Data Privacy Regulations
The primary data privacy regulations applicable to cloud computing in Switzerland are the Federal Act on Data Protection (FADP) and its implementing ordinance, the Ordinance on Data Protection (DPO), both of which entered into force on 1 September 2023. Due to its extraterritorial scope, the EU General Data Protection Regulation (GDPR) may also apply to cloud computing in Switzerland, albeit this article is limited to Swiss law.
In Switzerland, there is no dedicated legislation governing cloud computing by private entities, with one exception: As of 1 April, 2025, the Information Security Act (ISA) requires Swiss cloud computing providers and operators to report cyber-attacks on their IT resources to the National Cyber Security Centre (NCSC) within 24 hours of becoming aware of the attack (Article 74a and 74b(1)(t) ISA). However, sector-specific legislation may impose special requirements for cloud computing (for example, in the banking, insurance, and health sectors). In addition, the secrecy provisions under Swiss law must be taken into account, as these restrict the use of cloud services and may require certain technical and organisational measures to be implemented. This is the case, for example, with professional secrecy, such as that of doctors and lawyers, and with banking secrecy.
Personal Data, Sensitive Personal Data and the Requirements for its Processing
As in the EU, Swiss data privacy regulations only apply to the processing of personal data. Under the FADP, personal data is broadly defined as any information relating to an identified or identifiable natural person (Article 5(a) FADP). In principle, the term is understood in the same way as under the GDPR. Examples include a natural person’s name, address and account credentials, but also their phone number, IP address and social security number. According to Article 5(c) FADP, the following types of personal data are considered sensitive:
As there is no dedicated legislation governing cloud computing by private entities, the requirements for processing (sensitive) personal data in the cloud are the same as those outside of a cloud environment. For private entities, this means that the processing activities must comply with the data protection principles such as transparency, proportionality and data security (Article 6 and 8 FADP). Furthermore, data must not be processed against the express wishes of the data subjects and sensitive data must not be disclosed to third parties, ie, other controllers (Article 30(2) FADP). Breaching any of these principles means the processing infringes the data subject’s personality rights and is unlawful, unless justified by the data subject’s consent, a prevailing interest or the law (Article 31 FADP). In the case of sensitive personal data, any necessary consent must be given explicitly (Article 6(7)(a) FADP).
Obligations for Data Controllers and Processors
The cloud service provider usually acts as a processor for the customer as defined in Article 9 FADP. The customer can be the controller or a processor itself. In the cloud environment, there are no specific obligations for controllers and processors; instead, they must comply with the general obligations of their respective roles. As the processor, the cloud service provider may only (i) process the data in ways that the controller itself is permitted to do and (ii) assign processing to a third party with the controller’s prior approval. The main obligations of a processor include taking suitable technical and organisational measures (TOMs) for data security (Article 8 FADP) and notifying the controller of any breach of data security as quickly as possible (Article 24(3) FADP).
The main obligations of a processor include taking suitable technical and organisational measures (TOMs) for data security (Article 8 FADP) and notifying the controller of any breach of data security as quickly as possible (Article 24(3) FADP).
As the controller, the customer is responsible for ensuring that the data processing carried out by the cloud service provider on its behalf complies with data protection requirements (see above). Furthermore, the controller has to fulfil the following obligations.
Both the controller and the processor must maintain records of their processing activities (Article 12 FADP) and, under certain conditions, they must issue regulations on automated processing and log their automated processing (Article 4-5 DPO). For more details, see 2.1 Data Security and the Cloud.
Under Swiss data privacy law, there are no specific rules for cross-border data transfers in the context of cloud computing. The general requirements for cross-border data transfers of personal data apply (Article 16-18 FADP).
In principle, Switzerland permits the transfer of personal data abroad only if the destination country guarantees an adequate level of data protection, as determined by the Swiss Federal Council (Article 16(1) FADP). If such an adequacy decision is not in place, personal data may only be transferred abroad if an appropriate level of data protection is guaranteed by additional safeguards – such as by a treaty under international law, standard data protection clauses or binding corporate rules (Article 16(2) FADP).
In exceptional cases, data may even be transferred abroad without additional safeguards. These exceptions include transfers with the data subject’s explicit consent, transfers that are directly connected with the conclusion or performance of a contract and transfers of data that the data subject has made generally accessible and has not explicitly prohibited processing (Article 17 FADP).
The requirements and rules regarding data transfers are described in greater detail in 6. International Data Transfers.
In principle, there are no specific penalties for non-compliance with data privacy regulations in the cloud – with one exception, which concerns the cloud computing providers’ and operators’ duty to report cyber-attacks on their IT resources to the NCSC (Article 74a and 74b(1)(t) ISA; see 1.1 Data Privacy and Cloud Computing and 5.1 Requirements to Report Data Breaches). As of 1 October 2025, if a cloud computing provider or operator fails to comply with this obligation and also fails to submit a report within an additional period set by the NCSC, a fine of up to CHF100,000 may be imposed (Article 74g-74h ISA).
