Switzerland is a federation comprising 26 federated states (cantons) as well as a centralised government. This leads to a layered body of laws as well as, at times, a decentralised official cybersecurity approach.

Cybersecurity in Switzerland remains closely tied to the area of data protection. Cybersecurity is frequently perceived as an off-shoot – or even a synonym – of data security, which, as the name suggests, targets the security and resilience of data processing and storage activities.

On a federal level, the Swiss Constitution of 18 April 1999 protects the right to privacy, in particular the right to be protected against misuse of personal data (Article 13). The collection and use of personal data by private bodies are regulated on a federal level and are mainly governed by the Federal Data Protection Act of 19 June 1992 (the FDPA) and its ordinances, including the Ordinance to the Federal Act on Data Protection (the FDPO).

Data processing by public bodies is governed by the FDPA for federal bodies and by cantonal (for example, the Information and Data Protection Act of the Canton of Zurich) and communal laws for cantonal and communal bodies.

The FDPA was revised in order to implement the revised Council of Europe’s Convention 108 and to more closely align with the EU General Data Protection Regulation (GDPR). After a protracted revision and parliamentary consultation process, Parliament adopted the final text of the revised FDPA on 25 September 2020. There has been no referendum against the revised FDPA, which is scheduled to enter into force on 1 September 2023. Importantly, the revised FDPA will not only bring about more impactful enforcement powers but will also impose on controllers and on processors, on certain conditions, a duty to notify data security breaches. Additional compliance and documentary measures, such as data protection impact assessments and inventories of data processing activities will also be introduced.

There is no overarching cybersecurity legislation in Switzerland to date. However, on 1 July 2020, the Ordinance on the Protection against Cyber Risks in the Federal Administration (CyRV) entered into force. The purpose of the CyRV is firstly organisational as it allocates roles and responsibilities within the federal government and looks to reinforce the governments capabilities and response in the area of cyberthreats. Of particular note is the set-up, under the CyRV, of a centralised competence centre for cybersecurity – the aptly-named National Cyber Security Centre (or NCSC). In addition, on 18 December 2020, with the aim of implementing proper information security practices within the administration, Parliament approved a draft Information Security Act.

Apart from the CyRV, cybersecurity remains mostly regulated by a patchwork of various acts and regulatory guidance, which deal explicitly or implicitly with cybersecurity in the private sector. These laws include:

• the Budapest Convention on Cybercrime (CCC), which entered into force in Switzerland on 1 January 2012, and imposes a harmonisation of Switzerland’s criminal legislation as well as speedy international co-operation mechanisms;
• the FDPA;
• the Federal Telecommunications Act of 30 April 1997 (FTA); and
• the Federal Act on Financial Market Infrastructures and Market Conduct in Securities and Derivatives Trading of 19 June 2015 (FinfrAct). The banking and financial markets legislation also leads to the financial markets regulator’s (FINMA) issuance of various circulars and regulatory notices.

However, the Swiss government has given cybersecurity increasing attention in the past few years and the absence of an overarching ad hoc law on cybersecurity may appear misleading, given the importance and national relevance of this topic. Nonetheless, this conclusion is unlikely to lead the Swiss legislator (Parliament) to issue any topical legislation on cybersecurity in the near future, the CyRV notwithstanding. On the contrary, the federal government has been following a national strategy against cyber-risks (NCS) for the years 2018–22.

The NCS is organised around reaching 247 milestones. The 2021 report on the progress of the NCS, published in August 2021, confirms that this strategy remains largely on track in terms of reaching its various milestones. The NCS purports to strengthen cybersecurity in Switzerland and combat cybercrime. It does not foresee the implementation of a dedicated cybersecurity legislation, rather focusing on modernising various pre-existing laws. The NCS is a testimonial to the growing relevance of cybersecurity in Switzerland, as well as perhaps the increased global threat posed by cyber-risks.

A further manifestation of the government’s interest in cybersecurity is another governmental venture, the Digital Switzerland strategy. The first take on this was published in 2016 and its replacement arrived in autumn 2018; a further update arrived in September 2020, and emphasised in particular environmental protection, digitalisation and data-related policy.

