Digital Sovereignty in Belgium: Why Your Business Needs a Swiss Alternative to the US Cloud Giants
In an era of escalating geopolitical tensions and increasingly stringent data protection regulations, the concept of digital sovereignty has transitioned from a niche concern to a critical boardroom issue for businesses across Belgium. The nation’s leaders are sounding the alarm: Europe has “effectively lost the internet” to American tech giants, creating a precarious dependence that exposes sensitive data to foreign jurisdictions. For Belgian companies utilising platforms like Salesforce and Microsoft, this raises an urgent question: is your data truly safe?
This comprehensive guide explores the burgeoning digital sovereignty movement in Belgium, examines the regulatory landscape that is reshaping how businesses must think about data protection, and presents a compelling case for why a Swiss sovereign solution like InvestGlass is not just an alternative, but a strategic necessity for forward-thinking organisations.
What you’ll learn in this article:
• The key drivers behind the push for digital sovereignty in Belgium
• How the US CLOUD Act directly conflicts with GDPR and impacts your data
• Why “sovereign cloud” offerings from US tech giants are not truly sovereign
• The comprehensive features and benefits of InvestGlass as a Swiss sovereign alternative
• How to make a strategic choice to protect your business and ensure compliance with NIS2, DORA, and GDPR
The Sovereignty Imperative: Belgium’s Wake-Up Call
The call for greater digital autonomy is resonating through the corridors of power in both Brussels and across the European Union. In early January 2026, Miguel De Bruycker, the Director of Belgium’s Centre for Cybersecurity, delivered a stark and sobering warning to the Financial Times. He declared that European digital sovereignty is a “failing concept” and that the continent has “effectively lost the internet” due to its overwhelming reliance on American technology for its digital infrastructure.
This dependency, De Bruycker argued, leaves the European Union vulnerable to geopolitical pressures and legal overreach from foreign governments. The timing of his comments was particularly poignant, coming shortly after US visa bans were imposed on EU officials—a move which Brussels lacked the leverage to effectively counter, precisely because of its technological dependence on American companies.
De Bruycker’s assessment was unequivocal: true data sovereignty is “currently impossible” for European organisations using US-based cloud providers. He called for a coordinated, “Airbus-like” European initiative to build competitive, sovereign digital infrastructure, rather than merely attempting to constrain American hyperscalers through regulation. This sentiment reflects a growing consensus among European policymakers and business leaders that the status quo is untenable.
The Regulatory Landscape: A Trifecta of Compliance Obligations
This call for sovereignty is underpinned by a robust and rapidly evolving regulatory landscape. Belgian businesses are now navigating a complex web of stringent data protection and cybersecurity regulations that collectively raise the stakes for compliance to unprecedented levels. Understanding these regulations is essential for any organisation seeking to protect its data and avoid significant penalties.
The General Data Protection Regulation (GDPR) remains the cornerstone of EU data protection. Enacted in 2018, it imposes strict rules on the processing, storage, and transfer of personal data belonging to EU citizens. The regulation grants individuals significant rights over their data, including the right to access, rectification, erasure, and data portability. For businesses, GDPR mandates robust security measures, data breach notification within 72 hours, and the appointment of Data Protection Officers in certain circumstances. Crucially, GDPR restricts the transfer of personal data to countries outside the EU/EEA that do not provide an “adequate” level of data protection—a provision that sits at the heart of the conflict with US law.
The Network and Information Security Directive 2 (NIS2) represents a dramatic expansion of cybersecurity obligations in Belgium and across the EU. The Belgian transposition of NIS2, known as the Law of 26 April 2024 (or NIS2-wet/loi NIS2), entered into force in October 2024 and is being actively enforced by the Centre for Cybersecurity Belgium (CCB). This is not a minor update; it is a complete overhaul of the country’s cybersecurity governance framework.
The scope of NIS2 is vast. Where the previous NIS-1 Act covered approximately 1,000 operators, the new law now encompasses an estimated 10,000 to 12,000 entities across 18 critical sectors. This includes not only traditional critical infrastructure like energy and transport but also medium-sized manufacturers, large municipalities, and, crucially, all providers of cloud computing, telecommunications, DNS, and trust services, regardless of their size.