Under the FADP, certain breaches of data protection obligations can result in criminal liability for individuals on condition that a data subject files a complaint. The maximum fine is CHF250,000, and fines are generally imposed on the person responsible for the violation. This includes individuals within private companies, such as directors, officers, and employees with independent decision-making power (Article 29 Criminal Code), provided they acted wilfully (Article 12 Criminal Code). If the responsible individual cannot be identified due to a lack of proper internal organisation, the company may be fined up to CHF50,000 (Article 64 FADP). The relevant breaches include (Article 60-61 FADP):
While the FDPIC cannot impose fines, it may initiate an investigation against controllers and processors (ex officio or upon notification by a data subject or other party) if there are sufficient indications that processing could violate the FADP (Article 49(1) FADP). If the FDPIC concludes that the FADP has been violated, it may order the processing to be fully or partially adjusted, suspended or terminated, and order that personal data be fully or partially deleted or destroyed (Article 51(1) FDPA). The FDPIC may also defer or prohibit disclosure abroad and order the controller and the processor to fulfil their respective obligations under the FADP, such as informing the data subjects about the processing, performing a DPIA or providing data subjects with access to their data.
Data Security Requirements
Swiss data protection law is principle-based. Controllers and processors must ensure a level of data security commensurate with the respective risks, protecting confidentiality, integrity, availability, and traceability. Rather than prescribing specific TOMs or certain technologies, the FADP and DPO expect controllers and processors to calibrate their measures to the data types, processing context and current technology. The only exceptions to this principle-based model are the obligations to issue regulations on automated processing and to maintain data processing logs. If private entities process large volumes of sensitive personal data or conduct high-risk profiling, they must:
However, in the financial, health and other regulated industries, sector-specific regulations may require specific measures. For cloud-based services in the financial sector, for example, the following TOMs are among the measures that are required (depending on certain conditions) or considered best practice:
Encryption in Transit and at Rest
Encryption of data in transit means using a secure communication protocol, for example, the TLS (Transport Layer Security) protocol. This is an encryption protocol that enables secure data exchange between the client (ie, an end device or user application) and the server. The use of TLS is visible to users – eg, by the padlock symbol that is then displayed in the address bar of most browsers.
Data at rest can be encrypted using either symmetric or asymmetric encryption. In symmetric encryption, the same key is used to encrypt and decrypt data. In asymmetric encryption, a pair of public and private keys is used: data encrypted with the public key can only be decrypted with the corresponding private key. In both cases, it is essential to select a suitable encryption method and, in particular, avoid using methods that have become obsolete over time. In January 2024, the FDPIC recommended in its guidelines on TOMs the following algorithms:
Access Control Measures
In addition to encryption, access control measures are essential in a cloud environment. Appropriate TOMs must be taken to ensure that:
While there are numerous possible measures, the following TOMs appear particularly relevant for cloud computing:
The handling of security accidents and breaches is further described in 5. Data Breach Notification.
Swiss law does not recognise “ownership” of personal data. The data subjects’ control arises from personality and data subject rights, while the controller’s control stems from contractual rights and obligations. Cloud agreements typically clarify that data ownership remains with the customer, not the cloud service provider. Furthermore, the corresponding DPA should permit the cloud service provider to process data only on the basis of documented instructions, require it to maintain strict confidentiality and prohibit any use of the data for its own purposes (eg, product development or training AI models).
In the cloud, data subjects retain all rights granted to them under the FADP, including the right to access, rectify and erase their data. Exercising these rights usually involves contacting the data controller – typically the customer – who must then co-ordinate with the cloud service provider, if necessary. When a data subject submits a request to the cloud service provider, the provider is obligated to forward this request to the customer, as stipulated by the DPA. Customers need to ensure that their cloud service provider has established processes and technical measures to efficiently handle such requests, including the extraction or deletion of data stored in the cloud. Furthermore, it is important to conclude contract terms that require cloud service providers to co-operate with the controller and assist them in fulfilling their obligations.
Data portability refers to the capacity to retrieve and transfer information seamlessly across different (cloud) service providers. In the context of cloud computing, data portability has two facets. Firstly, there is the portability necessary for customers to take their data with them when switching to another provider. Secondly, there is the right to portability under data protection law, to which data subjects are entitled under certain conditions.
For customers, achieving technical portability relies on the use of standardised data formats, application programming interfaces (APIs), and appropriate migration tools. To avoid vendor lock-in and enable orderly and efficient transitions between cloud environments, it is advisable to carry out strategic planning and agree on contract terms with the cloud service provider that explicitly address data portability and provide for migration assistance. For more details on data migration and respective assistance services, see 4.4 Exit Strategies and Data Migration.
Under Swiss law, data subjects benefit from a right to data portability for data they have provided to the controller, where automated processing is carried out with the consent of the data subject or in direct connection with a contract concluded between the data subject and the controller. Data subjects may request the controller to deliver the personal data in a conventional electronic format and, where feasible, without disproportionate effort, to transfer the data to another controller (Article 28 FADP). As controllers, customers must ensure that their cloud service provider and the respective services allow them to export the relevant data and assemble the responses to data portability requests within the necessary timeframe (in principle, 30 days; Article 18 and 22 DPO).
According to Article 6(4) FADP, data must be destroyed or anonymised as soon as it is no longer required for the purpose of processing (eg, in the case of agreements, usually for the duration of the agreement). However, data may be stored for a longer period if there is a legitimate interest in storing it (eg, to enforce legal claims, for archiving or to ensure IT security) or if the data is subject to retention obligations (eg, a ten-year retention period applies for accounting records). If further storage can no longer be justified, the data in question must be deleted from all storage media and, in principle, also from backups. In practice, however, it is accepted that data in backups is not deleted immediately but remains stored until the respective backup completes its retention cycle and is overwritten or deleted.
