A hosting jurisdiction’s posture is not a one-time choice. The legislative frame, the case-law layer, and the treaty surface all evolve, and the customer who selected an offshore civil-liberties jurisdiction in 2020 is operating in a different jurisdictional reality in 2026 — sometimes meaningfully different, sometimes barely so. The discipline of monitoring the drift and updating the working assumption is part of operating an offshore deployment over the long working life of a publication.
This article reads the jurisdictional drift in Iceland and Switzerland over 2024-2026, the EU treaty layer that pressed against both, and the practical implications for an editorial-register customer. It is the operational counterpart to the comparative jurisdictional dossier that anchors the threshold question; the comparative reads the steady-state posture, this article reads the velocity.
Why jurisdictional drift matters
A working publication’s hosting decision typically rests on three assumptions: the destination jurisdiction’s domestic legal frame, the destination jurisdiction’s posture toward foreign disclosure orders, and the treaty layer that allows or refuses cross-jurisdictional cooperation between the destination and the publication’s adversary jurisdiction. Each of the three drifts on a different cadence. The domestic frame drifts on the slow cadence of national legislatures and case-law accumulation; the foreign-disclosure posture drifts on the medium cadence of high-profile cases and prosecutor practice; the treaty layer drifts on the fast cadence of intergovernmental negotiation, where new instruments can be agreed in months and entered into force in a year or two.
The customer who treats the choice as one-time misreads the surface. The customer who treats it as a continuously-monitored decision — with annual review of the relevant statutes, the relevant case-law, and the treaty changes affecting the destination — is operating against the actual shape of the legal surface. This article is the annual-review companion for 2024-2026; the next one, written when 2027 closes, will cover what changed next.
Iceland: the steady state and the post-2020 layer
Iceland’s domestic legal frame for civil-liberties hosting has been broadly stable through the 2024-2026 window. The Icelandic Modern Media Initiative (Resolution 23/138 of the Althingi, 2010) remains the foundational instrument; the Whistleblower Protection Act (passed 2020, in force from 2021) remains the most recent major addition; the Icelandic Information Act and the Höfundalög (Icelandic copyright statute) have not seen revisions that materially change the hosting customer’s working assumptions.
What has shifted is at the case-law layer. A small number of decisions in 2024 and 2025 by the Icelandic District Court, on cases brought against Icelandic-hosted publications by foreign rights-holders, have continued the pattern that anchored the IMMI framing — foreign press-suppression orders and DMCA-shaped notices have been refused enforcement absent a domestic Icelandic legal vehicle. The cases are not individually high-profile but cumulatively reinforce the practical posture: an Icelandic-hosted publication faces a meaningful procedural threshold before any foreign disclosure or removal can be enforced through Icelandic authority.
Iceland’s relationship to the EU has been the structural variable. As an EEA member but not an EU member, Iceland incorporates EU directives selectively and on a delay; the EU instruments discussed in the treaty section below — particularly the e-Evidence Regulation and NIS2 — apply to Iceland in modified form and on a lag. The practical implication is that an Icelandic-hosted publication is governed by a slower-moving regulatory layer than an EU-hosted one, which is part of what makes Iceland the conservative answer in the comparative.
The Whistleblower Protection Act’s effect at the mail-server layer (the act extends source-protection obligations to mailhost operators) has been tested in two 2025 cases and held up; the email forensic-evidence framing for Iceland-hosted mail rests partly on those decisions.
Switzerland: the revFADP cycle and the BÜPF question
Switzerland’s most consequential development in the 2024-2026 window was the entry into force of the revised Federal Act on Data Protection (revFADP) on 1 September 2023. The revFADP brings Swiss data-protection law into alignment with the GDPR’s general principles while preserving the Swiss-specific positions on cross-border transfer (Switzerland is not bound by the GDPR’s adequacy mechanic in the same way an EU member is) and on national-security-exception scope. The first eighteen months of revFADP enforcement, from late 2023 through early 2025, produced the case-law layer that hosting customers now consult — a small body of decisions, all from the Federal Data Protection and Information Commissioner’s office and from the Federal Administrative Tribunal, that have set the working interpretation.
