Cybersecurity is now a central business concern for technology and digital service providers. Regulatory frameworks in Switzerland and the European Union impose a range of obligations that businesses must meet. Understanding these requirements is key to managing risks and staying compliant with applicable laws.
Switzerland: Information Security and Data Protection
In Switzerland, the legal landscape governing cybersecurity is shaped by the Federal Act on Information Security and the revised Federal Act on Data Protection.
Federal Act on Information Security
The Federal Act on Information Security applies to Swiss public authorities, to private companies that provide services to them, and to operators of critical infrastructure. This includes businesses in sectors such as energy, finance, healthcare, transport, and information and communications technology that support essential services. The law aims to ensure that these entities have adequate safeguards against cyber threats.
Key requirements under the Federal Act on Information Security include:
- Incident Reporting. Businesses that operate critical infrastructure must report significant cybersecurity incidents to the national authority within 24 hours of detection. Reports must contain details of the incident, its impact, and the measures taken to address it. Failure to report can lead to financial penalties.
- Security Measures. The law expects businesses to establish risk-based information security management systems. These systems should be designed to identify and mitigate cyber risks, using recognised standards where possible.
- Governance and Oversight. Senior management is responsible for ensuring compliance with the Federal Act on Information Security. This includes approving security policies and allocating resources for cybersecurity.
Revised Federal Act on Data Protection
The revised Federal Act on Data Protection reinforces the importance of data protection as part of overall cybersecurity. It requires businesses to take appropriate technical and organisational measures to protect personal data.
Important obligations include:
- Data Breach Notification. Companies must notify the Federal Data Protection and Information Commissioner of data breaches that could significantly affect individuals' rights. Notification should happen as soon as possible.
- Vendor Management. When using third-party service providers that handle personal data, businesses must ensure that those providers implement adequate security measures.
- Data Governance. Organisations must document data processing activities and be able to demonstrate compliance with data protection principles.
European Union: Network and Information Systems Directive
The Directive on Security of Network and Information Systems applies to companies operating in sectors deemed essential or important to the economy and society. This includes cloud service providers, data centres, managed service providers, and online platforms.
Core requirements under the Directive include:
- Risk Management. Businesses must implement appropriate security measures to protect networks and information systems. This involves carrying out regular risk assessments, maintaining secure system design, and training staff in cybersecurity practices.
- Incident Reporting. Companies must report significant cybersecurity incidents to the relevant national authority within 24 hours of detection. A more detailed report must be submitted within one month.
- Supply Chain Security. Organisations are required to assess the cybersecurity risks posed by their suppliers and service providers. This includes ensuring that these third parties meet appropriate security standards.
- Management Accountability. Senior management is responsible for approving cybersecurity measures and overseeing their implementation.
Practical Steps for Compliance
Technology and digital service providers can take several practical steps to meet these regulatory obligations:
- Conduct Cybersecurity Risk Assessments. Evaluate systems and processes to identify vulnerabilities and prioritise improvements.
- Implement an Information Security Management System. Adopt recognised standards to formalise cybersecurity processes and policies.
- Develop an Incident Response Plan. Define how to detect, report, and manage cybersecurity incidents to meet legal requirements.
- Review Vendor Contracts and Security Posture. Include clear cybersecurity and incident reporting requirements in contracts with service providers.
- Train Staff and Raise Awareness. Educate employees on cybersecurity risks, best practices, and the company's legal obligations.