Swiss Cyber Command Replaces Microsoft 365 With openDesk by October 2026

Switzerland’s military cyber specialists plan to equip every workplace in Cyber Command with the German open-source suite openDesk by October 2026, accelerating a break from Microsoft that the rest of the federal administration is still studying. The move affects the unit responsible for defending Swiss military networks, not the entire Swiss Armed Forces, but its security implications extend well beyond a relatively small software deployment.
The timetable was first reported by the Swiss online magazine Republik and subsequently confirmed to the publication by the Federal Chancellery. Cyber Command and its Cyber and Electromagnetic Actions service are moving faster than the civilian government because they regard dependence on Microsoft’s cloud-connected products as an operational risk, not merely a procurement issue.
That distinction matters. Switzerland is not simply replacing Word with another word processor to trim licensing costs. It is testing whether a national-security organization can keep its communications, documents and collaboration infrastructure under its own technical and legal control.

Swiss cyber operators monitor secure servers and plan migration from foreign cloud services to sovereign infrastructure.A Microsoft 365 Rollout Meets a Military Red Line​

The Swiss Federal Administration began rolling out Microsoft 365 broadly in October 2024 under the Cloud Enabling Office Automation program, known as CEBA. The project replaced Microsoft Office LTSC Professional Plus 2021 and ultimately installed Microsoft 365 on tens of thousands of government workstations.
Officially, the government maintained an important boundary: email and sensitive data would remain on infrastructure operated by the Swiss Confederation rather than being stored in Microsoft’s public cloud. Even so, Microsoft 365 applications and supporting services remain connected to Microsoft-controlled technology, creating questions about telemetry, authentication, updates and other data exchanges that are harder for customers to inspect independently.
For a civilian office, that may be treated as a contractual, compliance or risk-management problem. For an organization handling highly classified military information, Cyber Command argues that the standard must be stricter.
Simon Müller, the head of Cyber Command, has described Microsoft 365 as a capable product while arguing that it is unsuitable for an organization with the military’s highest confidentiality requirements, according to Republik. The concern is not an allegation that Microsoft is deliberately passing Swiss military documents to Washington. It is that Cyber Command cannot independently eliminate every potential call-home path or guarantee continued access under every geopolitical scenario.
The push began under former Armed Forces chief Thomas Süssli. In a letter disclosed by Republik in October 2025, Süssli asked the Federal Chancellery to provide an alternative for sensitive military work rather than applying the administration-wide Microsoft strategy unchanged.
His demand landed awkwardly because the Chancellery had already spent years preparing the Microsoft 365 migration. It also exposed a fundamental difference between ordinary government IT and defense infrastructure: a system can satisfy current data-protection rules while still creating a strategic dependency that military planners consider unacceptable.

The CLOUD Act Is Only Part of the Risk​

The U.S. CLOUD Act frequently appears in European debates about American technology providers. It clarifies that service providers subject to U.S. jurisdiction may be required to produce data within their possession, custody or control in response to valid legal process, regardless of where that data is stored.
That does not mean the U.S. government can casually browse any Microsoft 365 tenant, nor does it automatically place locally stored Swiss documents within American reach. Legal jurisdiction, the customer’s configuration and whether Microsoft possesses or controls the requested information all matter.
Cyber Command’s problem is broader than a single statute, however. Its security model must account for technical access, foreign legal orders, commercial policy changes, sanctions and the possibility that a critical service could be restricted during an international crisis. Even a low-probability event carries unusual weight when the affected organization is expected to remain operational during precisely that kind of crisis.
This is where the often-discussed “kill switch” risk enters the argument. Cloud subscriptions and externally controlled identity services can give a supplier—or the government with jurisdiction over it—leverage that does not exist when an organization operates auditable software on infrastructure it controls.
Europe’s concern grew after U.S. sanctions affected technology access for officials associated with the International Criminal Court. Whatever the legal justification for an individual restriction, the episode demonstrated that access to mainstream productivity and communications services can become entangled with foreign policy.
For Cyber Command, continuity cannot depend solely on assurances about how a vendor behaves under normal conditions. The unit needs to know whether it can patch, operate and restore its collaboration environment without requiring permission or functioning services from abroad.