Data retention and deletion in the cloud are primarily governed by contractual agreements such as the cloud service agreement and the DPA, which define how long data is stored and when it must be deleted. Customers can often configure retention periods within the cloud platform, setting rules to retain or delete data automatically after a specified time. Many cloud service providers offer lifecycle management tools that enforce these schedules without manual intervention. When a customer terminates a service, providers usually commit to deleting data within a fixed timeframe; however, archived backups may be retained beyond that period for legal or security reasons.
Customers must conduct thorough due diligence when selecting a cloud service provider – most importantly, verify the provider’s ability to meet the relevant data protection and security requirements, particularly those set out in the FADP. To assess how data will be processed and what risks there are, it is necessary to have at least a basic understanding of the cloud services being procured and their underlying technology. Furthermore, the provider’s contractual framework, including the DPA, should be reviewed to ensure it includes clear roles and responsibilities, sufficient TOMs and effective remedies in case of breach. The DPA must at least cover the minimum legal requirements (see 4.3 Data Processing Agreements and the Cloud).
Especially in regulated sectors, it is important to assess the provider’s (i) certifications (eg, ISO 27001, ISAE 3402), (ii) incident response procedures, and (iii) historical performance in managing data protection issues.
For high-risk use cases (eg, use of new technologies or large-scale processing of sensitive data), the controller must conduct a DPIA and, if the residual risk remains high, consult the FDPIC (Article 22-23 FADP). Furthermore, a transfer impact assessment (TIA) is necessary when personal data is transferred to a country that does not have an adequate level of data protection and standard contractual clauses are used as the transfer mechanisms (see 6.1 Cross-Border Transfer Regulation).
Data protection requirements are usually only addressed selectively in the cloud service agreement (the main contract), for example, by including provisions such as the following:
Additionally, the data processing agreement (DPA), typically included as an annex to the main agreement, serves to reflect data protection requirements (the content and minimum standards for a DPA are described in 4.3 Data Processing Agreements and the Cloud).
According to data protection law, a customer is usually considered a controller while its cloud service provider is considered a processor (or sub-processor), as the latter carries out processing on behalf of the former. This requires the conclusion of a DPA, which states the parties’ relevant rights and obligations in relation to this data processing. Under Swiss law, a DPA must contain at least:
In practice, however, it is common to include further content in light of the GDPR’s requirements, for example, the obligations of the processor to:
DPAs in the cloud environment are structured in a similar manner to standard DPAs. Particularities may arise from the fact that the providers of the most common cloud services are large, multinational companies such as AWS, Google or Microsoft. These cloud service providers use comparatively comprehensive and detailed DPAs, which are difficult for the average customer to negotiate due to the dominant market position of these providers. However, they offer contractual addenda that can be agreed upon to reflect additional requirements (such as those of the health or financial sector), which at least allows for some flexibility.
Exit strategies aim to enable a smooth in-sourcing or transition to a third-party cloud service provider if the customer wants to stop using or is no longer permitted to use the current provider’s services. Reasons for this may include the provider discontinuing its business or services, the customer having business reasons to change provider, or regulatory requirements. Typical termination and exit strategies for cloud service agreements focus on ensuring continuity of business operations and data protection.
To this end, cloud service agreements should pre-define formats for data exports, prohibit data deletion until the customer confirms successful transfer, and bind the cloud service provider to securely erase all data upon completion. Furthermore, the agreement should include migration assistance by the provider – ie, provision of migration tools, training, technical consulting and other services that enable and facilitate the transition, as well as the applicable conditions (eg, rates, duration, co-operation duties, etc).
The actual migration of services and data from one cloud service provider to another often requires careful planning, including compatibility checks, bandwidth considerations and security precautions during transmission. Customers must ensure that encryption keys and access credentials are appropriately managed to prevent data loss or unauthorised access during the migration process. Depending on the circumstances, it may be advisable to run a table-top or limited live migration to test feasibility and timing and to keep a read-only shadow for business-critical datasets during the transition.
Reporting Obligations Under the ISA
Swiss cloud computing providers and operators must report certain cyber-attacks on their IT resources to the NCSC (Articles 74a-74f ISA). Cyber-attacks are defined as any wilfully caused event involving the use of IT resources that results in the confidentiality, availability or integrity of information being compromised or the traceability of its processing being affected (Article 5(e-f) ISA). A cyber-attack must be reported if it:
As of 1 October 2025, failure to comply with this obligation and to subsequently submit a report within the additional period set by the NCSC may result in a fine of up to CHF100,000 (Article 74g-74h ISA).
Reporting Obligations Under the FADP
In addition, the reporting obligation under the FADP must be observed. The controller must notify the FDPIC of any breach of data security that is likely to lead to a high risk to the data subject’s personality or fundamental rights (Article 24(1) FADP). A breach of data security is defined as a breach of security that leads to the accidental or unlawful loss, deletion, destruction or modification or unauthorised disclosure or access to personal data (Article 5(h) FADP). Whether a high risk is likely to exist must be determined based on the severity and the likelihood of possible impairments to the personality and fundamental rights of the data subjects. According to the FDPIC, the following factors should be considered to evaluate the risk:
The controller must also inform the data subject if the FDPIC so requests or if this is required for their protection (Article 24(4) FADP), in particular where data subjects should take mitigating measures (for example, changing login credentials). Failure to comply with the reporting obligation to the FDPIC or to the data subject is not punishable by a fine. However, this may trigger an investigation and subsequent administrative measures by the FDPIC.