The requirements under NIS2 are rigorous. Organisations must implement comprehensive cybersecurity risk management measures, report significant incidents to the CCB within 24 hours (with follow-up reports at 72 hours and 30 days), and manage supply chain risks effectively. Perhaps most significantly, NIS2 places direct liability on senior management. Directors are required to formally approve and monitor their organisation’s cybersecurity programmes, and repeated negligence can trigger a three-year management ban. Fines for non-compliance can reach up to €10 million or 2% of global annual turnover for Essential Entities.
The Digital Operational Resilience Act (DORA) specifically targets the financial sector, establishing a comprehensive framework to manage Information and Communication Technology (ICT) risk. DORA requires financial entities—including banks, insurance companies, investment firms, and payment service providers—to ensure they can withstand, respond to, and recover from all types of ICT-related disruptions and threats. This includes stringent requirements for ICT risk management, incident reporting, digital operational resilience testing (including threat-led penetration testing), and the management of ICT third-party risk. For Belgian financial institutions, DORA creates an additional layer of compliance that intersects with and reinforces the requirements of NIS2.
These three regulations—GDPR, NIS2, and DORA—collectively create a powerful incentive for Belgian companies to scrutinise their technology stack and prioritise solutions that offer genuine data sovereignty. The aggressive enforcement mechanisms, the personal liability clauses, and the sheer scale of potential fines make it clear that compliance is no longer optional; it is a fundamental business imperative.
The Elephant in the Data Centre: The US CLOUD Act
While the European regulatory framework is designed to protect data, a significant threat to the digital sovereignty of Belgian businesses comes from across the Atlantic. The Clarifying Lawful Overseas Use of Data (CLOUD) Act, passed by the US Congress in 2018, is the single most significant obstacle to achieving true data sovereignty for any organisation using US-based cloud services.
The CLOUD Act grants American law enforcement agencies the authority to compel US-based technology companies to provide requested data, regardless of where that data is physically stored. This extraterritorial reach is the crux of the problem. It means that even if your company’s data resides in a data centre in Dublin, Frankfurt, or Amsterdam, it remains subject to US jurisdiction if your cloud provider is a US company. Microsoft, Salesforce, Amazon Web Services (AWS), and Google Cloud Platform (GCP) are all subject to the CLOUD Act.
A Direct Conflict with GDPR
The CLOUD Act creates a direct and, in many legal opinions, irreconcilable conflict with the GDPR. Article 48 of the GDPR explicitly states that any judgment of a court or tribunal and any decision of an administrative authority of a third country requiring a controller or processor to transfer or disclose personal data may only be recognised or enforceable if it is based on an international agreement, such as a Mutual Legal Assistance Treaty (MLAT), in force between the requesting third country and the EU or a Member State.
The CLOUD Act is specifically designed to bypass these traditional, slower MLAT processes. It allows US authorities to issue warrants directly to US companies, demanding data without necessarily going through the diplomatic channels that GDPR requires. This places US companies, and by extension their European customers, in an impossible legal bind:
• If they comply with a US warrant under the CLOUD Act, they risk breaching GDPR by transferring personal data to a third country without a valid legal basis. This can result in significant fines under GDPR (up to €20 million or 4% of global annual turnover).
• If they refuse to comply with the US warrant, they face legal penalties under US law.
The European Data Protection Board (EDPB) has made its position clear: service providers subject to EU law cannot legally base data transfers to the US solely on CLOUD Act requests. Yet, the practical reality is that US companies are ultimately bound by US law, and the CLOUD Act gives the US government a powerful tool to access data held by these companies, wherever it may be located.
The Illusion of “Sovereign Cloud”
In response to growing sovereignty concerns in Europe, major US cloud providers have launched a series of marketing initiatives designed to reassure their customers. Microsoft has promoted its “EU Data Boundary,” Amazon has announced an “AWS European Sovereign Cloud,” and Google offers “Sovereign Controls.” These offerings typically promise to keep European data within the EU, process it using EU-based personnel, and provide enhanced encryption and access controls.
