Digital Sovereignty in Portugal: Why Swiss Solutions Like InvestGlass Are the Future of Enterprise Technology
As Europe grapples with its dependence on American technology giants, Portugal finds itself at a critical juncture in its digital transformation journey. The nation’s heavy reliance on US cloud providers like Salesforce and Microsoft exposes it to significant legal, operational, and strategic risks. This comprehensive guide explores the state of digital sovereignty in Portugal, the inherent dangers of US tech dependency, and why Swiss sovereign solutions like InvestGlass represent the most secure path forward for Portuguese businesses and government institutions.
What You’ll Learn
•The current state of digital sovereignty in Portugal and the alarming statistics revealed by recent studies
•Why the US CLOUD Act creates an irreconcilable conflict with European data protection laws
•The specific risks Portuguese organisations face when using Salesforce and Microsoft solutions
•How the European Union is responding to the digital sovereignty crisis through initiatives like GAIA-X
•Why Switzerland offers a unique legal framework for data protection that no other jurisdiction can match
•How InvestGlass provides a comprehensive sovereign alternative to US CRM and business software
•Practical steps for Portuguese organisations to transition towards digital sovereignty
Understanding Digital Sovereignty: A Definition for the Modern Age
Digital sovereignty represents far more than a mere technical consideration; it constitutes a fundamental right of nations, governments, and organisations to exercise complete control over their data, digital infrastructure, technologies, and processes. This control must ensure autonomy, security, and compliance with national laws and values. The concept does not advocate for technological isolation but rather promotes strategic autonomy, security, and prosperity in the twenty-first century.
The relevance of digital sovereignty is underscored by three critical imperatives. First, national security demands protection against espionage and loss of confidential information. Second, the privacy of citizens requires strengthening individual control over personal data processing. Third, economic autonomy necessitates reducing dependence on large technological multinationals that may not have the best interests of European nations at heart.
In the Portuguese context, digital sovereignty takes on particular urgency as the nation accelerates its digital transformation while remaining heavily dependent on foreign technology infrastructure. The government’s ambitious plans to digitise public services must be balanced against the need to maintain control over sensitive citizen data and critical national infrastructure.
The Portuguese Digital Landscape: A Nation at a Crossroads
Portugal has emerged as one of Europe’s most dynamic digital economies. The country’s National Action Plan for the Digital Transition, approved in 2020, prioritises digital inclusion and training alongside the modernisation of public services. The appointment of Portugal’s first Chief Technology Officer and the ambitious goal of making 100% of public services available digitally by 2030 demonstrate the government’s commitment to digital transformation.
However, this rapid digitisation has exposed a troubling reality. A comprehensive study conducted by Art Resilia in November 2025 analysed a representative sample of Portuguese cyberspace, encompassing approximately 215,692 hosts exposed to the Internet and 129,747 domains under the .pt top-level domain. The findings regarding technological independence revealed a critical lack of national infrastructure that should concern every Portuguese citizen and business leader.
The 5% Problem: Portugal’s Infrastructure Deficit
The Art Resilia study uncovered a startling statistic: only 5% of the infrastructure supporting Portuguese digital assets is physically located within Portugal. This means that 95% of the nation’s digital infrastructure is subject to foreign legislation and influences. While 75% of assets are hosted within the European Union cyberspace, which is considered a “friendly control” environment due to the Portuguese legal framework being intimately linked to EU harmonisation, this still leaves significant exposure to non-EU jurisdictions.
The implications of this infrastructure deficit are profound. When data resides outside national borders, it becomes subject to the laws of the host country. For data stored on US cloud platforms, this means exposure to American surveillance laws, including the controversial CLOUD Act, which grants US authorities the power to compel access to data regardless of where it is physically stored.
A Glimmer of Hope: Email Services and Critical Infrastructure
Not all findings from the Art Resilia study were negative. Email services, which serve as vital platforms for knowledge sharing and procedural control, showed a more favourable trend, with 55% of email infrastructure associated with Portuguese data centres or cyberspace. Additionally, the study identified 65 organisations deemed digital critical infrastructures, including Internet Service Providers and data centres. The control over these critical digital infrastructures was characterised as the study’s most robust attribute, with the overwhelming majority of headquarters and shareholders located in Portugal or the EU.