Sector-Specific Reporting Obligations
Further to these general obligations, sector-specific provisions may impose additional reporting duties. For example, under Article 29(2) of the Financial Market Supervision Act (FINMASA), insurers and financial market operators are required to report material cyber-attacks to the Financial Market Supervisory Authority (FINMA).
Cloud service providers are legally obligated and typically also required under the DPA to notify customers of a detected data breach as soon as possible. This notification should include details about the extent of the breach, the data that has been affected, and the remedial steps being taken (Article 24(3) FADP). Under the DPA, cloud service providers are typically also required to co-operate fully with customers and assist them in investigating and remedying data breaches. However, as controllers, customers remain responsible for assessing the impact on data subjects and fulfilling notification obligations under data protection law (see 5.1 Requirements to Report Data Breaches and 5.3 Notifying Data Breaches).
In practice, data breaches in the cloud are typically investigated through co-ordinated efforts between the cloud service provider and the customer, usually based on pre-defined incident response procedures. However, due to their proximity to the incident and technical expertise, cloud service providers typically take the lead in investigating the incident, utilising forensic tools, audit logs, and security monitoring systems to determine the cause and scope of the data breach. Following the (first) investigation, remediation measures must be taken, including isolating compromised systems, patching vulnerabilities and improving security controls to prevent a recurrence.
Timelines and Content of Notifications
Cloud computing providers and operators must report cyber-attacks on their IT resources to the NCSC within 24 hours of becoming aware of the attack (Article 74e(1) ISA). The report must contain information on the organisation subject to the reporting obligation, the type and nature of the cyber-attack, its impact, the measures taken, and, if known, the planned further course of action. If not all the necessary information is available at the time of reporting, the organisation must supplement the report as soon as new information becomes available. Information that could incriminate the reporting individual does not need to be disclosed (Article 74e ISA).
If a data breach has to be reported under the FADP, this must be done “as quickly as possible” (Article 24(1) FADP). In practice, the 72-hour period specified in the GDPR is used as a guideline. As per Article 15(1) DPO, the report to the FDPIC must include:
If not all this information is available at the time of notification, it can be submitted later as soon as it becomes available.
Regarding the duty to inform data subjects, the FADP makes no mention of a timeline. However, to ensure that the information has its intended risk-reducing effect – in particular by enabling data subjects to take swift action – the notification should also be provided as quickly as possible (Article 24(1) FADP). Essentially, the controller must provide the same information as required for the notification to the FDPIC, but in simple and comprehensible language. However, the time and duration of the breach, the categories and amount of personal data concerned and the categories and the number of data subjects are not required (Article 15(3) DPO).
Co-Ordination With Cloud Service Providers
The ISA applies to the cloud service provider and operator, who can independently fulfil their duty to report a cyber-attack without needing input from the customer; however, under the FADP, the notification of a data breach must be co-ordinated between the data controller and the provider. The obligations to report to the FDPIC and to inform the data subjects lie solely with the controller. However, the controller depends on the processor not only to be informed about the data breach, but also to subsequently obtain assistance in fulfilling the reporting obligation (and dealing with the data breach). To this end, it is advisable to include appropriate obligations to provide assistance to the controller in the DPA.
Mechanisms for Cross-Border Transfers
As there are no specific rules for international data transfers in the context of cloud computing, the general data protection regulations apply. In principle, Switzerland permits transfers of personal data abroad only if the destination country guarantees an adequate level of data protection (Article 16(1) FADP). The list of countries deemed to offer adequate protection is maintained by the Federal Council (not the FDPIC, as under the previous law) and published in Annex 1 DPO. In addition to all EEA member states, these include Argentina, Uruguay, the United Kingdom, and the USA (provided that the recipient is certified under the Swiss–US Data Privacy Framework), but – unlike under the GDPR – not Japan or Korea.
Where a country is not listed as adequate (including US recipients without Swiss–US Data Privacy Framework certification), transfers are only permissible with additional safeguards. This is the case if an appropriate level of data protection is guaranteed by (Article 16(2) FADP):
As per Article 17 FADP, in certain exceptional cases, transfers may be justified on the basis of:
However, these exceptions are a precarious basis for international data transfers and should therefore not be used for routine transmissions.
Regulation of Cross-Border Transfers in Data Processing Agreements
In practice, the standard contractual clauses (SCCs) are the most important transfer mechanism. The EU-SCCs have been approved by the FDPIC, provided they are used alongside a Swiss addendum that adjusts the references to the GDPR and the EU member states and specifies the competent supervisory authority, applicable law and place of jurisdiction.
International data transfers are usually addressed in the DPA, which incorporates the SCCs with the Swiss addendum. To secure onward transfers by the cloud service provider, the customer should contractually require the provider to agree to the SCCs (with the necessary addendum) with its recipients. Additionally, the customer may contractually oblige the cloud service provider to carry out a transfer impact assessment in such cases and to submit it to the customer upon request.
