Which cyber security laws will be relevant in Switzerland and the EU in 2025?

Due to the increasing threat of cyberattacks on companies and public administration, legislators in Switzerland and the EU have issued new laws and regulations for cybersecurity, which will come into force in 2024/2025. Top management (board of directors, managing directors, IT managers) must clarify whether their organisation is affected by the new cyber security laws and what new cyber security measures are required. The following article provides a brief overview. (Author: Dr Daniel Burgwinkel, krm.swiss)

Switzerland: Information Security Act (ISG)

The Information Security Act (ISG) has been in force since 1 January 2024 and sets out requirements for the secure handling of data in public administration and for private service providers that process data in this context. A revision of the ISG is planned for 2025, which will cover additional industries/sectors. The Cybersecurity Ordinance (CSV) details the ISG and defines the CSV-specific security requirements. From 2025, the following industries/sectors will be in scope (as of 11/2024) and organisations must check whether there is an obligation to report cyber incidents:

• Universities
• Federal, cantonal and municipal authorities as well as intercantonal, cantonal and intercommunal organisations
• Organisations with public law responsibilities in the areas of safety and rescue, drinking water supply, wastewater treatment and waste disposal
• Companies that are active in the fields of energy supply, energy trading, energy measurement or energy control
• Banks, insurance companies
• Healthcare facilities, Medical laboratories and pharmaceutical companies
• Manufacturers of hardware or software whose products are used by critical infrastructures
• You can find more industries at the end of this article *

The NIS2 Directive came into force in October 2024 and each EU country is adapting its national laws to comply with it. The directive sets EU-wide standards for cybersecurity in a total of 18 critical sectors. Swiss companies operating in the EU or working with EU partners may also be affected by these requirements. The NIS2 Directive sets out clear security requirements for sectors that are considered particularly critical. This new regulation affects organisations operating in the following sectors:

• Energy
• Banking
• Healthcare
• Drinking water, waste water
• Public administration
• Waste management
• Chemical industry
• Food
• Manufacture of medical devices
• You can find more industries at the end of this article **

Industry-specific regulations

In addition to national cybersecurity legislation (ISG, NIS2), there are industry-specific regulations that include requirements for IT security. These include, for example, TISAX for the automotive industry and DORA for the financial industry. However, global companies in particular require their suppliers in Switzerland to fulfil these standards.

Checklist for cyber security laws in 2025

You should clarify the following questions now to make your organisation fit for cyber security in 2025:

Switzerland

• Is my organisation directly affected by the Information Security Act (ISG) and the Cybersecurity Ordinance (CSV)?
• Are my customers and suppliers affected by the ISG/CSV and what measures do we need to implement to ensure a secure supply chain?

EU NIS2:

• Is my organisation in the EU directly affected by NIS2?
• Does a subsidiary fall under the NIS2 sectors?
• Does the export of goods to the EU exceed certain thresholds?
• Is my organisation (in CH or EU) indirectly affected by NIS2, e.g. do my customers fall under NIS2 and require me as a supplier to provide proof of cyber security measures?

How we support you with cyber security and legal compliance

A targeted approach is crucial to ensure cyber protection. Baggenstos and krm.swiss support you in understanding and implementing legal requirements.

• Check your relevant framework conditions: We analyse which laws and regulations apply to your company in Switzerland and the EU.
• Positioning: What safety measures have already been implemented and where is there still potential for optimisation?
• Organisation: We support you with the introduction of organisational measures for comprehensive protection.
• Technology: Our team will advise you on the implementation of technical protection measures.
• Procedure and scheduling: Together we create a realistic plan for implementation.

Conclusion: Cybersecurity - an indispensable basis for trust and business success

The new legal requirements in Switzerland and the EU show that cyber security is far more than just technical protection - it is a cornerstone of trust for your customers and partners. A proactive approach is crucial to fulfil requirements and strengthen your digital resilience.

Why Baggenstos?

Baggenstos supports you in understanding and implementing legal requirements in cyber security. We accompany you from the analysis to the implementation of suitable measures - including workshops to optimally protect your IT. Current dates can be found on our website. Thanks to our collaboration with krm.swiss, we can analyse regulations and develop tailor-made solutions for a secure, legally compliant organisation.

Your contact persons

Othmar Frey, CSO at Baggenstos is at your side as a competent contact person and supports you personally with all questions relating to cyber security and the implementation of the new requirements.

Dr. Daniel Burgwinkel, Partner at krm.swiss, advises organisations on the implementation of legally compliant data management and is a lecturer in cyber security and data management.

Related articles

• Modern Workplace - Baggenstos
• Security: Overview - Baggenstos

Quellen

• BSI - NIS Directive

* Industries/sectors

• Universities
• Federal, cantonal, and municipal authorities as well as inter-cantonal, cantonal, and inter-municipal organizations
• Organizations with public-law tasks in the areas of security and rescue, drinking water supply, wastewater treatment, and waste disposal
• Companies active in energy supply, energy trading, energy measurement, or energy control
• Banks and insurance companies
• Healthcare facilities (see cantonal hospital lists)
• Medical laboratories (see Epidemics Act)
• Pharmaceutical companies (manufacturing, marketing, and importing medicines)
• Health insurers (covering illness, accidents, occupational and income disability, old age, and invalidity)
• Swiss Radio and Television Corporation
• News agencies of national importance
• Providers of postal services
• Railway companies as well as cable car, trolleybus, bus, and shipping companies
• Civil aviation and national airports
• Maritime shipping and port operators
• Companies that supply the population with essential goods for daily needs, whose failure or impairment would lead to significant supply shortages
• Providers of telecommunications services
• Registry operators and registrars of internet domains
• Services and infrastructures that enable the exercise of political rights
• Cloud computing, search engines, digital security and trust services, and data centers, provided they are headquartered in Switzerland
• Manufacturers of hardware or software whose products are used by critical infrastructures

** Sectors

• Energy
• Transport
• Banking
• Financial market infrastructures
• Healthcare
• Drinking water
• Waste water
• Digital infrastructure
• Management of ICT services (business-to-business)
• Public administration
• Space
• Postal and courier services
• Waste management
• Chemical industry
• Food
• Manufacture of medical devices and in-vitro diagnostics
• Manufacture of data processing equipment, electronic and optical products
• Manufacture of electrical equipment
• Mechanical engineering
• Manufacture of motor vehicles and parts
• Vehicle construction
• Provider of online marketplaces
• Provider of online search engines
• Provider of platforms for social network services
• Research facilities