These findings suggest that Portugal has the foundation upon which to build greater digital sovereignty, but significant work remains to be done in extending this control to the broader digital ecosystem.
The US Cloud Conundrum: Why Salesforce and Microsoft Pose Risks to Portuguese Organisations
The dominance of American technology companies in the European cloud market cannot be overstated. Amazon, Microsoft, and Google together control nearly 70% of the European cloud market, giving them unmatched influence over how and where enterprise data is stored and processed. For Portuguese organisations using platforms like Salesforce for customer relationship management or Microsoft 365 for productivity and collaboration, this dominance creates a web of legal, operational, and strategic risks that are often underestimated.
The CLOUD Act: A Legal Time Bomb
The Clarifying Lawful Overseas Use of Data Act, commonly known as the CLOUD Act, represents perhaps the most significant legal threat to European data sovereignty. Enacted in 2018, this US legislation allows American authorities to compel access to information held by American cloud providers irrespective of where in the world that data is housed. This extraterritorial reach means that data stored by a Portuguese bank on Salesforce’s servers in Frankfurt is still accessible to US law enforcement under the CLOUD Act.
The conflict between the CLOUD Act and the European Union’s General Data Protection Regulation (GDPR) is fundamental and irreconcilable. GDPR requires strict protection of personal data and prohibits transfers to jurisdictions without adequate data protection. The CLOUD Act, by contrast, asserts US jurisdiction over data regardless of location. This legal collision places European organisations in an impossible position: comply with US data requests and violate GDPR, or refuse US requests and face potential legal consequences in America.
Microsoft’s Admission: A Watershed Moment
In a French court proceeding that sent shockwaves through the European technology community, Microsoft admitted that it could not guarantee that data would not be transmitted to the US government when legally required to do so. This admission, reported by The Register in November 2025, laid bare the fundamental limitation of any sovereignty measures offered by US cloud providers. As Mark Boost, CEO of UK-based cloud provider Civo, observed: “You can put a data centre in Paris or London, but if the company is still governed by US law, the data ultimately sits under US jurisdiction.”
This reality has not been lost on European regulators. The €1.2 billion fine imposed on Meta in 2023 for unlawful transfers of EU user data to the United States demonstrated the willingness of European authorities to enforce data protection rules against even the largest American technology companies. For Portuguese organisations, the message is clear: reliance on US cloud providers carries significant regulatory risk.
Operational Risks: When Foreign Decisions Disrupt Domestic Operations
Beyond legal concerns, dependence on US vendors creates operational vulnerabilities that can disrupt business continuity. US companies can be forced to halt services or restrict access for political or legal reasons, with little recourse for affected customers. The October 2025 AWS outage, which disrupted public services across Europe, demonstrated how external decisions made thousands of miles away can impact domestic operations.
Microsoft’s suspension of email access for certain international organisations under government pressure highlighted another dimension of this risk. When critical business infrastructure depends on foreign providers, organisations surrender control over their operational continuity to forces beyond their influence or control.
Vendor Lock-in: The Hidden Cost of Convenience
Long-term contracts, proprietary software, and ecosystem dependency make it expensive for organisations to switch providers. This vendor lock-in effect weakens negotiating leverage and limits innovation. True sovereignty means not only legal compliance but also the freedom to choose and move between providers without prohibitive switching costs.
For Portuguese organisations that have built their operations around Salesforce or Microsoft ecosystems, the prospect of migration may seem daunting. However, the long-term risks of continued dependency increasingly outweigh the short-term costs of transition.
The European Response: Building a Sovereign Digital Future
Portugal’s concerns about digital sovereignty are shared across the European continent. The growing mistrust of US hyperscalers is palpable, with data sovereignty now among the primary questions salespeople at Microsoft, AWS, and Google receive when in conversation with European customers. This shift in sentiment has catalysed a continent-wide response to reclaim digital autonomy.