Data localisation requirements stipulate that personal data must be stored and processed within a specific country or region. Switzerland imposes no general localisation obligation on cloud computing. However, sectoral frameworks – especially in the finance and health sectors – and public procurement preferences can effectively push for data storage and processing in Switzerland, or at least within the EU/EEA. For customers, this means ensuring that the cloud service provider discloses the location of its data centres and sub-processors, and selecting providers that can offer regional data centres, along with contractual guarantees on data residency. Providers, in turn, must implement technical and organisational measures to segregate and control data flows to ensure compliance with localisation requirements. While data localisation may enhance trust through closer oversight, it may also increase costs, reduce flexibility, and restrict access to global innovation.
Conflicts of law are only indirectly addressed in cross-border data transfers, in that the requirements for such transfers depend on the applicability of different laws and the varying levels of protection they offer: If an importing country guarantees an adequate level of data protection from Switzerland’s perspective, personal data may be transferred without further ado. Otherwise, the Swiss level of protection must be achieved through specific safeguards (see 6.1 Cross-Border Transfer Regulation).
In recent years, the main challenge and risk associated with international data transfers has been government access to data – both in terms of assessing whether a country has an adequate level of data protection and, if not, whether a transfer is still possible. This is particularly true for cloud computing, since storing data in the cloud may increase the risk of it being accessed by foreign law enforcement agencies and intelligence services. However, even if such access is (theoretically) possible and the data-importing country does not provide adequate data protection, using a cloud service provider in that country is not ruled out. Usually, the risk of such access by public authorities is evaluated in a TIA and mitigated further by additional protective measures, such as encryption and customer-side key management. If access by public authorities appears highly unlikely in the given circumstances, using a cloud service provider in such a country is permissible.
In Switzerland, compliance audits in cloud environments are generally based on contractual provisions in the cloud service agreement or the DPA. The FADP does not grant the controller (ie, the customer) a statutory right to audit but obliges the controller to ensure that the processor (ie, the cloud service provider) is able to guarantee data security. This requires the controller to obtain a contractual right to audit the processor. In practice, customers only conduct audits when there is a specific reason, such as a data leak or a similar incident. Otherwise, they usually rely on third-party certifications (eg, ISO 27001) or reports from regular audits carried out on behalf of the provider (eg, based on the standard ISAE 3402).
Audits generally examine whether the cloud service provider complies with its legal, contractual and certification obligations. Emphasis is usually placed on data security and the provider’s TOMs. The specific focus of compliance audits otherwise depends on the customer’s sector of activity and whether the audit is carried out within the framework of a certification or audit standard. Any audit concludes with a report, which is made available to the customer, the provider, and possibly third parties such as the provider’s potential customers. The integrity and accuracy of the audit report are generally ensured by engaging independent auditors and relying on recognised standards. Whether and how audit findings are addressed is largely a contractual issue: DPAs typically require the provider to remedy any deficiencies within a specified timeframe and, where applicable, to bear the costs of the audit.
Although the FADP does not impose statutory penalties for non-compliance with audit requirements, failure to maintain appropriate controls may result in an investigation by the FDPIC and potential administrative actions. In regulated sectors, this may also result in an investigation by the relevant supervisory authority, such as FINMA, and corresponding administrative measures. If the cloud service provider, acting as a processor, fails to comply with the contractual audit rights, contractual consequences may arise, such as termination of the contract, indemnification or the imposition of a contractual penalty.
Seefeldstrasse 123
8008 Zurich
Switzerland
+41 58 658 58 58
+41 58 658 59 59
david.vasella@walderwyss.com www.walderwyss.comIntroduction to the Information Security Act With a Focus on the Reporting Obligation of Cyber-Attacks by Critical Infrastructures
Cloud computing has emerged as one of the defining technologies of the digital age. Its ability to provide scalable, flexible, and cost-efficient IT resources makes it an attractive option not only for private businesses but also increasingly for public administrations. Governments worldwide are adopting cloud-based solutions to improve service delivery, reduce infrastructure costs, and foster innovation in e-government initiatives. In Switzerland, too, the use of cloud computing by federal authorities has expanded. The framework for the use of cloud solutions by the Federal Administration is defined in the document “Cloud Strategy”, which was adopted by the Swiss Federal Council in December 2020. The federal administration is pursuing a so-called “hybrid multi-cloud” strategy. It relies primarily on its own data centres and services from federal private clouds, but may also use public cloud services from commercial cloud providers.
Public bodies handle highly sensitive information, ranging from personal data of citizens to classified government records and critical infrastructure data. Thus, ensuring confidentiality, availability, integrity, and traceability is one of the core responsibilities of the federal administration in its information management.
Introduction to the Information Security Act
In January 2024, the Federal Act on Information Security (ISA) and its implementing ordinances (Information Security Ordinance (ISO), Personnel Security Screening Ordinance (PSSO), Industrial Security Procedure Ordinance (ISPO) and Federal Identity Management Systems and Directory Services Ordinance (IAMO)) came into force in Switzerland. This new regulatory framework replaces the former patchwork of sector-specific rules, which had proven inadequate in the face of modern cyber-risks. Past attacks on federal information systems revealed significant gaps, caused, among other things, by outdated and fragmented regulations. The ISA and its implementing ordinances address these weaknesses by unifying information security standards into a single, coherent framework. These provisions outline fundamental requirements for federal information security and establish procedures to enhance Switzerland’s overall resilience against cyber-risks. The following overview first summarises the general provisions of the ISA and then focuses on the newly introduced reporting obligation for cyber-attacks on critical infrastructures, which is highly relevant for cloud providers in Switzerland.