openDesk Trades Polish for Inspectability​

openDesk is produced by Germany’s Centre for Digital Sovereignty of Public Administration, or ZenDiS, on behalf of the German federal government. Rather than recreating Microsoft 365 as one monolithic application, it combines established open-source components behind a common identity and web portal.
The suite provides browser-based document editing, spreadsheets, presentations, email, calendars, file storage, project management, chat and video communication. Its components include tools such as Element for real-time collaboration, OpenProject for project management and an identity platform built around Univention technology and Keycloak.
The Community Edition can be downloaded and operated independently, while an Enterprise Edition adds professional support for public-sector deployments. openDesk is designed for Kubernetes environments, allowing an organization such as Cyber Command to run it in infrastructure under its own authority.
That architecture gives the Swiss military several advantages:
  • Cyber Command can inspect source code and investigate unexpected behavior rather than relying exclusively on a proprietary vendor’s documentation.
  • Administrators can host critical services in Swiss-controlled data centers and choose which external connections are permitted.
  • Components can be replaced or modified without waiting for a single supplier’s product roadmap.
  • The organization retains a viable operating path if its commercial or political relationship with a foreign vendor changes.
Open source does not automatically make software secure. Public code can contain vulnerabilities, and a self-hosted deployment transfers responsibility for patching, monitoring, backups and incident response to the customer. The practical benefit is control and verifiability, not immunity from attack.
Cyber Command is unusually well positioned to accept that trade. Its personnel already operate sensitive systems internally and have the engineering expertise to integrate or replace components. A public agency without that staff could find the same freedom expensive and difficult to maintain.

Zurich’s Findings Show Why This Is Not Yet a Government-Wide Template​

The City of Zurich previously examined openDesk and concluded that a near-term wholesale migration was not realistic for its administration. Among the shortcomings identified in reporting by Republik were its browser-focused interface, the absence of a complete Teams-style enterprise telephony replacement and uncertain migration costs.
User expectations are another obstacle. Employees who have spent decades with Outlook, Word, Excel and Teams depend on workflows, macros, document formats, add-ins and integrations that are not replaced merely by providing functionally similar applications.
Cyber Command can tolerate gaps that would produce widespread disruption in a large civilian administration. It can limit the initial deployment, build missing integrations and impose stricter operating procedures because security takes priority over convenience.
This makes the October milestone a meaningful test but not definitive proof that Switzerland’s approximately 54,000 federal Microsoft 365 workstations can be converted in the same way. A successful military deployment would demonstrate technical viability for a specialist organization; it would not erase the compatibility, training and support costs of a federal-scale migration.
The Federal Chancellery is conducting pilots and preparing a feasibility study on reducing dependence on Microsoft. That report had reportedly been expected by the end of June 2026, but consideration by the Federal Council was postponed until after the summer break, with communication anticipated in mid-August.

Digital Sovereignty Now Has a Deployment Deadline​

The Swiss Parliament added political weight to the project in December 2025 by allocating 10 million Swiss francs for military participation in European open-source alternatives, including openDesk. Support crossed traditional party lines, reflecting a growing view that control over government software has become part of national resilience.
Cost is still present in the calculation. Microsoft and other hyperscale cloud providers can change subscription prices, bundle features and retire products according to commercial priorities. Open-source infrastructure has substantial staffing and migration expenses, but it gives the operator more influence over when and why those costs arise.
The result is not a clean divorce from American technology across the Swiss defense establishment. Switzerland continues to purchase major U.S. systems, most visibly the Lockheed Martin F-35A fighter aircraft, and openDesk itself will run on layers of hardware and software with international supply chains.
Cyber Command is drawing a narrower line: classified collaboration should not depend on a foreign company’s cloud strategy when a self-operated alternative is achievable. By October 2026, Switzerland should have its first concrete evidence of whether openDesk can cross that line without undermining day-to-day work.
If the deployment holds, the pressure on the Federal Chancellery will shift from asking whether Microsoft alternatives exist to determining which government workloads still genuinely require Microsoft.

References​

  1. Primary source: bluewin.ch
    Published: 2026-07-14T12:12:07.654919
  2. Related coverage: cybernews.com
 

Back
Top