Cybersecurity 2025

SWITZERLAND Law and Practice Contributed by: Hugh Reeves, Jürg Schneider and David Vasella, Walder Wyss Ltd

1. General Overview of Laws and Regulators

1.1 Cybersecurity Regulation Strategy

Switzerland is a federation comprising 26 federated states (cantons) as well as a federal government. This leads to a layered body of laws as well as, at times, a decentralised official cybersecurity approach. Cybersecurity in Switzerland remains closely tied to the area of data protection. Cybersecurity is frequently perceived as an off-shoot – or even a synonym – of data security, which, as the name suggests, targets the security and resilience of data processing and storage activities.

A further manifestation of the government’s interest in cybersecurity is another governmental venture, the Digital Switzerland Strategy. The Digital Switzerland Strategy sets guidelines for Switzerland’s digital transformation, and is updated annually by the Swiss Federal Council, each time with three focus topics. It is binding on the federal administration and provides guidance for other stakeholders involved in digitalisation. The first Digital Switzerland Strategy was published in 2016, and updates arrived in 2018, 2020 and 2023. On 13 December 2024, the Swiss Federal Council adopted the updated Digital Switzerland Strategy for 2025, with a focus on cybersecurity, the Swiss approach to the regulation of AI systems and the use of AI systems in the federal administration.

In 2023, the Swiss Federal Council approved the new Digital Administration Switzerland Strategy 2024–27, which defines the fields of action to be prioritised in order for the Confederation, the cantons, and cities and municipalities to jointly determine how the digital transformation of administrations is to be driven forward. A second strategy approved by the Swiss Federal Council is the Digital Federal Administration Strategy, which creates a framework for digital transformation projects in the federal administration.

1.2 Cybersecurity Laws

On a federal level, the Swiss Constitution of 18 April 1999 protects the right to privacy, in particular the right to be protected against misuse of personal data (Article 13).

The collection and use of personal data by private bodies are regulated at the federal level and are mainly governed by the Swiss Data Protection Act (the Federal Act on Data Protection; FADP) and its ordinances, including the Data Protection Ordinance (DPO). Data processing by public bodies is governed by the FADP for federal bodies, which includes private organisations performing public tasks such as health insurance providers, pension funds and many others, and by cantonal (for example, the Information and Data Protection Act of the Canton of Zurich) and communal laws for cantonal and communal bodies.

The FADP was revised in order to implement the revised Council of Europe’s Convention 108, and to more closely align with the EU General Data Protection Regulation (GDPR). The revised FADP and DPO entered into force on 1 September 2023.

While the FADP and the GDPR are similar in their approach and purpose, there are notable differences. For example, there is a data breach notification obligation under the FADP, similar to that under the GDPR, but the trigger for notifying a personal data breach to the Swiss data protection authority, the Federal Data Protection and Information Commissioner (FDPIC), is “high risk”, whereas, under the GDPR, any relevant risk requires notification. On 6 February 2025, the FDPIC published non-binding guidance on