The ISA applies primarily to federal authorities. Cantonal authorities are not generally bound by the Act but must comply with selected provisions where they process federal information or access federal IT systems. The ISA also affects the private sector: providers of digital services and products must ensure compliance if they conclude outsourcing arrangements with public entities and may be directly addressed by the reporting obligation if they fall under the definition of operators of critical infrastructure (see below).
Key obligations for federal authorities under the ISA are:
Depending on the level of protection required, TOMs may include personal security checks, the establishment of security zones, or the implementation of identity and access management systems. The ISA and its implementing ordinances provide only a general framework for such measures and for the classification of information into security levels. It is then the responsibility of each authority, through ordinances and internal directives, to define the specific safeguards and protection levels applicable to the information they handle.
When authorities and organisations subject to the ISA engage third parties, for example, when outsourcing IT operations to cloud service providers, they must incorporate the ISA requirements into the contracts and ensure that compliance with these measures is effectively monitored.
Reporting of cyber-attacks
While the ISA mainly governs federal authorities, it also serves the broader goal of strengthening Switzerland’s cyber-resilience. To this end, the Act introduced a reporting obligation for cyber-attacks to the National Cyber Security Centre (NCSC). Adopted later than the rest of the ISA, this duty entered into force on 1 April 2025. It is intended to centralise incident data, assess the overall threat landscape, and enable the NCSC to issue timely warnings so that potential targets can take protective measures.
The obligation to report cyber-attacks applies to operators of critical infrastructures and therefore extends beyond the general scope of the ISA. The institutions subject to this obligation are listed in Article 74b, paragraph 1 ISA and comprise authorities at all federal levels (including when performing cantonal duties) as well as private-sector companies that provide services essential to the functioning of the economy or the well-being of the population. Examples include nationally significant news agencies (Article 74b paragraph 1 (k) ISA), financial and banking institutions (letter (e)), and pharmaceutical companies (letter (h)). If an institution also offers non-critical services, only incidents involving its critical services fall under the reporting obligation (Article 74b, paragraph 2 ISA). The Cyber Security Ordinance (CySO) defines in detail the reporting requirements, preconditions and exemptions.
Digital service providers and manufacturers of digital products
Remarkably, the reporting obligation applies directly not only to operators of critical infrastructures but also to digital service providers and manufacturers of digital products used in such infrastructures.
According to Article 74b paragraph 1 (t) ISA, digital service providers covered by the obligation comprise operators of cloud computing, search engines, digital security and trust services, and data centres, provided they are based in Switzerland and offer their services to third parties for remuneration (Article 12 paragraph 1 (e) CySO). The category of “digital security and trust services” is interpreted broadly and, in line with Regulation (EU) 910/2014, covers services such as electronic signatures, seals, and timestamps, the delivery of electronic registered mail, authentication certificates, and storage services for electronic signatures, seals, and certificates.
Based on the territoriality principle, the reporting obligation applies to the above categories of IT service providers only if they have their registered seat in Switzerland. The NCSC has clarified that a branch in Switzerland, as a legally dependent business establishment of a foreign provider, does not fulfil this requirement. Foreign entities with a branch in Switzerland are therefore not subject to the reporting obligation. Providers with a registered seat in Switzerland are exempt when they offer their services free of charge. In practice, this means that even if IT services (eg, cloud services) are performed by a Swiss company, the company is not subject to the reporting obligation if the customer contract is concluded with a foreign parent company and the Swiss subsidiary provides the services to its parent without remuneration.
Manufacturers of hardware or software used by critical infrastructures are also directly subject to the reporting obligation under Article 74b paragraph 1 (u) ISA, provided that the products allow remote maintenance access or are used for control and monitoring of operational systems and processes, or public safety functions. With this provision, the Swiss legislature addresses that risks do not only arise when manufacturers have direct access to a critical infrastructure’s IT environment, but also where equipment is manipulated before delivery to end customers, enabling attackers to access the systems at a later date.
A significant safety risk arises when products are used in highly sensitive areas, such as controlling and monitoring physical equipment or processes, or in the public safety sector, including emergency services and police investigations. Given the associated safety concerns, the obligation applies to all manufacturers, regardless of whether their registered seat is in Switzerland or abroad, provided that the cyber-attack has an impact in Switzerland (Article 74b paragraph 3 ISA).
One might ask why IT service providers with remote access to federal IT systems (such as maintenance or support providers) are not also directly subject to the reporting obligation, although the potential impact of cyber-attacks on them appears comparable to that on product manufacturers. The legislative materials do not provide a clear rationale for this distinction. It can be assumed, however, that the legislature regarded the risk posed by stand-alone maintenance providers as less critical, whereas compromised hardware or software products may trigger systemic effects across multiple affected institutions. Moreover, as maintenance providers are often smaller companies, the cost-benefit ratio of imposing a direct obligation may have been considered disproportionate.
IT service providers that fall outside the scope of Article 74b of the ISA are still indirectly impacted by the reporting obligations if they provide services to critical infrastructures. They are contractually required to inform their customers about security incidents that are responsible for reporting these incidents to the NCSC. In practice, this means that while maintenance and support providers do not report to the NCSC directly, they still form part of the reporting chain.