GAIA-X: Europe’s Answer to US Cloud Dominance
The GAIA-X initiative represents Europe’s most ambitious effort to create a federated, secure, and sovereign data infrastructure. The 2025 GAIA-X Summit, held in Porto, Portugal, marked a major milestone for Europe’s digital future with the formal release of new frameworks for trusted digital ecosystems. As Thierry Carrez, General Manager of the OpenInfra Foundation, noted: “Right now the digital sovereignty concerns are at an all-time-high in Europe.”
GAIA-X aims to turn trust into a tangible competitive advantage, making European digital sovereignty an industrial reality rather than a mere aspiration. The initiative provides a framework for European organisations to collaborate on data sharing while maintaining control over their information and complying with European values and regulations.
National Initiatives: From France to the Netherlands
Individual European nations are also taking action. France’s “Cloud de Confiance” initiative establishes strict criteria for sovereign cloud services, while Germany’s T-Systems Sovereign Cloud offers an alternative to US hyperscalers. The Dutch parliament has called for ditching US tech in favour of homegrown options, reflecting growing political will to address digital sovereignty concerns.
The EU’s forthcoming European Union Cybersecurity Certification Scheme (EUCS) will establish new standards for trusted infrastructure, providing organisations with clear criteria for evaluating the sovereignty credentials of cloud providers.
Market Response: The Rise of European Alternatives
The market is responding to this shift in sentiment. Search data shows that interest in “European alternatives” has risen by 660% year over year, particularly for queries like “EU Teams alternative,” “EU secure email,” and “AWS alternative Europe.” Chief Information Officers and procurement teams are no longer exploring sovereignty for optics; they are doing it for risk mitigation.
Why Switzerland Offers a Unique Advantage for Data Sovereignty
While European alternatives to US cloud providers are emerging, Switzerland occupies a unique position in the global data protection landscape. The country’s robust data protection measures, combined with its tradition of neutrality and privacy, make it an ideal jurisdiction for organisations seeking true digital sovereignty.
Swiss Data Protection: A Gold Standard
Switzerland’s Federal Act on Data Protection (FADP) provides comprehensive protection for personal data, with recent updates bringing it into alignment with GDPR while maintaining Switzerland’s distinctive approach to privacy. Unlike EU member states, Switzerland is not subject to EU-wide data sharing arrangements or the jurisdiction of EU institutions, providing an additional layer of independence.
Crucially, Switzerland is not subject to the US CLOUD Act. Data stored in Switzerland by Swiss companies cannot be compelled by US authorities without going through proper Swiss legal channels, which provide robust protections against foreign government access.
Neutrality and Stability: The Swiss Tradition
Switzerland’s centuries-long tradition of neutrality provides assurance that data stored in the country will not become a pawn in geopolitical disputes. The country’s political stability, strong rule of law, and independent judiciary further enhance its attractiveness as a jurisdiction for sensitive data.
For Portuguese organisations seeking to protect their data from foreign government access while maintaining compliance with European regulations, Switzerland offers the best of both worlds: a jurisdiction that respects European values and data protection principles while remaining independent of both US and EU political pressures.
InvestGlass: The Swiss Sovereign CRM Alternative
In this landscape of uncertainty and risk, InvestGlass emerges as a compelling solution for Portuguese businesses and government institutions seeking to safeguard their digital sovereignty. As an independent Swiss company headquartered in Geneva, InvestGlass operates under the robust data protection laws of Switzerland, ensuring that customer data is not subject to the US CLOUD Act or the jurisdiction of other foreign governments.
A Comprehensive Platform for Modern Business
InvestGlass is far more than a simple CRM system. It represents a complete digital suite that combines customer relationship management, portfolio management, digital onboarding, marketing automation, and client portal functionality in a single, integrated platform. This all-in-one approach eliminates the need for multiple disparate systems, reducing complexity, improving efficiency, and minimising the attack surface for potential security breaches.
The platform’s no-code/low-code interface empowers businesses to customise their workflows without requiring extensive technical expertise. From banking CRM requirements to insurance compliance workflows, InvestGlass can be tailored to meet the specific needs of any organisation.