The Federal Data Protection and Information Commissioner (FDPIC) is a body established on a federal level under the FDPA. The FDPIC supervises compliance with the FDPA and other federal data protection legislation by federal bodies, and advises private bodies. On its own initiative, or at the request of a third party, the FDPIC may carry out investigations into data processing by private bodies if their data processing is capable of affecting a large number of persons. In addition, each canton has its own data protection authority, which is generally competent to supervise cantonal and communal bodies (but not private parties, which are subject to the FDPIC’s authority).

Other regulators – for example, the FINMA – may play a role in the enforcement of data protection (see below).

It is also worth mentioning here that the key official actor in the cybersecurity area is the National Cyber Security Centre (NCSC), under the leadership of the Federal Cybersecurity Delegate. Indeed, in an effort to centralise the administrative activities in this area, other actors (such as MELANI, GovCert and CYCO) became an integral part of the NCSC. In particular, MELANI, which used to be the federal reporting and analysis centre for information assurance, and CYCO (cybercrime co-ordination unit) have been merged into the NCSC. These bodies served (and still serve, within the NCSC) early threat detection and management purposes as well as information sharing and co-ordination functions.

The FDPA sets out basic rules applicable to investigations carried out by the FDPIC.

The FDPIC has no direct enforcement powers against private bodies processing personal data. However, on its own initiative or at the request of a third party, it can carry out investigations if a suspected breach of data protection law is capable of affecting a large number of persons (ie, a system error) and in limited additional cases. In the course of an investigation, the FDPIC has the right to demand the production of documents, make inquiries and ask for a demonstration of a particular processing of personal data. However, under the current FDPA, the FDPIC cannot issue binding instructions to the controller, though this is due to change under the revised FDPA.

The FDPIC’s only instrument at this stage is issuing a non-binding recommendation to change or terminate a processing activity. If the recommendation is not followed, the FDPIC may refer the matter to the Federal Administrative Court for a decision on the subject matter of the recommendation. This Federal Administrative Court’s decision is binding but can be appealed before the Federal Supreme Court. Neither these courts nor the FDPIC can impose monetary sanctions, but they can refer the matter for criminal prosecution, which may lead to a fine of up to CHF10,000 in very limited scenarios.

Under the revised FDPA, however, the FDPIC will have direct enforcement powers, including the right to direct the controller to change, suspend or cease processing activities. Failure to comply with a binding instruction will, if referred to criminal prosecution, be liable to a fine against the responsible individuals of up to CHF250,000. Such fines can in particular be levied by the criminal courts against the responsible individual(s) in cases of non-compliance with the minimum legal data security requirements. This increase in the FDPIC’s powers under the revised FDPA and the more dissuasive criminal sanctions are seen as one of the most significant changes in Swiss data protection legislation. Indeed, it could be argued that the current FDPA does not confer sufficient enforcement abilities to the FDPIC and that this, combined with the largely symbolic fines, haves somewhat marginalised the impact of the (current) FDPA across the board.

The investigation by the FDPIC is subject to the Federal Act on Administrative Procedure (APA), which provides for due process rights for the investigated party and third parties – for example, rights to refuse to testify. The procedure before the Federal Supreme Court is regulated by the Federal Act on the Supreme Court.

There is a general view that enforcement of the FDPA has been inadequate in the past. This was one of the drivers of the revision of the FDPA. This perceived lack of enforcement is due to several factors, including the following.

• The FDPIC has no direct enforcement powers against private bodies processing personal data and, with limited resources, typically concentrates on data processing by federal bodies and, in the private sector, on significant or high-profile cases.
• There is no risk of criminal sanctions for a breach of data protection laws, except in very limited scenarios.
• In the event of a breach of data protection law, there is a risk of civil liability claims from the concerned data subjects and, depending on the circumstances, a risk of negative publicity. However, there is normally no financial risk as claims for compensation necessitate establishing a financial loss. There is no claim for compensation of non-material damage, in contrast to the GDPR, or any form of statutory damages.

