Starting 1 April 2025, if your Swiss business operates in critical sectors like energy, telecom, or transport, you'll need to report serious cyberattacks to the National Cyber Security Centre within 24 hours of discovering them. This move brings Switzerland closer in line with the EU's NIS2 standards and aims to boost national cyber awareness.
Unlike the EU, though, Switzerland doesn’t have one single cybersecurity law. Instead, it relies on a combination of data protection rules, security requirements for public bodies and infrastructure, and regulations aimed at specific sectors.
In this article, we’ll break down the three main laws shaping cybersecurity compliance in Switzerland to help you understand how these apply to your business.
The Main Cybersecurity Laws and Compliance Regulations in Switzerland
Switzerland has built a layered landscape of laws and regulations. Each plays a distinct role in how businesses and public organisations should protect data, secure their systems, and deal with cyberattacks.
Let’s take a closer look at these laws to see what they’re designed to protect, and what you need to do to stay compliant.
FADP (Federal Act on Data Protection) for Data Collection
The Federal Act on Data Protection (FADP) establishes how personal data is collected, used, and stored in Switzerland. The updated version came into effect on the 1st of September 2023 and is now more in line with the EU’s GDPR, though it still keeps some Swiss-specific features.
The law applies to businesses of all sizes and requires them to:
- Take reasonable steps to protect personal data
- Keep records of how they handle data (when needed)
- Report data breaches that are likely to pose a high risk to the data subjects to the Federal Data Protection and Information Commissioner (FDPIC)
While the FADP mainly focuses on protecting individuals, it also pushes organisations to build security into their systems from the start. The goal is to protect customer data and strengthen trust.
ISA (Information Security Act) for Reporting Security Incidents
The Information Security Act (ISA) is the main law governing how Switzerland protects its public systems and critical digital infrastructure.
An amendment that entered into force on 1 April 2025 introduced a faster reporting duty. Organisations operating in sectors like energy, transport, telecoms, and public services must inform the National Cyber Security Centre within 24 hours of discovering a serious cyberattack. This includes incidents that disrupt services, expose or alter data, or involve other harmful activity.
The purpose of this act is to help authorities spot threats sooner and coordinate responses more quickly across the country.
CSO (Cybersecurity Ordinance & 24‑Hour Reporting Duty)
The Cybersecurity Ordinance (CSO) works alongside the ISA by explaining how the 24-hour incident reporting rule should run in practice, namely:
- Which organisations need to report
- What kinds of cyber incidents count
- When exceptions might apply
Companies must send an initial report within 24 hours of discovering an attack and must follow up with a more detailed report within 14 days.
The first six months after the rule took effect were a transition period with no penalties. Since 1 October 2025, however, individuals who repeatedly fail to report incidents on time can face fines of up to CHF 100,000.
Simply put, the CSO makes the ISA’s general rule clear, specific, and enforceable.
Sector Specific Cybersecurity Regulations
Switzerland has different cybersecurity requirements depending on the industry in which a business operates. Understanding these helps leaders in each sector plan wisely and stay compliant.
Financial Services – FINMA Circular 2023/1
In December 2022, the Swiss Financial Market Supervisory Authority (FINMA) published Circular 2023/1 "Operational Risks and Resilience – Banks", which came into force on 1 January 2024. This guidance puts the management of IT and cyber risks at the heart of how banks and other financial institutions stay resilient and prepared for disruptions.
Institutions supervised by FINMA are expected to:
- Adopt strong governance over cyber and ICT (information and communication technology) risk.
- Use internationally recognised standards for ICT management.
- Regularly test their defences with exercises like penetration tests and scenario drills.
FINMA has also stressed that businesses must quickly report serious IT and cyber incidents. This is part of a wider approach that includes on‑site inspections and making sure organisations are ready to handle crisis situations.
Telecommunications – Telecommunications Act (TCA)
The Telecommunications Act (TCA) mainly covers how telecom networks are licensed and operated. However, it also makes providers responsible for protecting their systems from risks and damage. Under Article 48a, they must take appropriate technical and organisational measures to keep their networks secure and running properly.
On top of that, the Ordinance on Telecommunications Services adds further rules on keeping networks available and gives the authorities the power to block domain names used in scams such as phishing or malware campaigns.
Telecom providers are also required to report major outages or service disruptions that affect a large number of users, so that the authorities stay informed and can react quickly when problems arise.
