Answer ... The Data Protection Act and corresponding Data Protection Ordinance establish the rules and minimum requirements for data security and the processing and transfer of personal data. The Data Protection Act is being revised and major changes are expected.

Further, although Switzerland is not an EU member state, the EU General Data Protection Regulation may have implications for Swiss fintech businesses which offer cross-border services.

If a fintech business requires a licence or enters into agreements with regulated financial institutions, additional requirements apply (eg, the FINMA circulars on operational risks and outsourcing).

Answer ... Switzerland’s numerous cybersecurity laws include the following:

• the Data Protection Act, which primarily settles the minimum requirements for the protection of personal data; and
• the Telecommunications Act and its corresponding ordinances and directive, which serve as grounds to provide a qualitative and competitive cyber-infrastructure. The Telecommunications Act aims to limit cyber-risks. The Federal Office for Communication is responsible for the provision and enforcement of a reliable communication environment. The Telecommunications Act also contains a chapter regarding important national interests, including various security-relevant provisions. Communication services must ensure that the communication system functions flawlessly.

If a fintech business requires a licence or enters into agreements with regulated financial institutions, additional requirements apply (eg, the FINMA circulars on operational risks and outsourcing).

There are no particular fintech specific laws, but as fintech solutions regularly affect sensitive data, fintech businesses must adhere to data protection laws and provide the required security measures.