However, as legal experts, data protection authorities, and even the European Data Protection Supervisor (EDPS) have pointed out, these initiatives are largely an “illusion of control.” The fundamental problem remains: as long as the parent company is headquartered in the United States, it is subject to the CLOUD Act. Jurisdiction follows ownership, not data location.
A US company cannot simply declare a subsidiary or a data centre to be “sovereign” and thereby exempt itself from US law. If the US government issues a warrant under the CLOUD Act, the US parent company is legally obligated to comply, regardless of where the data is stored or what marketing label has been applied to the service.
The EDPS Ruling: A Landmark Warning
The theoretical conflict between the CLOUD Act and GDPR became a concrete, practical reality in March 2024, when the European Data Protection Supervisor (EDPS) issued a landmark ruling against the European Commission itself. The EDPS found that the Commission had infringed several key data protection rules through its use of Microsoft 365.
The ruling was damning. The EDPS found that the Commission had failed to provide appropriate safeguards to ensure that personal data transferred outside the EU/EEA was afforded an essentially equivalent level of protection as guaranteed within the EU. Furthermore, the Commission had not sufficiently specified in its contract with Microsoft what types of personal data were being collected and for which explicit and specified purposes.
The corrective measures imposed were significant. The EDPS ordered the Commission to suspend all data flows resulting from its use of Microsoft 365 to Microsoft and to its affiliates and sub-processors located in countries outside the EU/EEA not covered by an adequacy decision. The Commission was given until December 9, 2024, to demonstrate compliance.
Wojciech Wiewiórowski, the EDPS, stated: “It is the responsibility of the EU institutions, bodies, offices and agencies (EUIs) to ensure that any processing of personal data outside and inside the EU/EEA, including in the context of cloud-based services, is accompanied by robust data protection safeguards and measures.”
This ruling serves as a critical warning for all European organisations, including Belgian businesses. If the European Commission itself—with all its legal resources and expertise—cannot use Microsoft 365 in a compliant manner, what chance does a typical Belgian SME or even a large enterprise have? The message is clear: relying on US-based cloud providers for critical and sensitive data carries inherent and unavoidable legal and security risks.
The Swiss Solution: True Sovereignty with InvestGlass
For Belgian businesses seeking a genuine path to digital sovereignty, the solution lies in choosing a provider that is legally and geographically shielded from US jurisdiction. This is where InvestGlass, a 100% Swiss-owned and operated company, emerges as the definitive sovereign alternative to Salesforce, Microsoft Dynamics 365, and other US-based CRM and automation platforms.
Why Switzerland?
Switzerland occupies a unique position in the global data protection landscape. It is not a member of the European Union, nor is it subject to US law. Switzerland has a long and distinguished history of political neutrality and a robust legal framework for data protection that is recognised by the EU as providing an “adequate” level of protection.
Swiss data protection law, the Federal Act on Data Protection (FADP), has been significantly updated to align with GDPR principles, ensuring that data processed in Switzerland enjoys a high level of protection. Crucially, Swiss companies are not subject to the US CLOUD Act. This means that data hosted in Switzerland by a Swiss company is legally insulated from the extraterritorial reach of US law enforcement.
This legal certainty is invaluable. By choosing a Swiss provider, Belgian businesses can ensure that their data is governed solely by Swiss and European law, without the risk of it being accessed by a foreign government under a law like the CLOUD Act.
InvestGlass: A Comprehensive Sovereign Platform
InvestGlass is more than just a CRM; it is a complete, integrated ecosystem designed from the ground up for regulated industries, with a particular focus on financial services. The platform combines customer relationship management, portfolio management, marketing automation, digital onboarding, and client portal capabilities into a single, unified solution.
The core philosophy of InvestGlass is to provide businesses with complete control over their data and their digital operations. All data is hosted in Switzerland by default, protected by Swiss law, and managed by a Swiss team. This provides Belgian companies with the legal certainty and peace of mind that their data is secure from foreign government access.
Key Features of the InvestGlass Platform:
Digital Onboarding: Streamline client acquisition with customisable, logic-based forms that adapt to the user’s responses. Automate Know Your Customer (KYC) and Anti-Money Laundering (AML) processes, including identity verification, document collection, and risk assessment. InvestGlass’s digital onboarding tools reduce manual effort, accelerate time-to-onboard, and ensure compliance with regulatory requirements.
