On June 2, 2026, the text of a new federal popular initiative, "For the digital security of Switzerland," was published in the Federal Gazette, opening an 18-month window for the Swiss Digital Pact association to gather the 100,000 valid signatures it needs by December 2, 2027. The proposal would insert a new Article 57a, "Digital Security," into the Federal Constitution, tasking the Confederation with ensuring effective security across the country's digital space — public and private — and guaranteeing its enforcement. It is a sweeping, top-down constitutional mandate, and its timing is pointed: it arrives precisely as the state's flagship digital project, the Swiyu e-ID wallet, has slipped its launch to December 1, 2026.
The case for writing security into the constitution
The strongest argument for the initiative is real. Switzerland's digital governance is fragmented across the Confederation, 26 cantons, and thousands of municipalities, with no single constitutional anchor obliging the federal government to secure critical digital infrastructure. Proponents argue that ransomware against hospitals, supply-chain compromises, and the exposure of citizen data are systemic risks that the current patchwork addresses only reactively. A constitutional duty, on this view, would give the Confederation durable authority and political cover to set baseline security standards — much as it already does for physical infrastructure. When the state itself is about to hold a population-scale identity credential, the demand for a clear security mandate is not unreasonable.
But the timing exposes the real problem
The difficulty is that Switzerland's digital security gap is not a gap in constitutional authority. It is a gap in execution — and the Swiyu rollout is the proof. The e-ID Act was approved by voters on September 28, 2025, but by the narrowest of margins: 50.39% yes to 49.61% no, on 49.55% turnout, according to the federal e-ID office. That near-tie was itself a verdict on trust. The 2021 e-ID proposal, which would have let private companies issue the credential, was crushed 64.4% to 35.6%; the 2025 version won only because the state took over issuance and promised stronger privacy guarantees.
Those promises are now running late. In February 2026, the Swiss Federal Audit Office published its second audit of the e-ID program and flagged that the end-to-end encryption concept for user data — due by the end of 2025 — had not been finalized, alongside gaps in police issuance integration and verifier accountability. The Federal Council pushed the public launch from summer to December 1, 2026, and Federal Councillor Beat Jans directed the Federal Office of Justice to address the criticisms first. In other words, the state could not ship its own secure app on time under existing law. A new constitutional clause would not have written the missing encryption spec.
A constitutional mandate is a blunt instrument
From a pro-innovation standpoint, the initiative's breadth is its weakness. Article 57a would oblige the Confederation to "ensure and enforce" security across all public and private digital infrastructure — language broad enough to justify wide-ranging mandates on private operators, cloud providers, and software vendors, with the substance left to future legislation and ordinances. Constitutional text is hard to amend and easy to over-read. A duty framed as "guaranteeing" security invites mandatory standards, certification regimes, and potentially state-preferred or state-run tools, precisely the kind of top-down architecture that the e-ID debate showed Swiss voters distrust.
Proportionate regulation works the other way around. The European Union's NIS2 Directive and the Cyber Resilience Act, whatever their flaws, tie obligations to risk tiers and defined sectors rather than to an open-ended constitutional guarantee. Switzerland already has a functioning toolkit: the revised Federal Act on Data Protection (in force since September 2023), the National Cyber Security Centre, and sector regulators such as BAKOM and FINMA. The lesson of Swiyu is that these institutions need adequate funding, firm deadlines, and independent audit follow-through — not a new constitutional headline that promises security in the abstract while the concrete project misses its own encryption milestone.
The government-app dimension
There is a deeper tension for anyone watching government app mandates. As states move identity, payments, and public services onto official apps, the security of those apps becomes a public-trust question, not a procurement footnote. Switzerland's relative caution — a non-linkable design that issues multiple technically distinct e-IDs so transactions cannot be correlated, plus a public register of data queries — is genuinely better than the centralized digital-ID models seen elsewhere. That restraint, won at the ballot box by a single percentage point, is the asset worth protecting. A constitutional security mandate, if read expansively, could just as easily be invoked to justify making such apps compulsory or to centralize control in the name of safety.
What proportionate looks like
The initiative deserves a serious debate rather than reflexive dismissal; its diagnosis of fragmented accountability lands. But the better response to the Swiyu delay is to finish Swiyu properly — publish the encryption design, meet the December 2026 date, and let the Audit Office verify it — while strengthening cyber obligations through risk-calibrated statute. Switzerland's credibility on digital trust was bought at 50.39%. Spending it on a broad constitutional guarantee the state cannot yet honor in practice would be the wrong trade.