In the banking and financial markets sector, the regulator, FINMA, supervises the relevant actors (namely banks, insurance companies, financial institutions, collective investment schemes and fund management companies) and plays a role in the cybersecurity realm. Indeed, given the importance of the financial industry in Switzerland, data security and cybersecurity are core concerns.

In case of a breach of the sectoral rules, FINMA has a varied toolbox of enforcement means. These include the revocation of licences to practise, fines or even custodial sentences. FINMA also occasionally and for preventive purposes relies on a “name and shame” strategy, meaning that the author of any offence against the regulatory rules is publicly named.

Switzerland has implemented the Council of Europe’s Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Convention 108) through the FDPA, and, upon entry into force of the revised FDPA, will have finalised its implementation.

In addition, Switzerland is not a member of the EU or of the EEA and under no obligation to implement the EU General Data Protection Regulation (GDPR), but the EU is Switzerland’s most important partner, and ensuring a level playing field for Swiss and EU-based companies is an important policy objective. The revision of the FDPA therefore largely aligns with the GDPR and the revised FDPA will be largely compatible with the GDPR, such that a company that complies with the GDPR should generally be in compliance with the revised FPDA. Moreover, it is expected that the European Commission will not revoke its finding that Switzerland’s data protection legislation provides an adequate level of data protection under the GDPR.

For data processing in relation to criminal prosecution, and in the framework of police and judicial co-operation, Switzerland transposed, on 30 January 2019, EU Directive 2016/680 into domestic Swiss legislation through the revision of the FDPA. It expedited the adoption of this piece of legislation, with the relevant changes having entered into force on 1 March 2019.

Firstly, the FDPA does not provide an official role for NGOs and SROs. Such organisations would not, for example, have a right to bring a civil claim against a company perceived to be in breach of privacy laws. However, there are a number of organisations that promote privacy, including several consumer protection organisations, though they do not perform these tasks on the basis of a legal mandate. Furthermore, NGOs and SROs may request the FDPIC to open investigations if a suspected privacy breach is capable of affecting a large number of persons (ie, a system error) and in limited additional cases.

The NCSC is the key official actor in the cybersecurity area (see 1.2 Regulators).

GovCERT.ch, whose parent organisation is the NCSC, is the Computer Emergency Response Team (CERT) for Switzerland. Its tasks comprise the support of the critical IT infrastructure in Switzerland in dealing with cyberthreats. It maintains close relationships with other CERT organisations, thereby seeking to promote the exchange of cyberthreat-related information.

Moreover, the Federal Intelligence Services (FIS), through their Prophylax programme, seek to raise awareness around economic espionage and cyber-attacks. The Prophylax programme is first of all addressed to local companies, international organisations based in Switzerland as well as local universities and higher education schools. It aims to protect the industrial and education sectors against involuntary leaks.

Furthermore, the FDPIC retains strong prerogatives given the absence of stand-alone cybersecurity legislation.

Given the federal system in Switzerland, it should also be borne in mind that other cantonal or inter-cantonal bodies serve a purpose of information sharing. This is notably the case of the inter-cantonal Swiss Criminality Prevention Service (or SKP PSC, under its German or French and Italian-language moniker). This service seeks to facilitate inter-cantonal police co-ordination as well as crime prevention measures.

As mentioned above, the FDPIC retains a central role in the area of cybersecurity. It can investigate cases brought to its attention and can also do so on its own initiative, within its limited powers noted above. The revised FDPA should bring about stronger enforcement powers for the FDPIC (see 1.3 Administration and Enforcement Process).

FINMA is the competent authority in the banking and financial sectors. As part of its statutory mission and in the course of supervising regulated financial entities, FINMA may also request compliance with applicable data protection and data security regulations.

OFCOM is the responsible federal office for the proper implementation of the legal and technical requirements in the communications realm and plays a particularly important role in the area of telecommunications. In the area of unfair competition, the State Secretariat for Economic Affairs (SECO) acts for the Swiss Confederation in civil and criminal proceedings if matters of public interest are at stake.