Customer Relationship Management (CRM): At its core, InvestGlass provides a powerful CRM to organise contacts, manage relationships, and track all interactions with clients and prospects. The CRM is designed to be highly flexible, allowing users to customise fields, workflows, and views to match their specific business processes. All client data is stored in a single, secure repository, providing a 360-degree view of each relationship.
Portfolio Management System (PMS): For financial services firms, InvestGlass offers a sophisticated Portfolio Management System. This tool allows users to manage investments, track performance across multiple asset classes, generate reports, and ensure compliance with regulations like MiFID II and LSFIN. The PMS integrates seamlessly with the CRM, providing a unified view of client relationships and their investment portfolios.
Marketing Automation: Create targeted marketing campaigns, automate communications, and nurture leads with precision. InvestGlass’s marketing tools allow users to segment audiences, personalise messages, schedule email campaigns, and track engagement. This helps businesses to build stronger relationships with their clients and prospects while reducing manual marketing effort.
Client Portal: Provide clients with a secure, branded portal where they can access documents, statements, reports, and communicate directly with their advisors. The client portal enhances transparency, improves client satisfaction, and reduces the administrative burden on staff.
Automation and Workflow: InvestGlass includes powerful automation and Robotic Process Automation (RPA) capabilities. Users can create automated workflows to handle repetitive tasks, trigger actions based on specific events, and ensure that processes are followed consistently. This improves efficiency, reduces errors, and frees up staff to focus on higher-value activities.
Compliance and Reporting: The platform is built with compliance in mind. InvestGlass provides tools to help businesses meet the requirements of GDPR, FINMA (the Swiss Financial Market Supervisory Authority), DORA, NIS2, MiFID II, and other relevant regulations. Auditable trails of all activities, robust access controls, and data encryption ensure that sensitive information is protected.
By choosing a Swiss sovereign solution like InvestGlass, Belgian companies can align their technology stack with the stringent requirements of GDPR, NIS2, and DORA, mitigating compliance risks and demonstrating a clear commitment to data protection to their clients and regulators.
InvestGlass vs. US Hyperscalers: A Sovereignty Showdown
When evaluating CRM and business automation platforms, Belgian businesses must now consider data sovereignty as a primary criterion, alongside functionality and cost. The following table provides a direct comparison between InvestGlass and the two dominant US-based alternatives: Salesforce and Microsoft Dynamics 365.
| Feature | InvestGlass | Salesforce | Microsoft Dynamics 365 |
|---|---|---|---|
| Data Sovereignty | True Swiss Sovereignty – Hosted in Switzerland, immune to US CLOUD Act | US Jurisdiction – Subject to CLOUD Act, regardless of data centre location | US Jurisdiction – Subject to CLOUD Act, regardless of data centre location |
| Primary Legal Jurisdiction | Switzerland | United States | United States |
| CLOUD Act Exposure | None – Swiss company, not subject to US law | High – US company, fully subject to CLOUD Act | High – US company, fully subject to CLOUD Act |
| GDPR Compliance | Strong – Aligned with GDPR, no conflict with US law | Compromised – CLOUD Act creates inherent conflict with GDPR | Compromised – EDPS ruling highlights non-compliance risks |
| Compliance Focus | GDPR, FINMA, DORA, NIS2, MiFID II, LSFIN | Primarily US regulations; GDPR claims undermined by CLOUD Act | Primarily US regulations; GDPR claims undermined by CLOUD Act |
| Hosting Options | Swiss Cloud, Private Cloud, On-Premise | Public Cloud (AWS, Azure, GCP) | Public Cloud (Microsoft Azure) |
| Target Audience | Financial Services, Regulated Industries, Governments, SMEs | General Purpose CRM, Large Enterprises | General Purpose CRM, integrated with Microsoft ecosystem |
| Platform Architecture | All-in-one integrated platform (CRM, PMS, Onboarding, Portal, Automation) | Modular, requires multiple clouds and integrations | Modular, deeply integrated with Microsoft 365 and Azure |
| Customisation | Highly flexible, no-code tools for easy customisation | Complex, often requires expensive consultants (Salesforce Partners) | Complex, often requires specialised developers |
| Cost Structure | Predictable, all-in-one pricing | Complex, multi-tiered licensing with hidden costs | Complex, licensing tied to Microsoft ecosystem |
The Case for InvestGlass
The comparison table makes the case clear. While Salesforce and Microsoft Dynamics 365 are powerful platforms with extensive features, their fundamental weakness for European businesses is their US jurisdiction. No amount of marketing, no “EU Data Boundary,” and no “Sovereign Cloud” label can change the fact that they are subject to the US CLOUD Act.