True Data Sovereignty: Swiss Hosting and On-Premise Options
What truly sets InvestGlass apart from US competitors is its commitment to genuine data sovereignty. By default, all data is hosted in secure Swiss data centres, subject only to Swiss law. However, for organisations with the strictest data residency requirements, InvestGlass offers a full on-premise deployment option. This allows businesses to host the entire platform on their own servers, providing complete control over data and infrastructure.
This flexibility is a game-changer for industries where data sovereignty is not merely a preference but a legal and ethical imperative. Banks, insurance companies, government agencies, and healthcare organisations can all benefit from InvestGlass’s sovereign architecture.
Key Features for Portuguese Organisations
InvestGlass offers a comprehensive suite of features designed to meet the needs of modern Portuguese businesses:
Customer Relationship Management: A powerful CRM system that enables organisations to manage customer interactions, track sales pipelines, and build lasting relationships. The platform supports the complete customer lifecycle, from initial contact through ongoing engagement.
Portfolio Management System: For financial services organisations, InvestGlass provides sophisticated portfolio management capabilities, enabling advisers to monitor investments, generate reports, and ensure compliance with regulatory requirements.
Digital Onboarding: Streamlined onboarding workflows that automate KYC (Know Your Customer) processes, reducing friction for new customers while ensuring compliance with regulatory requirements. The platform supports identity verification, document collection, and risk assessment.
Marketing Automation: Integrated marketing tools that enable organisations to create, execute, and measure marketing campaigns. From email marketing to lead nurturing, InvestGlass provides the tools needed to engage customers effectively.
Client Portal: A secure portal that enables customers to access their information, submit requests, and communicate with their advisers. The portal enhances customer experience while reducing administrative burden.
Artificial Intelligence: InvestGlass incorporates AI capabilities to enhance productivity, automate routine tasks, and provide insights that help organisations make better decisions.
Operational Resilience: A Global Presence
InvestGlass SA operates throughout the world with teams in six locations, ensuring that customers receive support across time zones. This global presence, combined with robust service level agreements, provides the operational resilience that modern businesses require.
Comparing InvestGlass, Salesforce, and Microsoft: A Sovereignty Perspective
For Portuguese organisations evaluating their technology options, a direct comparison of InvestGlass with US alternatives illuminates the stark differences in sovereignty credentials.
| Criterion | InvestGlass | Salesforce | Microsoft Dynamics |
| Headquarters | Geneva, Switzerland | San Francisco, USA | Redmond, USA |
| Primary Jurisdiction | Swiss Law | US Law | US Law |
| Subject to US CLOUD Act | No | Yes | Yes |
| Default Data Location | Switzerland | US (with EU options) | US (with EU options) |
| On-Premise Deployment | Full platform available | Not available | Limited (Dynamics 365 on-premises) |
| GDPR Compliance | Full compliance, no jurisdictional conflict | Compliance efforts, but CLOUD Act conflict | Compliance efforts, but CLOUD Act conflict |
| Data Sovereignty Guarantee | Yes, through Swiss jurisdiction | Cannot guarantee (admitted in court) | Cannot guarantee (admitted in court) |
| Open API Architecture | Yes | Yes | Yes |
| All-in-One Platform | CRM + PMS + Onboarding + Portal + Marketing | CRM-focused, requires additional products | CRM-focused, requires additional products |
This comparison reveals that while Salesforce and Microsoft offer powerful platforms with extensive features, they cannot match InvestGlass’s sovereignty credentials. For Portuguese organisations where data protection is paramount, this difference is decisive.
The Path Forward: Implementing Digital Sovereignty in Portugal
Transitioning towards digital sovereignty requires a strategic approach that balances immediate operational needs with long-term security objectives. Portuguese organisations should consider the following steps:
Step 1: Conduct a Sovereignty Audit
Begin by mapping your current technology landscape to understand where your data resides and which jurisdictions have potential access. Identify systems that handle sensitive data, including customer information, financial records, and proprietary business data.
Step 2: Assess Risk Exposure
Evaluate the legal, operational, and reputational risks associated with your current technology providers. Consider the implications of the CLOUD Act, potential service disruptions, and vendor lock-in effects.