Cyber-attack
Article 5 (d) and (e) ISA define a cyber-attack as any deliberately triggered event involving the use of IT resources that compromises the confidentiality, availability, or integrity of information or affects the traceability of its processing. The focus on intentional acts expressly excludes negligent misconfigurations, such as employee errors leading to unintended data loss. Subject to Article 74d ISA, not every cyber-attack must be reported; the duty is limited to attacks with a serious impact, namely, where the attack:
The rationale for the last condition is that if a cyber-attack remains undetected for a prolonged period (eg, 90 days), industrial espionage or preparations for further attacks cannot be ruled out. Information on attacks that are deliberately designed to evade detection is therefore important for warning other operators of critical infrastructures.
Determination of whether a cyber-attack must be reported lies with the obliged entities. Further guidance is provided in the CySO. Article 14 CySO defines, for example, that the functionality of critical infrastructure is considered at risk if employees or third parties are affected by system interruptions, or if the affected institution can only maintain its activities with the help of emergency plans. The manipulation or leakage of information occurs when business-related information is viewed, modified or disclosed by unauthorised persons, or a report of data security breaches has been made in accordance with the Federal Data Protection Act (FDPA).
Nonetheless, there may remain grey areas in determining whether a reporting obligation exists. If there is uncertainty, the NCSC suggests reporting the incident and also encourages voluntary reports in cases where the statutory criteria are not met or the operator falls outside the scope of Article 74a ISA.
Reporting process and subsequent procedure
Reports can be submitted via the NCSC’s platform, the “Cyber Security Hub”. The platform is not publicly accessible and requires prior registration (access can be requested). It allows for the quick forwarding of information to other authorities where other reporting obligations may apply, including the Swiss Financial Market Supervisory Authority (FINMA) or the Federal Data Protection and Information Commissioner (FDPIC). Alternatively, reports may be made via e-mail or phone to the NCSC. Obliged entities may also outsource the reporting process to third-party service providers (eg, their IT providers) (Article 17 paragraph 2 CySO).
A report must contain details on the institution responsible for reporting, the timeline of the cyber-attack, details of the attacker, nature and execution of the cyber-attack, its impact (eg, severity of the impact on the availability, integrity, and confidentiality of information and the impact of the cyber-attack on the functioning of the organisation or authority), the measures taken, and, if known, the planned further course of action. If not all necessary information is known at the time of reporting, the reporting institution shall provide the missing information as soon as possible. Information that could incriminate the reporting individual does not need to be disclosed (Article 74e ISA).
Reports must be filed within 24 hours of discovering a cyber-attack (Article 74e, paragraph 1 ISA), including Sundays and public holidays. Given the increasing reliance on outsourced IT services, this raises the question of whose knowledge triggers the deadline: that of the outsourcing provider or that of the entity subject to the reporting duty (eg, a federal authority). The NCSC has clarified that the decisive factor is the knowledge of the obliged entity – in contrast to FINMA’s stricter position on reporting periods under the Financial Market Supervision Act (FINMASA) (see below).
Following a report, the reporting entity is entitled to support from the NCSC in handling the incident. The NCSC’s national computer security response team analyses the cyber-attack and provides assessments and recommendations. This support, however, is limited to first-response measures and only to the extent that it does not compete with services available on the market.
In principle, the NCSC has no authority to order specific security measures or remedies for operators of critical infrastructures following a cyber-attack. The legislature deliberately refrained from granting such competences to avoid discouraging companies and authorities from reporting out of fear of mandatory remedial measures.
An exception exists with respect to vulnerabilities in hardware and software products. If the NCSC becomes aware of such vulnerabilities (not limited to cyber-attacks), it sets a reasonable deadline for remediation. If the deadline is not met, federal authorities may exclude these manufacturers from a procurement procedure or revoke awarded contracts, and the NCSC may publish information about the vulnerability (Article 73b, paragraph 3 ISA).
Violation of the reporting obligation is not per se subject to fines or criminal prosecution. From 1 October 2025, however, if the NCSC suspects a breach, it will notify the affected entity and set two deadlines for reporting (Article 74g ISA). Failure to comply with these deadlines may result in a fine of up to CHF100,000 (Article 74h ISA).
Forwarding of report details
To promote reporting, the NCSC generally treats submitted information as confidential. The Federal Act on Freedom of Information in the Administration, which grants public access to administrative records, does not apply to information contained in reports. The NCSC may, however, forward details of cyber-attacks to other cybersecurity authorities and organisations. Such information must be anonymised unless the reporting entity consents otherwise. Without prior consent, the NCSC may transmit details to law enforcement authorities if the report reveals a serious crime, or to the Federal Intelligence Service if the information is relevant to its statutory tasks (eg, early detection and prevention of threats to internal or external security) (Article 73d ISA). With the consent of the affected institution, the NCSC may also publish information about cyber-incidents (Article 73c ISA).
At the request of the reporting entity, the NCSC may also forward the report to other authorities to help fulfil additional reporting obligations.
Relationship with reporting obligations under the FDPA and FINMASA
Additional reporting obligations may arise – eg, from the FDPA and the FINMASA.