In contrast to the relevant laws of most European countries, the current FDPA protects information pertaining to legal entities much in the same way it protects information pertaining to individuals, though this will change upon entry into force of the revised FDPA, which will do away with this specificity. The FDPIC therefore considers that a disclosure of information pertaining to legal entities to countries without such protection requires adequate safeguards. Also, because data security is seen as a subset of data protection, the scope of data security provisions encompasses any legal entity personal data as well, thus heightening cybersecurity considerations accordingly. More generally, this is currently a striking difference between the Swiss data protection and data security system by comparison to its EU counterparts.

Moreover, Switzerland has avoided any ad hoc cybersecurity legislation, rather following sector-specific legislating efforts, and cybersecurity remains fundamentally closely tied to the area of data protection.

Lastly, the Swiss legislator has historically defended a so-called “technologically neutral” approach. This means that Swiss laws only seldom address a specific technology. This avoids any lag between technological evolution and the legal landscape and makes Swiss legislation more resilient over time. However, it does come with the drawback that the legislation is not always sufficiently precise, thus resulting in enforcement uncertainty.

The most important development remains the abovementioned revision process of the FDPA.

The Swiss government’s efforts to bolster and centralise cybersecurity and cyberdefence activities are also a promising and ongoing development (see 1.5 Information Sharing Organisations and Government Cybersecurity Assistance concerning the National Cyber Security Centre). In that respect, many commentators, including the NCSC itself, have been sounding the alarm as it appears that Swiss companies as well as public bodies (often on the municipal level) have not been taking cyber threats seriously enough.

In addition, in December 2019, the government announced that it was considering introducing a general duty on operators of critical infrastructures to notify cyber-attacks. Consequently, in December 2020, the Swiss Federal Council (federal executive body) launched a drafting process which resulted in a consultation process ending in mid-April 2022. This should lead to the introduction of a cyber-attack notification duty upon operators of critical infrastructures.

Public attention remains high. This stems from the stream of data breaches locally and internationally, the increased awareness around data protection worldwide, but also results from some cybersecurity considerations affecting national security.

In this latter category, the ongoing global debate about the participation of certain hardware providers in the roll-out of 5G networks as well as, more generally, trade tensions between East and West have brought national security discussions to the forefront.

The participation of a Swiss company, formerly named Crypto AG, in a decades-long international espionage scheme made the headlines in early February 2020. It appears that a provider of encryption technology had been co-operating with US and German services and included a backdoor into its technology, which technology it provided to an important number of foreign states.

It is too early to foresee any long-term consequences of this matter on the Swiss legal and regulatory landscape, though it will likely lead to questioning Switzerland’s international policy in regard to cybersecurity, cyber-espionage and international co-operation as well as governmental access to and use of encryption technology.

See 1.7 Key Developments.

See 1.1 Laws.

The only truly overarching body of laws is the federal legislation on data protection, namely the FDPA and its implementing ordinances, in particular the FDPO. The FDPA and the FDPO contain provisions on data security. Because the Swiss legislator relies on a technologically neutral approach, these rules on data security remain rather abstract and do not refer to any specific technology, or any specific standard or technical requirement.

So far, and in the foreseeable future, Parliament will not be removing data security from the data protection legislation and will not draft any stand-alone cybersecurity act. Consequently, data protection legislation should remain at the centre of everyone’s cybersecurity considerations and the FDPIC will play an important role going forward (which role will be upheld and bolstered upon entry into force of the revised FDPA – see 1.3 Administration and Enforcement Process). Moreover, under the upcoming revised FDPA, an intentional failure to implement technical and organisational measures determined as a minimum standard by the Swiss Federal Council in the revised FDPO will be liable to a fine against the responsible individuals of up to CHF250,000.

The TCA, and its surrounding ordinances and technical guidelines, includes a notification duty to the OFCOM in case of security incidents and, more generally, contains requirements governing the security and the availability of telecommunications services and networks.

