Switzerland Said No. The UK Said Hold My Beer. The Palantir Case Study Every Business Owner Needs to Read.
This week, we have covered the CLOUD Act's legal implications for UK businesses, examined why your cloud stack is not neutral plumbing, and walked through a practical exposure audit. Today, we look at the case study that ties the whole series together.
Two countries. Same company. Same technology. Same risks. Opposite decisions.
What Switzerland Found
Over roughly seven years, at least nine Swiss federal agencies either refused or quietly declined Palantir's products. The most comprehensive assessment came from the Swiss Armed Forces, which commissioned a 20-page risk evaluation of Palantir's logistics module.
The evaluators reached three findings that any UK business owner should sit with.
First, US jurisdiction creates a sovereignty problem. Because Palantir is US-headquartered, the data it holds is potentially reachable by the American government and intelligence services. The evaluators explicitly identified this as a sovereignty risk. Not a theoretical risk. Not a future risk. A current architectural reality baked into the relationship between a US company and its government.
Second, leaks cannot be technically prevented. The assessment concluded that technical measures alone are insufficient to guarantee data would not leave Palantir's systems. This is an architecture problem, not a configuration problem. You cannot patch it with a settings change.
Third, vendor lock-in threatens operational independence. The Army would become dependent on Palantir specialists on-site, limiting its ability to act independently in a crisis. Classic vendor dependency: the more deeply you integrate, the harder it becomes to operate without the vendor's staff in the room.
The recommendation to the Army chief was unambiguous: consider alternatives.
Switzerland then set a direction towards what they called absolute autonomy. Swiss servers. Swiss encryption. Swiss cloud. Swiss AI. The Canton of Zurich banned American cloud services outright for government use. Privatim, the Swiss data protection conference, passed a resolution in November 2025 declaring international cloud services unsuitable for sensitive government data.
What the UK Did Instead
The United Kingdom looked at the same company and signed contracts worth more than £900 million.
The NHS Federated Data Platform is a £330 million, seven-year contract awarded to a Palantir-led consortium (with Accenture and PwC) in November 2023. This platform is designed to hold and analyse patient data across England's hospital trusts. The NHS FDP went through a formal open tender process.
The Ministry of Defence enterprise agreement, signed in September 2025, was a direct award worth approximately £240 to £250 million. No competition. Parliament is still asking why it was handed over without one. On 10 February 2026, James Cartlidge MP tabled an Urgent Question in the Commons, and Minister Luke Pollard confirmed the direct award while facing questions about procurement without competition and the revolving door of former MoD officials moving to Palantir-adjacent roles.
Beyond these two flagship contracts, Palantir's involvement extends into policing, nuclear weapons support, and border planning. Total UK government spending on Palantir technology now exceeds £500 million on record, and the real figure is likely higher given classified defence procurements.
The Adoption Problem Nobody Predicted
Here is where the case study gets uncomfortable for the UK government's position.
Fewer than a quarter of England's 215 hospital trusts were actively using the NHS Federated Data Platform by the end of 2024. Multiple trusts have publicly questioned or rejected the platform.
Milton Keynes University Hospitals reported seeing no benefit from FDP pilots. Leeds Teaching Hospitals wrote privately to NHS England that adoption would "lose functionality rather than gain it." NHS Greater Manchester stated that no FDP products "exceed the NHS Greater Manchester local capability." The NHS Chief Data and Analytical Officer Network published an open letter noting many trusts "already have similar tools in use that presently exceed the capability" of the FDP.
In February 2026, the British Medical Association called for a "complete break" from Palantir in the NHS. BMA Chair Tom Dolphin stated that, given the company's track record including controversies involving immigration enforcement, the risks to patient trust, data security, and NHS independence meant there should be no further contracts awarded.
This is not a fringe position. This is the UK's largest medical professional body, representing over 190,000 doctors, calling for a complete termination of the relationship.
Why the Divergence Matters for Your Business
The Switzerland-UK divergence is not just a curiosity for government policy wonks. It exposes a pattern that applies directly to commercial organisations.
Switzerland asked the uncomfortable questions before signing. They assessed US jurisdictional reach. They evaluated architectural data leakage risk. They identified vendor dependency as an operational threat. They documented their findings and acted on them.
The UK treated the decision as a procurement exercise. The questions were about capability, cost, and delivery timescales. The sovereignty risk was either not assessed, not documented, or not considered decisive.