Energy and Utilities – ICT Minimum Standards & SFOE Collaboration
To help protect energy and utility companies, like power grid operators and gas suppliers, Switzerland has introduced ICT minimum standards.
Developed by the Swiss Federal Office of Energy (SFOE) together with the National Cyber Security Centre (NCSC), these rules set basic technical and organisational requirements for securing critical infrastructure.
The requirements include:
- Doing regular risk assessments
- Using strong authentication
- Keeping system logs
- Monitoring activity
- Having clear plans for responding to incidents
Beyond tech, the standards also focus on good management, staff training, and regularly reviewing security risks.
Penalties for Non-compliance with the Swiss Cybersecurity Regulations
Failing to meet your cybersecurity responsibilities in Switzerland can lead to more than just reputational damage. Depending on the sector and the regulation, businesses can face significant penalties, as follows:
- Missing the 24-hour reporting window for critical infrastructure
If your organisation is part of Switzerland's critical infrastructure (for example energy, telecoms, or transport), you are required to report serious cyber incidents within 24 hours of discovering them. Since 1 October 2025, ignoring this duty can lead to fines of up to CHF 100,000 under the Information Security Act (ISA) and the Cybersecurity Ordinance (CSO).
- Not meeting the basic data protection rules
The revised Federal Act on Data Protection (FADP) expects businesses to take reasonable steps to protect personal data. If someone in your company knowingly ignores these obligations (e.g. failing to secure sensitive data or disobeying an official order), they can be held personally liable, with fines of up to CHF 250,000. Where identifying the responsible person would require disproportionate effort, the company itself can be fined up to CHF 50,000 instead.
- Non-reporting in the financial sector
If you’re a licensed financial institution in Switzerland and you fail to report a serious IT incident to FINMA or the NCSC, the consequences can be steep. Depending on the situation, penalties under the FINMA Act can go up to CHF 500,000. Other measures might include extra supervision, tighter audits, or even bans from holding certain roles.
- Criminal liability for serious breaches
In some cases, non-compliance can lead to criminal penalties. Anyone who intentionally conceals an incident or fails to comply with a legal reporting obligation may face prosecution, with fines of up to CHF 100,000.
Compliance Checklist for Swiss Businesses
To stay on the right side of Swiss cybersecurity laws, it’s important to take proactive steps both to prevent cybersecurity incidents and to deal with them in a timely manner.
Below, we have ten steps you can take to make sure your business is compliant:
- Know which laws apply. Identify whether your business falls under sector-specific rules (such as FINMA or the TCA) or the ISA/CSO reporting duty, and track how these laws evolve so you don't fall behind.
- Assign responsibility. Designate someone to oversee cybersecurity and compliance. This lets the rest of the business focus on its own priorities while ensuring that someone is always aware of how the regulatory and threat landscape evolves.
- Report incidents fast. If required, notify the NCSC or FINMA within 24 hours, or sooner. Don't wait for the issue to resolve itself. Timely reporting helps your own business recover and lets the authorities act more quickly against the wider campaign.
- Secure personal data. Follow the FADP rules for handling and protecting personal information, including the duty to notify the FDPIC of high-risk breaches.
- Document your processes. Keep clear records of how you manage data and systems. This will help you identify and contain a threat quicker if an attack does occur.
- Train your team. Cybersecurity is not all about technology, it’s about people too. Educate staff on cyber risks, reporting duties, and good security habits.
- Test your defences. Run regular penetration tests and audits. This will help you patch vulnerabilities before attackers get the chance to exploit them.
- Have an incident plan. Be ready to respond quickly to cyberattacks. You never know when one might hit, and during critical moments every second counts. A good incident response plan will keep your team organized and focused.
- Review access controls. Use strong authentication and limit data exposure. This applies both to internal teams and to third-party vendors.
- Stay up to date. Monitor regulatory updates and adjust your practices accordingly. Awareness is one of the most important steps in preventing cyberattacks.
Achieve Regulatory Compliance with CyberGlobal Switzerland
Keeping up with cybersecurity regulations can be challenging, but with the right partner, staying compliant is quite an easy task.
At CyberGlobal Switzerland, we combine the right tools with the right people to help your business stay ahead of every important cybersecurity update. Our experts have deep knowledge of local regulations and work closely with you to ensure your organisation remains secure and fully compliant at all times.
And because we see cybersecurity not just as a service, but as a necessity for everyone, we designed our GRC services in Switzerland to grow with your business, no matter your industry or budget.
Reach out to us today, and together we can keep your business safe and compliant!