The FinfrAct is a modern law regulating the operation of the financial market infrastructures. It is notable as it takes into account the dependency of said infrastructures on information technology and the ensuing cyber-risks. It seeks to ensure that all relevant actors have robust and resilient systems that permit business continuity and data integrity. As mentioned above, FINMA is essential to the proper implementation of the FinfrAct.

For the data protection regulator, the FDPIC, see 2.4 Data Protection Authorities or Privacy Regulators.

In addition, the Federal Office of Communications (OFCOM), acting under the supervisory oversight of the Federal Communications Commission (ComCom), is the regulator in charge of the telecommunications and information society sectors. OFCOM plays a role in the area of cybersecurity as telecommunications legislation contains rules on telecommunications network security and availability and telecommunications secrecy, both of which may be a concern from a cyber-risk standpoint. OFCOM issues intermittent technical regulations relating to the security and availability of telecommunications services and infrastructures.

Moreover, there is a duty to notify OFCOM regarding issues with telecommunications networks that affect a significant number of users.

In addition, the following authorities may also be competent, albeit indirectly, in the cybersecurity area:

• FINMA, in the financial sector;
• the Federal Office of Civil Aviation is competent in the case of safety-related data breaches in the aviation sector;
• the Federal Nuclear Safety Inspectorate, whose competence is given in case of sector-related data breaches;
• the Federal Department of the Environment, Transport, Energy and Communications, especially in regard to the national railway industry.

See 1.5 Information Sharing Organisations and Government Cybersecurity Assistance.

The National Cyber Security Centre’s (NCSC) predecessor, MELANI, played a helpful role as an information-sharing platform and demonstrated the need for an increased governmental support to the area of cybersecurity. The NCSC is also competent to request the blocking of “.ch” and “.swiss” top-level domains if these are suspected of being used for cybercrime purposes (such as malware distribution and phishing activities).

Given the setting up of the NCSC and the ongoing implementation of the 2018–2022 national strategy for the protection of Switzerland against cyber-risks, Switzerland is currently at a promising turning point in its cybersecurity practice on a federal level. This strengthening of the federal government’s cybersecurity activities also meets a growing public need for more potent cyber-risk mitigation measures.

The FDPIC, as mentioned in 1.2 Regulators, plays a key role in the area of cybersecurity. At this time, the FDPIC cannot open an investigation unless a suspected privacy breach is capable of affecting a large number of persons and in limited additional cases, including if a mandatory notification to the FDPIC has not been made. Nonetheless, the FDPIC is a valuable contact point for all matters relating to data security and is slated to receive further enforcement powers under the revised FDPA.

Upon entry into force of the revised FDPA, the FDPIC will enjoy broader powers and will be able to investigate virtually any breach of data protection regulations.

FINMA, as the financial markets supervisory authority, frequently adopts and adapts various circulars and notices. In particular, FINMA Circular 2008/21 on the Operational Risks at Banks is central to all banks’ cybersecurity practices as it lays out principles and guidelines on proper risk management surrounding client-identifying data (CID). FINMA Circular 2018/3 on Outsourcing by Banks and Insurers is another essential text as it contains rules on the security of data in an outsourcing context. Both these FINMA documents were recently lightly revised (taking into account the needs and limitations of small banks), the latest versions having entered into force on 1 January 2020.

See 2.2 Regulators.

De jure, there is no obligation to abide by any particular technical standards. This is in no small part the result of Switzerland’s technologically neutral approach. In practice, however, companies regularly look to the international standards as a benchmark or as a best practice requirement. This is common in the financial sector, for instance, and is also in line with the requirements of the FDPA as one can presume – as a rule of thumb – that compliance with the international standards, such as the ISO 27001 standards, would provide shelter from data security concerns under the FDPA. Moreover, the revised FDPO will likely introduce minimum standards for technical and organisational measures.

In addition, the FDPA allows the certification of data processing systems or programs as well as private persons or federal bodies that process personal data. This certification, though extremely rare in practice, in effect requires compliance with ISO 27001 as a prerequisite. The reliance on certification mechanisms is expected to gain more traction with the advent of the revised FDPA, which looks to promote such approaches.

There is no “reasonable security” test in Switzerland, nor any framework applied in that respect.

