On May 26, 2026, the consultancy Swiss Economics published a regulatory impact assessment (Regulierungsfolgenabschätzung) of Switzerland's proposed revision to the VÜPF — the Ordinance on the Surveillance of Post and Telecommunications. Commissioned by the Geneva innovation foundation FONGIT, the study put a price tag on a debate that until now had been argued mostly in the language of rights: up to roughly 10 billion francs in lost annual revenue, nearly 7 billion francs in cumulative tax shortfalls, and on the order of 53,000 jobs at risk by 2035. The report lands weeks before the Federal Council's planned second consultation, expected at the end of Q2 2026.
What the revision actually changes
The VÜPF (SR 780.11) is the implementing ordinance under Switzerland's surveillance act, in force since March 2018. The proposed revision does not create new police powers so much as conscript a far wider set of private companies into executing existing ones. Under the draft, communication providers — including encrypted email, messaging, and VPN services — would be required to retain IP and connection metadata for six months, identify their users against official documents such as an ID or driver's licence, and, under the contested Article 50a, strip away 'the encryption provided by them or on their behalf' to hand authorities readable data. End-to-end encrypted messages exchanged directly between users remain exempt, but the obligations would reach services with as few as 5,000 users.
Civil society flagged the constitutional stakes early. A February 4, 2026 open letter coordinated by European Digital Rights (EDRi) and signed by 19 organisations — including Statewatch, Amnesty International Switzerland, and Privacy International — warned that the regime authorises access to subscriber data and IP addresses without prior court authorisation, risks Switzerland's EU data-adequacy status, and conflicts with European Convention on Human Rights proportionality standards.
Steelmanning the case for expansion
The Federal Department of Justice and Police is not acting frivolously. Investigators face a genuine problem: serious crime — trafficking, fraud networks, child sexual abuse material — increasingly runs over encrypted, anonymised channels that leave little for a lawful warrant to reach. Metadata retention and reliable subscriber identification are, in many cases, the difference between a prosecutable case and a dead end. Switzerland already permits targeted, judicially supervised surveillance; the government's argument is that the ordinance is merely catching up to how communication now works, closing exemptions that let some providers hold no usable records at all. That is a legitimate law-enforcement interest, and any serious critique has to engage it rather than wish it away.
Why the proportionality fails
The trouble is that the means are sweeping where the justification is specific. The Swiss Economics assessment is blunt about the asymmetry: the obligations would hit 'providers of secure communication, cloud, and data protection services' particularly hard — precisely the sector Switzerland spent a decade cultivating as a competitive advantage. Blanket six-month retention applied to nearly every provider is the kind of indiscriminate measure the Court of Justice of the EU has repeatedly struck down, most notably in Digital Rights Ireland (2014) and the Tele2/Watson line of cases, on the ground that mass retention of an entire population's metadata is disproportionate regardless of investigative convenience.
The market has already begun voting. Proton, the Geneva-based maker of Proton Mail and Proton VPN, has warned that the revision would make Swiss surveillance 'much stricter than in the USA and the EU' and cost the country its competitiveness as a business location — and has started relocating infrastructure toward the EU, citing legal uncertainty. Threema, the Swiss encrypted messenger, sits in the same crosshairs. When the firms a jurisdiction markets itself on begin hedging their location, the regulatory signal has already done damage that no final text can fully undo.
The numbers reframe the trade-off
What the FONGIT study adds is a denominator. Swiss Economics models a central estimate near CHF 10 billion in annual revenue at risk, within a wide band running from roughly 5 to 39 billion, alongside ~7 billion in cumulative tax losses and tens of thousands of jobs through 2035. The ranges are large precisely because the harm is diffuse and confidence-driven: it depends on how many providers relocate, how investment reallocates, and how much of Switzerland's privacy-tech premium evaporates. But even the low end dwarfs any plausible investigative efficiency gain. A surveillance mandate that nets a modest number of additional cases per year while jeopardising a multi-billion-franc digital sector is not a close call on proportionality.
A narrower path exists
None of this requires Switzerland to abandon lawful access. A proportionate ordinance would tier obligations to genuine scale and risk rather than a 5,000-user floor, preserve prior judicial authorisation for IP and subscriber requests, drop the Article 50a decryption duty that pressures providers to weaken their own security, and limit retention to what targeted investigations actually need. The Federal Council has already shown it can pause — it ordered this very impact assessment and slowed the process after the first consultation. The second consultation is the moment to convert that caution into a redrafted ordinance that protects investigations without dismantling the trust economy Switzerland built. The figures published on May 26 make the cost of getting it wrong unusually legible.