Cybersecurity 2025

SWITZERLAND Law and Practice Contributed by: Hugh Reeves, Jürg Schneider and David Vasella, Walder Wyss Ltd

not expressly call for penetration testing, it can be mandatory to the extent it is a minimum security requirement in specific circumstances.

4. Cyber-Resilience

4.1 Cyber-Resilience Legislation

Concerning cyber-resilience legislation, see 1.1 Cybersecurity Regulation Strategy and 1.2 Cybersecurity Laws.

4.2 Key Obligations Under Legislation

Concerning key obligations under legislation, see 1.1 Cybersecurity Regulation Strategy and 1.2 Cybersecurity Laws.

5. Security Certification for ICT Products, Services and Processes

5.1 Key Cybersecurity Certification Legislation

The FADP regulates the issue of certification in Article 13. Software and system suppliers, as well as data controllers and their subcontractors, can have their products validated by an independent, accredited body. These certifications attest to their compliance with the requirements of the FADP.

In addition to ensuring compliance with data protection standards, these certifications offer a number of advantages. According to Article 22(5) of the FADP, a data controller who adheres to a code of conduct or holds a certification may be exempted from carrying out an otherwise-required data protection impact assessment. These certifications can also be used as a basis for authorising data transfers abroad, even when the recipient country does not offer a level of data protection deemed adequate (Article 12 of the DPO). However, certification mechanisms have so far been little used in Swiss law.

6. Cybersecurity in Other Regulations

6.1 Cybersecurity and Data Protection

Concerning cybersecurity and data protection, see also 1.1 Laws. The only truly overarching body of laws is the federal legislation on data protection, namely the FADP and its implementing ordinances, in particular the DPO. The FADP and the DPO contain provisions on data security, but the Swiss legislator relies on a technologically neutral approach, with the result that these rules on data security remain rather abstract and do not refer to any specific technology, or any specific standard or technical requirement, except for the obligation to keep logs of certain higher-risk processing activities. Under the FADP, an intentional failure to implement certain minimum technical and organisational measures may incur liability for a criminal fine against the responsible individuals of up to CHF250,000, although there is a debate as to whether there are any binding minimum measures.

The ISA of 18 December 2020, which entered into force on 1 January 2024, governs information security practices within the federal government and its administrative bodies. Under the ISA, several ordinances further specify and implement information security requirements and also repeal (inter alia) the CyRV. Importantly, a significant feature of the ISA is the introduction of a reporting obligation for cyber-attacks for public authorities such as universities; federal, cantonal and municipal agencies; inter-cantonal, cantonal and intercommunal organisations; and providers of critical infrastructures, for example in the energy, finance, healthcare, insurance,

283 CHAMBERS.COM