The substantive direction of the revFADP case-law has been customer-favourable. The Tribunal has consistently held that the procedural threshold for foreign-jurisdiction disclosure requests under the new regime is at least as high as the threshold under the prior FADP, and the Federal Data Protection and Information Commissioner has issued guidance reinforcing that fishing-expedition disclosure remains unenforceable. The 2019 ProtonMail v UVEK decision (A-550/2019), which anchored the prior regime, has been cited in revFADP-era case-law as continuing-good-law on the procedural threshold for mail-server compliance.
The BÜPF question — the Federal Act on the Surveillance of Postal and Telecommunications Traffic, with its accompanying ordinance VÜPF — has been the contested layer. Parliamentary discussion in 2024 and 2025 concerning expansions of the BÜPF’s scope to cover hosted services more broadly produced a draft revision that, as of the 2026-05 reading, has not entered into force. The draft would have extended provider-side data-retention obligations to a broader class of operators; the Federal Council’s June 2025 working position narrowed the scope back toward the existing telecommunications-only frame, and the parliamentary path is unresolved. The customer’s working assumption for 2026 is that the existing BÜPF frame applies; a customer whose threat model includes the broader-scope variant should monitor the parliamentary discussion through 2026 and into 2027.
Switzerland’s 2024 transparency-reporting practice across major Swiss-hosted services has been visible enough to produce comparative readings — ProtonMail’s annual reports, Proton’s broader expansion-into-services reports, and the smaller Swiss hosting providers’ reports collectively show a low rate of foreign-jurisdiction disclosure compliance, consistent with the case-law direction.
The EU treaty layer
Three EU-level developments in 2024-2026 affect the editorial-register customer’s working assumption about cross-jurisdictional cooperation between the EU and the destinations OffshorePress operates from.
The e-Evidence Regulation (EU Regulation 2023/1543) entered into force on 18 August 2026. The regulation establishes a “European Production Order” mechanism that allows EU prosecutors to compel content data from service providers across EU member states without going through the slower mutual-legal-assistance pipeline. The mechanism applies to providers offering services in the EU; whether and how it applies to non-EU providers (Switzerland, Iceland) is a separate question that the regulation’s text leaves to bilateral negotiation. Switzerland’s posture, as of the early-2026 working position, is that the regulation does not directly bind Swiss-domiciled providers; Iceland’s posture is similar. The customer’s working assumption is that the regulation does not produce direct compulsion at Swiss or Icelandic mailhosts in 2026, but the bilateral question is unresolved and a 2027 update may shift the assumption.
NIS2 (the Network and Information Security Directive, Directive (EU) 2022/2555) entered force in late 2024 and produced national-implementation legislation in EU member states through 2024-2025. NIS2 imposes operational-security obligations on a broader class of digital service providers than its predecessor; the practical effect on civil-liberties hosting is incidental rather than direct, but a customer running services that touch EU users may find their hosting choice intersecting with the customer’s own NIS2 obligations. Neither Switzerland nor Iceland is bound by NIS2, but a customer whose deployment serves EU users is the customer whose own NIS2 compliance posture interacts with the hosting choice.
The Cybercrime Convention’s Second Additional Protocol (CETS 224, signed 2022, opened for ratification 2023) extends cross-border cooperation in evidence-gathering — particularly subscriber-information requests — between the convention’s parties. Both Switzerland and Iceland are convention parties; both have signed but not yet ratified the Second Additional Protocol as of early 2026. The protocol’s ratification timeline through 2026-2028 is one of the variables a customer should monitor; if either jurisdiction ratifies, the cross-border subscriber-information mechanism becomes a faster and lighter-procedural-threshold alternative to the standard mutual-legal-assistance pipeline.
Practical implications
For most editorial-register customers, the 2024-2026 drift has not changed the practical posture. The conservative jurisdictions remain conservative, the case-law direction has been customer-favourable in both Iceland and Switzerland, and the EU treaty pressure has not produced direct compulsion at the operator side. The customer who selected an Iceland or Switzerland hosting deployment in 2020 is operating in a 2026 jurisdictional reality that broadly matches the working assumption of 2020.