The FDPA contain a reference to “adequate technical and organisational measures” to protect personal data, though this is generally understood as a reference to the use of state-of-the-art technologies, as further detailed in the FDPO.

The FDPO sets out technical and organisational measures as follows:

• general measures imposed on anyone processing personal data – these measures include protection against accidental or unauthorised destruction, accidental loss, technical faults, forgery, unlawful copying or alteration;
• special measures such as entrance control (to premises containing personal data), personal data carrier control, control of transport, disclosure, storage, usage, access and input;
• the maintenance of records of any automated processing of sensitive personal data or personality profiles (with a one-year retention period);
• a processing policy in certain cases of automated data files.

The revised FDPA and, it is expected, the final text of the revised FDPO will remain generally in line with the above, though the revised FDPA expressly asks that the technical and organisational measures must enable the avoidance of data security breaches.

In the financial sector, FINMA Circular 2018/3 on Outsourcing and FINMA Circular 2008/3 on Operational Risks at Banks call for the targeted undertakings to ensure proper resilience and business continuity, as well as adequate incident management plans.

Outsourcing, as well as the use of cloud services, is broadly permitted, though the provider must ensure adequate data security. To that effect, many cloud service providers have sought data security and cybersecurity certifications, though whether they in practice implement proper cybersecurity practices is often difficult for the clients of such services to ascertain. In addition, the parties involved in outsourcings or cloud services may have to implement additional safeguards in case of cross-border disclosures of personal data.

In its 2018–22 national strategy for the protection of Switzerland against cyber-risks, the government stressed the value of effective international co-operation and networking. This strengthening of the international co-operation remains a work in progress and a strategic priority for the government.

That said, Switzerland has been involved with or appears to closely follow the standardisation work internationally, among others with the UN World Summit on the Information Society (WSIS), the International Telecommunications Union (ITU), plus the OECD’s and the WEF’s work on improving digital security.

As a side note, Geneva has been emerging as a hub for internet governance. For instance, the Geneva Internet Platform, which is an initiative of the Swiss authorities, positions itself as a centre for digital policy debates around many ICT topics, including cybersecurity. It serves permanent missions based in Geneva and supports Geneva-based institutions in their digital policy activities.

Under the FDPA and FDPO, there is no general reporting obligation, nor is there an affirmative security requirement. In addition, there is no obligation to notify the data subjects themselves, though arguably controllers would have to do this based on the principles of good faith and transparency, if not under any contractual obligation to do so. There may nonetheless be a public reporting duty, also arising from such principles of good faith and transparency, if it appears unfeasible or unreasonable to reach out to each data subject individually.

In any case, reporting of cyber incidents to the NCSC is well-advised and helps disseminate information about potential cyber-risks across the industry.

Going forward, the revised FDPA will impose reporting requirements on controllers and processors. Controllers will have to report to the FDPIC any data breaches resulting in high risks for the rights and freedoms of the data subjects. Controllers will also inform the data subject if this is necessary for the protection of the data subject or if the FDPIC so requests (some limitations do, however, apply). A processor shall notify the controller as soon as possible of any data security breach. In addition, the Swiss Federal Council (the federal executive arm) initiated, in December 2020, steps towards introducing a breach notification obligation in cases of cybersecurity incidents affecting critical infrastructures (see 1.7 Key Developments).

At the time of writing, there are no specific affirmative security requirements for material business data and material non-public information.

In any case, as noted in 4.1 Personal Data, reporting of cyber incidents to the NCSC is well-advised and helps disseminate information about potential cyber-risks across the industry.

As mentioned in 4.1 Personal Data, in December 2020 the government initiated steps that may lead to a breach notification obligation in cases of cybersecurity incidents affecting critical infrastructures.

Moreover, the Federal Office for National Economic Supply (FONES) published a minimum ICT standard document as well as an ICT self-assessment tool directed at operators of critical infrastructures. This document rests, in part, on the requirements of the quite ubiquitous NIST Framework to which it refers.

