it’s not subject to the US CLOUD Act. It offers flexible hosting options, including on Swiss servers or on-premise in your own country, giving you complete control over your data and ensuring compliance with data sovereignty requirements. It’s designed as a powerful alternative to Salesforce and Microsoft.
7. Can InvestGlass replace my existing Salesforce or Microsoft CRM?
Yes, InvestGlass is designed as a powerful and comprehensive alternative to Salesforce and Microsoft. It offers a full suite of features including digital onboarding, portfolio management, marketing automation, and a client portal. Many businesses are migrating to InvestGlass to enhance their data security and regain control over their data. The platform is designed to be flexible and scalable, making it suitable for businesses of all sizes.
8. What kind of businesses is InvestGlass suitable for?
While InvestGlass has a strong focus on the financial services industry, serving banks, wealth managers, and insurance companies, its flexible and scalable platform is suitable for any business that prioritises data sovereignty and security. This includes government agencies, healthcare providers, and any organisation handling sensitive client information. The platform can be customised to meet the specific needs of different industries.
9. Does using a Swiss company like InvestGlass guarantee GDPR compliance?
Using InvestGlass significantly simplifies GDPR compliance. By hosting your data in Switzerland or on-premise, you remove the conflict with the US CLOUD Act. InvestGlass’s platform is built with data protection by design and by default, providing the tools and framework to help you meet your GDPR obligations. However, ultimate responsibility for GDPR compliance remains with your organisation as the data controller.
10. How do I get started with InvestGlass?
You can explore the features of the platform and even start a free trial to see how it can fit your business needs. For a more in-depth understanding, you can book a demo with the InvestGlass team to discuss your specific requirements and learn how the platform can be tailored to your organisation. The team is based in Geneva and offers support across multiple time zones.