Step 3: Develop a Migration Strategy
Create a phased plan for transitioning critical systems to sovereign alternatives. Prioritise systems that handle the most sensitive data or pose the greatest risk exposure.
Step 4: Evaluate Sovereign Alternatives
Assess potential sovereign solutions against your requirements. Consider factors including functionality, scalability, support, and total cost of ownership alongside sovereignty credentials.
Step 5: Implement and Monitor
Execute your migration plan while maintaining business continuity. Establish monitoring processes to ensure ongoing compliance with data protection requirements.
The Business Case for Sovereignty: Beyond Compliance
While regulatory compliance provides a compelling rationale for digital sovereignty, the business case extends far beyond avoiding fines. Organisations that embrace sovereignty gain several strategic advantages:
Trust and Reputation: In an era of increasing data breaches and privacy scandals, organisations that can demonstrate genuine commitment to data protection build trust with customers, partners, and regulators.
Negotiating Power: By avoiding vendor lock-in with US hyperscalers, organisations retain the flexibility to negotiate better terms and switch providers when necessary.
Innovation Freedom: Sovereign solutions often provide greater customisation options, enabling organisations to innovate without constraints imposed by proprietary platforms.
Risk Mitigation: By removing exposure to foreign government access and potential service disruptions, organisations reduce their overall risk profile.
Alignment with European Values: As European institutions increasingly prioritise digital sovereignty, organisations that embrace sovereign solutions position themselves favourably for public sector contracts and partnerships.
Conclusion: Embracing Sovereignty for a Secure Digital Future
Portugal stands at a pivotal moment in its digital journey. The nation’s ambitious digitisation goals must be balanced against the imperative to maintain control over sensitive data and critical infrastructure. The current dependence on US cloud providers like Salesforce and Microsoft exposes Portuguese organisations to legal, operational, and strategic risks that cannot be adequately mitigated through contractual arrangements or technical measures alone.
The solution lies in embracing truly sovereign alternatives. InvestGlass, as a Swiss-based platform operating under robust Swiss data protection laws, offers Portuguese organisations a path to digital sovereignty without sacrificing functionality or innovation. Its comprehensive suite of CRM, portfolio management, digital onboarding, and marketing automation tools provides everything modern businesses need, all while ensuring that data remains under the control of its rightful owners.
As Europe continues to build its sovereign digital infrastructure through initiatives like GAIA-X, and as individual nations strengthen their data protection frameworks, the organisations that act now to secure their digital sovereignty will be best positioned for success. For Portuguese businesses and government institutions, the choice is clear: embrace sovereignty today to secure a prosperous and independent digital future.
Frequently Asked Questions (FAQs)
1. What is digital sovereignty and why does it matter for Portuguese businesses?
Digital sovereignty refers to the right of a nation or organisation to exercise complete control over its digital data, infrastructure, and technologies in accordance with its own laws and values. For Portuguese businesses, digital sovereignty matters because it protects against foreign government access to sensitive data, ensures compliance with European data protection regulations, and reduces operational risks associated with dependence on foreign technology providers.
2. How does the US CLOUD Act affect Portuguese organisations using Salesforce or Microsoft?
The US CLOUD Act allows American authorities to compel US technology companies to provide access to data regardless of where that data is physically stored. This means that even if a Portuguese organisation’s data is stored in an EU data centre, it remains accessible to US authorities if the provider is a US company. This creates a direct conflict with GDPR and exposes organisations to regulatory and legal risks.
3. What makes Switzerland a better jurisdiction for data protection than the United States?
Switzerland offers several advantages for data protection. It has robust data protection laws aligned with European standards, a long tradition of privacy and neutrality, and crucially, it is not subject to the US CLOUD Act. Data stored in Switzerland by Swiss companies cannot be compelled by US authorities without going through proper Swiss legal channels, which provide strong protections against foreign government access.