Denial of service (or DoS) attacks remain an ongoing threat, often leading – especially in the form of so-called “distributed DoS, DDOS” – to the total incapacitation of the victim’s IT systems and network.

The NCSC issued guidelines on recommended preventive measures and countermeasures to address DDoS attacks. The NCSC is a good first contact point in case of DoS attacks.

In the financial and banking sector, Annex 3 of FINMA Circular 2008/21 Operational Risks at Banks, there is a notification duty in certain cases of data breach. This Circular provides that the banks must have a clear communication strategy in case of serious incidents pertaining to client-identifying data (CID); this communication strategy must specify when it is necessary to notify FINMA, criminal prosecution authorities, the clients concerned and the media.

There has been no specific legislative effort directed at IoT and supply chain actors. This has to do mostly with Switzerland’s technologically neutral approach to legislative action. Therefore, the general requirements under the FDPA in terms of data security play a predominant role, though sector-specific rules may come into play as well. However, the advent and expansion of IoT technologies is a driver of the 2018–22 national strategy for the protection of Switzerland against cyber-risks, in particular in regard to security standards for IoT devices, and this may become in time the focus of new legislative efforts. Lastly, the Digital Switzerland strategy (see 1.1 Laws) mentioned the need for the industry to implement state-of-the-art cybersecurity measures to accompany the growth of IoT on the Swiss market.

There is no general duty to report data security incidents or breaches. As mentioned above (see in particular 4.1 Personal Data), the situation will change in the future under, on the one hand, the revised FDPA and, on the other hand, as a result of governmental motions to introduce a reporting obligation in case of data security incidents affecting critical infrastructures.

The provisions of the revised FDPA impose breach notification duties, on certain conditions, on the controller and the processor.

Sectoral rules and regulations may still come into play. This is notably the case in the banking sector, where FINMA Circular 2008/21 contains wording on reporting and external communication of data security incidents.

See 5.1 Definition of Data Security Incident, Breach or Cybersecurity Event.

In the banking sector, the data covered is CID (client-identifying data).

There are no specific systems covered given the fact that, firstly, there is currently no overarching reporting obligation and, secondly, that the Swiss legislator typically opts for a technologically neutral approach thereby eschewing any discussion around a specific technology (although exceptions exist).

There are no specific cybersecurity and data breach notification rules pertaining to medical devices. However, Swissmedic, the competent sectorial authority, ensures that it makes the general public aware of health risks arising from medical devices.

There are no specific cybersecurity and data breach notification rules pertaining to industrial control systems and SCADA.

There are no specific cybersecurity and data breach notification rules pertaining to IoT. However, various authorities serve as valuable contact points. In particular, the FDPIC and the NCSC play an important role – the former for matters pertaining to data protection and data security, the latter for any voluntary notification of a cyber incident.

Security requirements around IoT are also a priority for the government, which mentioned in its Digital Switzerland strategy (see 1.1 Laws) the need for the industry to implement state-of-the-art cybersecurity measures to accompany the growth of IoT on the Swiss market.

There are no specific mandatory requirements pertaining to security software life cycle, certifications, patching or the disclosure of vulnerabilities. This is mainly due to the technologically neutral approach of Swiss legislation. However, duties to patch faulty security software or disclosure vulnerabilities may arise from the general principles of data protection legislation and such topics could therefore call for a case-specific assessment. In addition, certifications may start to play a bigger role under the revised FDPA.

See 5.1 Definition of Data Security Incident, Breach or Cybersecurity Event.

There is currently no “risk of harm” or similar threshold applicable in Switzerland.

Swiss law offers the competent authorities certain means to monitor telecommunications, including emails and other information.

From a cybersecurity standpoint, the Federal Act on the Intelligence Services (IntelSA) of 25 September 2015 gives the Swiss Federal Intelligence Services (FIS), broad powers to intercept and monitor communications and networks on grounds of national interests, including safeguarding democratic and constitutional principles as well as national and international security.

The IntelSA gives broad powers to the FIS, such as:

• covert surveillance of telecommunications, including telecommunications monitoring, recording and localisation of the targeted person;
• covert intrusion into computer systems and computer networks, even when located abroad; and
• recording of cross-border cable-based networks.

