Cybersecurity 2025

SWITZERLAND Law and Practice Contributed by: Hugh Reeves, Jürg Schneider and David Vasella, Walder Wyss Ltd

transport, communication and IT sectors. In-scope organisations must report cyber-attacks to the NCSC within 24 hours, where the relevant thresholds and definitions are met. This obligation will come into force on 1 April 2025.

As a more general consideration, the policy discussions in Switzerland in recent years have shown that cybersecurity is progressively evolving from what once was a purely technical consideration into a mainstream legal topic. Cybersecurity is now not only part of the legal discussions surrounding data protection and data security (in various areas, such as finance and telecommunications), but is also a focus of other branches of the law, such as insurance law. Moreover, the policy discussions at the federal level are not expected to lead, in the short term, to any overarching cybersecurity law. However, the topic remains highly dynamic and strongly dependent on international developments. Given Switzerland’s size and geographical location, prompt legal developments in the area of cybersecurity are a real possibility.

6.2 Cybersecurity and AI

Concerning cybersecurity and AI, see also 6.1 Cybersecurity and Data Protection. In Switzerland, there is currently no overarching regulation on the use of AI. The FDPIC has published statements and non-binding guidelines on how to address data protection matters in these areas. For example, the FDPIC pointed out that the FADP is directly applicable to AI-based data processing, and the FDPIC expects manufacturers, providers and users of AI systems to ensure transparency concerning the purpose, functionality, and data sources of AI-based processing.

Further, sector-specific regulations address particular data protection issues. For example, the Swiss government has also created a general frame of reference for the use of AI within the federal administration, and FINMA issued binding guidelines on outsourcing and data security for the financial and insurance sector.

The following FADP safeguards can be applied to AI systems.

• Privacy by design/privacy by default: The data controller is obliged to implement technical and organisational measures to ensure that processing complies with data protection requirements right from the outset.

• Obligation to carry out an impact assessment: Where the planned processing is likely to pose a high risk to data subjects or their fundamental rights, the data controller must first carry out a data protection impact analysis. A high risk exists in particular in the case of large-scale processing of sensitive data or systematic surveillance of large parts of the public domain.

• Transparency obligation for automated decisions: The data controller must inform the data subject of any decision taken exclusively on the basis of automated personal data processing that has legal effects on the data subject or significantly affects him or her. The data subject also has the right to express his or her point of view and to demand that the decision be reviewed by a natural person. These measures do not apply where the data subject has expressly consented to the decision being taken by automated means, or where the decision is directly related to the conclusion or performance of a contract and the data subject’s request is met. If the automated decision is made by a federal body, such body must qualify it as such. The

284 CHAMBERS.COM
