Cybersecurity 2025

SWITZERLAND Trends and Developments Contributed by: Hugh Reeves, Jürg Schneider and David Vasella, Walder Wyss Ltd

ing Regulations (EC) No 300/2008, (EU) No 167/2013, (EU) No 168/2013, (EU) 2018/858, (EU) 2018/1139 and (EU) 2019/2144 and Direc - tives 2014/90/EU, (EU) 2016/797 and (EU) 2020/1828 (the Artificial Intelligence Regulation, AI Regulation, AI Act or AIA) came into force on 1 August 2024. Its provisions will take effect in stages until August 2027 (Article 113 of the AI Act). The AI Act is the comprehensive regulatory framework by which the EU (or the EEA, the AIA is of EEA relevance) regulates the use of AI sys - tems (AI systems, AIS). Despite its name, the AI Act is not a comprehensive regulation of AI or market behaviour law, but rather a product safety law. It is based on the established princi - ples of product regulation in the European single market. The AI Act is initially applicable in the EU. How - ever, it will be incorporated into EEA law and will then also apply to Norway, Iceland and Liechten - stein. The AI Act is currently at the EEA review stage; it will only be formally incorporated into EEA law after a decision by the Draft Joint Com - mittee. Moreover, a Swiss company may there - fore be subject to the AI Act if it sells an AIS to or in the EU (as a developer, importer or distribu - tor); sells another product in the EU that uses an AIS as a component; or generates output that is used in the EU. Unlike the GDPR, the AI Act itself does not con - tain any provisions for fines, but in Article 99 it requires member states to introduce provisions for fines, as well as other enforcement measures. Fines can be imposed on all actors – ie, on all entities involved in the value chain. Depending on the type of violation, the fines can reach up to EUR35 million or 7% of the turnover.

In Switzerland, however, there is currently no overarching regulation on the use of AI (see 6.2 Cybersecurity and AI in the Swiss Law & Prac - tice chapter in this guide). At the end of 2023, the Federal Council commissioned the Fed - eral Department of the Environment, Transport, Energy and Communications (DETEC) to explore possible approaches for regulation within the framework of the Interdepartmental Coordina - tion Group on EU Digital Policy, by the end of 2024, and a report was published on 11 Febru - ary 2025. As a result, AI is currently governed in Switzer - land by general laws, depending on the legal object affected by the use of AI, such as: • the data protection law (if personal data is processed during training or use); • the secrecy protection law (if secret informa - tion is used for training or as input); • the employment contract law (if the personal data of applicants and employees is pro - cessed and if AI affects the employer’s duty of care); • public labour law (eg, when duties to cooper - ate take effect or when monitoring behaviour is discussed); • personal rights (eg, when conversations or team calls are recorded); • unfair competition law (when AI-generated content can be misleading); • copyright law (eg, when AI is trained with works or uses works as input, and when the protection of output is under discussion); • criminal law (when recording non-public con - versations or when using AI for punishable behaviour in general); • product liability and other liability laws; and • other areas of law.

291 CHAMBERS.COM

Powered by