Unlike the USA, Switzerland protects personal information not (predominantly) as a privacy right, but rather as a matter of data protection. In other words, it is the (personal) data and not the individual that is the subject matter of Swiss data protection legislation.

It is a logical next step to treat cybersecurity as a subset of data protection. Indeed, as things currently stand, Swiss law assimilates cybersecurity and data security, which is a core principle of data protection (see above 1.1 Laws and 2.1 Key Laws). There is, therefore, a clear intersection between cybersecurity and data protection.

Going forward, despite the low likelihood of any ad hoc cybersecurity legislation, it is probable that the legislator and the authorities will progressively dissociate the notion of cybersecurity from the area of data protection. Indeed, the protection of personal data is only one among many concerns that cybersecurity must address. For instance, the need, for national security reasons, to protect critical infrastructures may be properly addressed through cybersecurity, though there is arguably little relevance of data protection legislation in that respect (ie, only to the extent that personal data comes into play).

Moreover, the report of the Swiss national strategy on the protection of Switzerland from cyber-risks (in both its 2012 and 2018 versions) considers that cybersecurity concerns the protection of information and communication infrastructures against attacks and disruptions, thereby showing a move away from a data protection environment to a more transversal understanding of the notion of cybersecurity.

There is no general obligation to disclose cybersecurity information with the government. However, sharing of information is generally encouraged and the companies wishing to share the information can approach the bodies mentioned above (see 1.5 Information Sharing Organisations and Government Cybersecurity Assistance) or their sectoral regulators, if any.

See above 1.5 Information Sharing Organisations and Government Cybersecurity Assistance.

To date, there have been no leading or seminal decisions on the specific matter of cybersecurity.

The most significant regulatory intervention came after several leaks in the banking sector during the post-2008 financial crisis. These data leaks were typically not the result of cyber-attacks, but they did lead to a reinforcement of the regulatory landscape; at that time, FINMA revised its Circular 2008/21 to bring increased attention to matters of data security and risk management.

See 8.1 Regulatory Enforcement or Litigation.

The matter is not relevant in this jurisdiction.

Though some basic collective action schemes do exist (with no immediate possibility for the claimants to move for damages), class actions are not permitted in Switzerland.

There is some ongoing discussion to provide for class actions in civil proceedings. Proponents to such class actions received a setback in 2020, with the Swiss government deciding against including class actions in the revision of the Swiss Civil Procedure Code. However, in December 2021, the Federal Council launched a new process towards the introduction of class actions into the Swiss Civil Procedure Code. Class actions are a hotly debated topic, both as a matter of principle as regarding the specificities of such legal instrument, and it is uncertain whether, or in what form, they will make it into the law.

The legal due diligence exercise from a cybersecurity perspective should firstly address any general data protection law considerations, being specified that data security forms an integral part thereof. As a second step, it is necessary to ascertain whether the target of the due diligence process performed any IT systems resilience testing, such as penetration testing. The results of such testing should be disclosed and analysed. In addition, the target of the due diligence should properly document any data breach, and this should include any remedial steps taken and their outcome.

Because of the eminently technical nature of cybersecurity measures, a technical due diligence, performed by IT cybersecurity auditors, is recommended. In any case, the contractual documentation around corporate transactions tends to be qualified regarding any cyber-risks.

There is no public disclosure obligation upon organisations to publish their cybersecurity risk profile or experience.

As a more general consideration, the policy discussions in Switzerland in recent years have shown that cybersecurity is progressively evolving from what once was a purely technical consideration into a mainstream legal topic. Cybersecurity is now not only part of the legal discussions surrounding data protection and data security (in various areas, such as finance and telecommunications), but is also a focus of other branches of the law, such as insurance law.

Moreover, the policy discussions on the federal level are not expected to lead, in the short term, to any overarching cybersecurity law. However, the topic remains highly dynamic and strongly dependent on international developments. Given Switzerland’s size and geographical location, prompt legal developments in the area of cybersecurity are a real possibility.