Key Data & Cybersecurity Laws
How are data and cybersecurity laws/regulations implemented?

Last review date: 11 December 2024

☒  omnibus — all personal data

☒  sector-specific

Sector-specific requirements exist mainly in telecommunications and financial services law and in laws relating to the life science sector, which contain selected additional obligations. More recently, the legislator has increasingly referred to the generally applicable omnibus law instead.

What are the key data privacy laws and regulations?
What are the key cybersecurity laws and regulations?

Last review date: 11 December 2024

Switzerland does not yet have a general cybersecurity law applicable to private companies. However, laws for certain industries contain reporting obligations, such as the Federal Act on the Swiss Financial Market Supervisory Authority, which is relevant for financial institutions.

Moreover, the Information Security Act, which governs information security for governmental bodies and public companies in detail, was revised to introduce a reporting obligation for cyberattacks on critical infrastructures. The term "critical infrastructures" is phrased broadly and may also cover private companies (for example, cloud service providers). The exact date on which this new obligation enters into force is not yet clear: the revision was planned to enter into force on 1 January 2025, but the authorities have not yet published confirmation of that date.

What are the key laws and regulations relating to non-personal data?

Last review date: 11 December 2024

There is no specific act protecting non-personal data. However, certain laws contain selective provisions protecting non-personal data, such as:

  • The Banking Act, which protects bank customer data (which can also be non-personal data) under the banking secrecy provision;
  • The Swiss Criminal Code, which protects, amongst others, data subject to professional secrecy as well as trade secrets;
  • The Telecommunications Act, which protects certain telecommunications-related information under the telecommunications secrecy.

Are new or material changes to those key data and cybersecurity laws anticipated in the near future?

Last review date: 11 December 2024

No material changes are anticipated relating to data privacy, but there are changes relating to cybersecurity.

The Information Security Act was revised and a reporting obligation for cyberattacks on all critical infrastructures was introduced. The term "critical infrastructures" is defined so as to also include private companies (for example, cloud service providers domiciled in Switzerland). However, it is not yet clear when this new reporting obligation will enter into force.

Under the new reporting obligation, cyberattacks would have to be reported if they:

  • jeopardize the functionality of the critical infrastructure concerned;
  • have led to a manipulation (e.g., data encryption in a ransomware attack) or to an outflow of information;
  • remained undetected for an extended period of time, especially if there are indications that they were carried out in preparation for further cyberattacks; or
  • are associated with blackmail, threats or coercion, i.e., in the case of criminally relevant circumstances.

The report must be made within 24 hours. Anonymous reporting is possible.

If a company reports, it is entitled to the support of the Federal Office for Cyber Security in incident management.

Accordingly, the exposure for non-compliance with the reporting obligation is rather limited, and the act does not provide for immediate fines. However, if the Federal Office for Cyber Security finds indications of a violation of the reporting obligation, it will set a deadline within which the company must comply. If the company has still not complied by a second deadline, a fine of up to CHF 100,000 (approx. USD 120,000) may be imposed. Liability would primarily lie with the individual responsible within the company.