Where the drift matters is at the threshold edges. A customer whose threat model places weight on the slowest-possible cross-jurisdictional cooperation should monitor the Cybercrime Convention’s Second Additional Protocol ratification timeline. A customer whose deployment serves EU users should monitor the e-Evidence Regulation’s bilateral negotiation and the customer’s own NIS2 posture. A customer in Switzerland should monitor the BÜPF revision’s parliamentary path through 2026-2027.
The discipline that compounds: an annual review, conducted by the customer’s counsel where possible and by the customer’s editor where counsel is not available, against the published case-law and the published parliamentary record of both jurisdictions plus the EU. The cost is small (a half-day’s work, typically); the benefit is that the customer’s working assumption is current with the surface the customer is actually operating against.
How to monitor the drift
The sources for monitoring jurisdictional drift in Iceland and Switzerland are reasonably well-defined. For Iceland, the Althingi’s published bill register, the Icelandic Information Commissioner’s annual reports, the Icelandic District Court’s published decisions on hosting and source-protection cases, and the IMMI Foundation’s periodic dispatch on the framework’s status are the working canon. For Switzerland, the Federal Data Protection and Information Commissioner’s published guidance, the Federal Administrative Tribunal’s published decisions, the parliamentary record of BÜPF and revFADP-related discussion, and Proton’s annual transparency reports are the working canon. For the EU treaty layer, the Council of Europe’s published treaty status pages (Cybercrime Convention and its protocols), the EU’s e-Evidence regulation implementation register, and the European Data Protection Board’s published guidance on transfer mechanisms are the working canon.
Most of these sources publish in English. A few — particularly the Icelandic statutes and some Swiss parliamentary discussion — publish in their national languages with delayed English translations. The customer’s annual-review discipline accommodates the delay by reviewing the prior year’s record, which by the review date is in stable English form.
When jurisdictional drift triggers a migration
The threshold for a hosting migration driven by jurisdictional drift is high. A migration is a significant operational commitment — the migration runbook walks the fourteen-day sequence — and an annual-review cadence rarely surfaces drift large enough to justify it. The cases that have justified migrations in editorial-register practice over the past decade share a pattern: a jurisdiction the customer was operating from has shifted in a substantial direction (a new statute that extends provider-retention obligations, a treaty ratification that materially shortens the cross-border-cooperation pipeline, a high-profile case that signals a procedural-threshold change), and the customer’s adversary profile has not changed enough to absorb the shift.
For Iceland and Switzerland through 2024-2026, no shift of that magnitude has occurred. A customer who selected one of the two jurisdictions in 2020 and is operating in 2026 is operating against the same working assumption. The customer who selected Switzerland in 2020 specifically because of the pre-revFADP regime and who reads the revFADP regime as a substantive shift may be in the small population of customers for whom a re-evaluation is warranted; for most customers, the revFADP entry into force has not changed the working posture.
The OffshorePress operational posture
OffshorePress’s operating principles document the operator’s posture: where a domestic Icelandic or Swiss legal vehicle compels disclosure, the operator complies with the domestic frame; where a foreign request arrives without the requisite domestic vehicle, the operator does not comply. The 2024-2026 drift has not changed the posture; the operator’s annual review (the operating principles are reviewed and dated annually, with material changes reflected in the principles’ published cadence) has not surfaced drift large enough to require principle-level revision.
The customer’s adjacent posture — a warrant canary, an annual review of the customer’s own threat model against the published case-law, a documented migration plan in case the threshold is later crossed — remains the customer’s choice. The hosting layer’s operational posture is the layer’s; the customer’s editorial-register posture is the customer’s.
Closing
Jurisdictional drift is the slow-moving variable in offshore hosting and the variable that the editorial-register customer is most likely to forget once the initial deployment is in place. The 2024-2026 drift in Iceland and Switzerland has been customer-favourable on balance — case-law direction, statutory revisions, parliamentary discussion all broadly continuing the pattern that anchored the original choice — but the discipline of monitoring is not optional. The brief is to treat the hosting jurisdiction as a continuously-monitored decision rather than a one-time selection; the cost is small and the cost of skipping it compounds.
Payment for hosting in Monero, Lightning, on-chain Bitcoin, or cash by post. The financial-surface decoupling matters for the same reason: the customer’s payment posture is also a continuously-monitored decision, and the payment-rails comparative covers the operational discipline that compounds with jurisdictional discipline over the working life of the publication.