InvestGlass, by contrast, offers a platform that is comparable in functionality but is built on a foundation of true Swiss sovereignty. For Belgian businesses operating in regulated industries, or for any organisation that handles sensitive client data, this difference is not merely a technical detail—it is a fundamental strategic advantage.
Practical Steps for Belgian Businesses
The transition to a sovereign technology stack is not something that happens overnight, but it is a journey that Belgian businesses must begin now. Here are some practical steps to consider:
1. Conduct a Data Audit: Understand where your data is stored, who has access to it, and what legal jurisdictions it is subject to. Identify all US-based cloud providers in your technology stack.
2. Assess Your Risk Exposure: Evaluate the potential impact of the CLOUD Act on your business. Consider the sensitivity of the data you hold, your regulatory obligations under GDPR, NIS2, and DORA, and the reputational risk of a data breach or non-compliance.
3. Evaluate Sovereign Alternatives: Research and evaluate European and Swiss alternatives to your current US-based tools. For CRM and business automation, InvestGlass is a leading sovereign option.
4. Develop a Migration Plan: Create a phased plan to migrate your most sensitive data and critical applications to sovereign platforms. Prioritise systems that hold personal data, financial data, or other regulated information.
5. Engage with Your Providers: If you are currently using US-based providers, engage with them to understand their data handling practices and their response to the CLOUD Act. Be sceptical of marketing claims about “sovereignty” and demand concrete legal assurances.
6. Train Your Staff: Ensure that your staff understand the importance of data sovereignty and the regulatory requirements they must comply with. This is particularly important for senior management, given the personal liability clauses in NIS2.
7. Document Your Compliance: Maintain thorough documentation of your data protection measures, risk assessments, and compliance activities. This will be essential in the event of an audit by the CCB or other regulatory authorities.
Conclusion: The Strategic Choice for Belgian Businesses
The landscape of digital regulation in Belgium and across Europe has fundamentally shifted. The convergence of GDPR, NIS2, and DORA, combined with the clear and present danger posed by the US CLOUD Act, makes digital sovereignty a non-negotiable priority for any organisation that handles sensitive data. Relying on US-based cloud providers like Salesforce and Microsoft for critical business applications is no longer a tenable or defensible strategy.
The warnings from Belgium’s own cybersecurity chief, the landmark EDPS ruling against the European Commission, and the ever-expanding scope of European data protection law all point in the same direction: European businesses must take control of their digital destiny.
The path forward is clear: embrace true sovereign solutions. InvestGlass offers a powerful, comprehensive, and secure platform that is not only compliant by design but is also legally insulated from the extraterritorial reach of US law. By making the strategic switch to a Swiss sovereign CRM, Belgian businesses can:
• Protect their data from foreign government access under the CLOUD Act.
• Mitigate compliance risk by aligning with GDPR, NIS2, and DORA requirements.
• Build trust with clients who are increasingly concerned about data privacy.
• Gain a competitive advantage by demonstrating a commitment to the highest standards of data protection.
• Future-proof their operations against an increasingly uncertain geopolitical landscape.
The choice is yours. But in the new era of digital sovereignty, the businesses that thrive will be those that recognise the risks of technological dependence and take decisive action to secure their data, their clients, and their future.