Your business faces a smaller version of the same choice every time you select a cloud vendor. Do you assess the jurisdictional implications? Do you evaluate who controls the encryption keys? Do you consider what happens if you need to leave?
The CMA's cloud services market investigation found fewer than 1% of UK cloud customers switch providers annually. Once you are in, you are in. The Swiss assessment recognised this and treated vendor lock-in as a strategic risk. Most UK businesses treat it as a sunk cost.
The Contradiction at the Heart of European Sovereignty
To be fair, no country has this completely right. France is the most instructive comparison.
France banned all non-European videoconferencing from government use on 26 January 2026. Zoom, Teams, Google Meet: all gone, replaced by the sovereign Visio platform. France has legislated sovereign hosting requirements through the Loi SREN, making ANSSI SecNumCloud qualification mandatory for sensitive government data.
And yet. On 15 December 2025, France quietly renewed its intelligence agency's contract with Palantir for another three years. The DGSI has used Palantir's Gotham platform since the 2015 Paris attacks. Every attempt to build a sovereign alternative has failed to reach operational readiness.
This is not hypocrisy. It is the reality of deep vendor dependency. France built a dependency it cannot exit, despite building the legal framework to prevent exactly this. The lesson for businesses is that exit planning is not optional, and it becomes harder the longer you wait.
The UK Governance Gap
Switzerland acted on an assessment. France, despite contradictions, has built a legal framework. The UK has done neither.
There is no UK equivalent of France's SecNumCloud qualification. No UK government migration programme away from US cloud platforms. No NCSC guidance explicitly addressing CLOUD Act risk for commercial organisations. No ICO enforcement action testing the conflict. The UK government occupies both sides of the CLOUD Act simultaneously: issuing 20,000+ orders under the bilateral agreement while remaining exposed to reciprocal access.
For UK businesses, this absence of government direction means the responsibility falls entirely on you. There is no regulator telling you what to do. There is no framework you can point to and say "we followed the guidance." You have to assess the risk yourself, document your position, and make a governance decision.
That is simultaneously a burden and an opportunity. The businesses that do this first define the standard for their sector.
How to Turn This Into a Competitive Advantage
Reference the Swiss assessment in your governance documents. You do not need to match Switzerland's rigour. You need to show you are aware that a peer country's military found US vendor dependency to be a sovereignty, security, and operational risk, and that you have assessed your own position in light of that finding.
Use the divergence in sales conversations. "Switzerland's military rejected this class of vendor risk. We have assessed ours and taken specific steps." That framing positions your organisation as thoughtful and prepared.
Build a proportionate response, not an extreme one. Nobody expects a 30-person firm to build its own sovereign cloud. But identifying your crown jewels, checking your encryption key control, and having a documented exit plan puts you ahead of every competitor who has not thought about it.
How to Sell This to Your Board
The Switzerland case study is the most powerful single piece of evidence for board-level conversations about data sovereignty.
The narrative: "Switzerland's military assessed the same class of US vendor risk that exists in our cloud stack. They found it unacceptable for sensitive data. The UK government proceeded anyway. The BMA has now called for a complete break. We need to decide our position."
The question for the board: "Have we assessed the jurisdictional risks of our cloud providers, and are we comfortable with our current posture if a client, regulator, or journalist asks?"
The proportionate ask: "We are not proposing a migration. We are proposing that the board formally acknowledges the risk, reviews our CLOUD Act exposure audit (completed Thursday), and approves a documented position. This takes ten minutes on the agenda and protects us if the question comes."
What This Means for Your Business
Read Tuesday's CLOUD Act analysis if you have not already. It provides the legal framework behind the Swiss assessment.
Complete Thursday's exposure audit if you have not started. The Swiss assessment worked because it was documented, specific, and honest. Yours should be the same.
Brief your board or trustees using the Swiss comparison. It is the most compelling illustration available of why this is a governance issue, not an IT issue.
Set a review date. The Swiss assessment was a point-in-time evaluation. Yours should be too, with a scheduled annual review.
Watch what happens next. The BMA's call for a complete break from Palantir, the CMA's cloud market investigation, and the ICO's updated transfer guidance all suggest the UK regulatory environment is moving. Being ahead of that movement is cheaper than reacting to it.
Listen to the Full Discussion
The Switzerland-UK comparison is discussed in detail in Season 2, Episode 7 of The Small Business Cyber Security Guy podcast.
Tomorrow: Noel's weekend opinion piece on why Europe is leaving while the UK sleepwalks.