4. How does InvestGlass compare to Salesforce in terms of features?
InvestGlass offers a comprehensive all-in-one platform that includes CRM, portfolio management, digital onboarding, marketing automation, and client portal functionality. While Salesforce is primarily focused on CRM with additional products available separately, InvestGlass provides an integrated solution that reduces complexity and improves efficiency. Both platforms offer powerful features, but InvestGlass adds the crucial advantage of Swiss data sovereignty.
5. Can InvestGlass be deployed on-premise for maximum data control?
Yes, InvestGlass offers a full on-premise deployment option that allows organisations to host the entire platform on their own servers. This provides complete control over data and infrastructure, making it ideal for organisations with the strictest data residency requirements, such as banks, government agencies, and healthcare providers.
6. What industries are best suited for InvestGlass?
InvestGlass is designed for industries where data security and regulatory compliance are paramount. This includes retail and private banking, insurance, financial services, government, and any organisation that handles sensitive customer data. The platform’s flexibility and comprehensive feature set make it adaptable to a wide range of use cases.
7. What is GAIA-X and how does it relate to digital sovereignty in Portugal?
GAIA-X is a European initiative to create a federated, secure, and sovereign data infrastructure for Europe. The 2025 GAIA-X Summit was held in Porto, Portugal, highlighting the country’s engagement with European digital sovereignty efforts. GAIA-X provides a framework for European organisations to share data while maintaining control and compliance with European values and regulations.
8. How difficult is it to migrate from Salesforce or Microsoft to InvestGlass?
Migration complexity depends on the extent of customisation and integration in your current systems. InvestGlass offers open API architecture that facilitates data migration and integration with existing systems. The platform’s no-code/low-code interface also simplifies the process of recreating custom workflows. InvestGlass provides implementation support to help organisations transition smoothly.
9. What did the Art Resilia study reveal about Portugal’s digital sovereignty?
The Art Resilia study, published in November 2025, analysed approximately 215,692 hosts and 129,747 domains in Portuguese cyberspace. It revealed that only 5% of the infrastructure supporting Portuguese digital assets is located within Portugal, with the remainder subject to foreign legislation. The study also found that one-third of organisations analysed had security problems, highlighting the urgent need for improved digital sovereignty.
10. How can Portuguese organisations begin their journey towards digital sovereignty?
Organisations should start by conducting a sovereignty audit to understand where their data resides and which jurisdictions have potential access. This should be followed by a risk assessment, development of a migration strategy, evaluation of sovereign alternatives like InvestGlass, and phased implementation. The key is to prioritise systems handling the most sensitive data while maintaining business continuity throughout the transition.
Looking Ahead: The Future of Digital Sovereignty in Portugal
The trajectory of digital sovereignty in Portugal and across Europe points towards an increasingly sovereign future. Several trends are shaping this evolution and will influence how organisations approach their technology decisions in the coming years.
Regulatory Evolution
European regulators continue to strengthen data protection frameworks. The Digital Services Act, Digital Markets Act, and Data Governance Act are creating a comprehensive regulatory environment that prioritises European digital autonomy. Portuguese organisations that align with these frameworks now will be better positioned as regulations continue to evolve.
Technology Maturation
European and Swiss sovereign alternatives are rapidly maturing, offering functionality that increasingly matches or exceeds US competitors. Platforms like InvestGlass demonstrate that sovereignty need not come at the cost of capability. As these platforms continue to develop, the case for sovereign solutions becomes ever more compelling.
Geopolitical Considerations
The volatile geopolitical relationship between the United States and Europe, particularly following political changes in 2025, has heightened awareness of the risks associated with dependence on US technology. This awareness is driving both public policy and private sector decision-making towards sovereign alternatives.
Market Demand
The 660% year-over-year increase in searches for European alternatives reflects a fundamental shift in market demand. Organisations are actively seeking sovereign solutions, creating opportunities for providers like InvestGlass to expand their presence in markets like Portugal.
For Portuguese organisations, the message is clear: digital sovereignty is not a future concern but a present imperative. Those who act now to secure their digital independence will be best positioned to thrive in an increasingly complex and regulated digital landscape. InvestGlass stands ready to support Portuguese businesses and government institutions on this journey, offering the sovereign foundation upon which a secure digital future can be built.