Frequently Asked Questions (FAQ)
1. What is digital sovereignty and why does it matter for Belgian businesses?
Digital sovereignty refers to the ability of a nation or organisation to have control over its own digital infrastructure, data, and technological destiny. For Belgian businesses, it matters because it determines which laws govern your data. If you use US-based cloud providers, your data is subject to US laws like the CLOUD Act, which can conflict with your obligations under GDPR, NIS2, and DORA. True digital sovereignty means your data is protected by the laws of a jurisdiction you trust, such as Switzerland.
2. What is the US CLOUD Act and how does it affect my company’s data?
The Clarifying Lawful Overseas Use of Data (CLOUD) Act is a US federal law passed in 2018. It allows US law enforcement to compel US-based technology companies (like Microsoft, Salesforce, Amazon, and Google) to hand over data stored on their servers, regardless of where in the world that data is physically located. This means that even if your data is stored in an EU data centre, it can still be accessed by US authorities if your provider is a US company.
3. Is my data safe if it’s stored in an EU data centre by a US company?
No, this is a common and dangerous misconception. The US CLOUD Act applies based on the jurisdiction of the company, not the location of the data. If your cloud provider is a US company, your data is subject to US law, even if it is stored in Belgium, Germany, or any other EU country. The “EU Data Boundary” and “Sovereign Cloud” offerings from US providers do not change this fundamental legal reality.
4. What makes InvestGlass a truly “sovereign” solution?
InvestGlass is a 100% Swiss company, headquartered in Geneva. All data is hosted in Switzerland by default and is protected by Swiss data protection law. Switzerland is not part of the EU or the US, and Swiss companies are not subject to the US CLOUD Act. This means that data held by InvestGlass is legally insulated from the extraterritorial reach of US law enforcement, providing genuine data sovereignty.
5. Is InvestGlass only suitable for financial services companies?
While InvestGlass has deep expertise and a comprehensive feature set tailored for the financial services industry (including banks, asset managers, insurance companies, and wealth advisors), its flexible platform is suitable for any regulated industry or business that prioritises data security and sovereignty. This includes government agencies, healthcare providers, legal firms, and any organisation that handles sensitive client data.
6. How does InvestGlass help with compliance under NIS2 and DORA?
InvestGlass helps Belgian businesses meet the core requirements of NIS2 and DORA by providing a secure, sovereign platform for managing sensitive data. Its features for digital onboarding, CRM, portfolio management, and automation include robust access controls, data encryption, auditable trails of all activities, and tools for managing third-party risk. By hosting data in Switzerland, InvestGlass also eliminates the compliance risks associated with the CLOUD Act.
7. What are the key requirements of the NIS2 Directive in Belgium?
The NIS2 Directive in Belgium (Law of 26 April 2024) significantly expands the number of regulated entities to an estimated 10,000-12,000 across 18 sectors. Key requirements include comprehensive cybersecurity risk management, incident reporting to the CCB within 24 hours, supply chain risk management, and direct cybersecurity responsibility for senior management. Fines can reach up to €10 million or 2% of global turnover, and directors can face personal liability, including management bans.
8. How difficult is it to migrate from Salesforce or Microsoft Dynamics to InvestGlass?
InvestGlass provides a streamlined onboarding process and tools to facilitate data migration. The platform is designed to be intuitive and user-friendly, with no-code tools that allow for easy customisation without the need for expensive consultants or developers. The InvestGlass team provides support throughout the migration process to ensure a smooth transition.
9. Can I host InvestGlass on my own servers (on-premise)?
Yes, InvestGlass offers flexible deployment options to meet the needs of different organisations. You can choose a fully managed Swiss cloud (the default option), a private cloud hosted in a location of your choice, or an on-premise installation on your own infrastructure for maximum control. This flexibility allows you to tailor the deployment to your specific security and compliance requirements.
10. How does the cost of InvestGlass compare to Salesforce and Microsoft Dynamics?
InvestGlass typically offers a more cost-effective and predictable pricing model compared to the complex, multi-tiered licensing structures of Salesforce and Microsoft Dynamics. These US platforms often involve hidden costs for additional features, user licenses, storage, and consulting services. InvestGlass provides an all-in-one platform that includes CRM, PMS, onboarding, portal, and automation capabilities, reducing the need for multiple expensive point solutions and simplifying budgeting.