Under the FDPA, a controller must notify the FDPIC of any data security breach that is likely to pose a high risk to the personality or fundamental rights of data subjects (Article 24, paragraph 1 FDPA). This may lead to overlapping reporting obligations under the FDPA and the ISA. Unlike the ISA or the General Data Protection Regulation (GDPR) applicable in the EU, the FDPA does not provide for a fixed reporting deadline; the notification shall be made “as quickly as possible”. This open wording allows for some flexibility and recognises that time may be needed to investigate the issue. In practice, Swiss scholars recommend applying the GDPR 72-hour deadline as a guideline, while missing information may be resubmitted as soon as possible.
Article 29, paragraph 2 FINMASA requires supervised entities to immediately report to the FINMA any incident of substantial importance to the supervision. Such incidents also include material cyber-attacks. FINMA Guidance 05/2020 defines a material cyber-attack as an attack from the internet and similar networks on the integrity, availability and confidentiality of the technology infrastructure, particularly in relation to critical and/or sensitive data and IT systems which impair on the one hand individual protection – ie, the protection of creditors, investors and insured persons, and on the other hand, the stability of the financial markets.
The definition of a material cyber-attack differs from that of a reportable cyber-attack under the ISA. However, it is reasonable to interpret both terms similarly, as both are essentially aimed at incidents that significantly impact the operation of critical IT systems and the protection of sensitive data. In Guidance 03/2024, FINMA clarified that timeliness takes precedence over assessing severity: an initial report to FINMA must be filed even if the materiality threshold has not yet been confirmed. In contrast, such a requirement is not expressly provided for in the ISA, the CySO, or the accompanying documents, and it remains to be seen whether the NCSC will apply equally strict standards.
Entities governed by the FINMASA include insurers, banks, financial service providers, financial market infrastructures and their auditors. There is therefore some overlap with entities subject to reporting obligations under the ISA, which applies, inter alia, to companies subject to the Banking Act, the Insurance Supervision Act or the Financial Market Infrastructure Act. Under FINMASA, an initial notification to the FINMA shall be made within 24 hours, followed by a detailed report within 72 hours via FINMA’s electronic survey and application platform (EHP). Submission of the ISA report to the FINMA may replace the initial report, but the 72-hour report via the EHP remains mandatory, regardless of whether the ISA report has already been forwarded. While the reporting deadlines generally apply only on official banking days, serious cyber-incidents must be reported within 24 hours, even outside banking days.
Notably, the regimes differ not only in their notification periods but also in how reporting deadlines are triggered. Under the FDPA, the clock starts once the controller becomes aware of the breach. A processor’s (eg, cloud provider’s) knowledge is not automatically attributed to the controller; instead, Article 24, paragraph 3 FDPA imposes a separate duty on processors to inform the controller “as quickly as possible”. The controller’s deadline only begins once this notification is received. Nevertheless, controllers remain responsible for ensuring that the processors have appropriate measures in place and are able to notify in a timely manner. This approach is consistent with the attribution of knowledge under the ISA (see above).
FINMA, however, applies a stricter standard. According to Guidance 03/2024, the notification period under FINMASA starts with the first detection of the attack, whether by the obliged entity or its service provider. FINMA justifies this approach with the need to ensure equal treatment between institutions that have functions outsourced and those that do not. This practice should be carefully considered when determining the timing of notifications to FINMA, as relying on the NCSC’s forwarding mechanism may not always be sufficient to ensure compliance with FINMA’s requirements. Consequently, it should be kept in mind to agree on short notice periods when drafting outsourcing agreements between critical infrastructures and IT providers.
Conclusion and outlook
The ISA marks a significant step in unifying Switzerland’s information security framework and enhancing national resilience against cyberthreats. Although the Act itself mainly governs federal authorities, its reporting obligation reaches beyond this circle and applies directly to critical infrastructures, digital service providers, and manufacturers of digital products. For cloud computing in particular, the ISA is highly relevant: cloud providers may be bound contractually to the provisions of the ISA in federal outsourcing arrangements and may themselves qualify as critical infrastructures subject to the reporting obligation.
In view of the reporting obligation, the ISA is only one piece of a broader regulatory puzzle. Depending on the sector, entities may be simultaneously subject to reporting obligations under multiple legal frameworks, such as the FDPA or FINMASA. These frameworks differ in definitions, thresholds, and deadlines – sometimes significantly. For example, while the ISA starts the reporting clock when the obliged entity becomes aware of an attack, FINMA’s stricter standard counts from the first detection, including by an outsourcing provider.
For organisations that use or provide cloud services, this interplay of regimes creates both operational and contractual challenges. Outsourcing agreements must not only embed ISA requirements but also align with stricter reporting standards under FINMASA. More broadly, institutions should map their specific notification duties, assign responsibilities internally, and define how information flows between cloud providers, customers, and authorities.
While focusing on reporting duties, the ISA does not provide for comprehensive measures to ensure the cyber-resilience of digital products in general. Unlike the EU Cyber Resilience Act, which establishes binding security requirements for the design and lifecycle of digital products, Swiss law does not impose substantive product-level obligations. If vulnerabilities in hardware and software products are detected, the NCSC has only a very limited scope for action to foster the closing of security gaps. Recognising this shortcoming, the Federal Council mandated in August 2025 the preparation of draft legislation on the cyber-resilience of digital products, to align with international standards (especially those of the EU) and close vulnerabilities in the Swiss framework.
Seefeldstrasse 123
8008 Zurich
Switzerland
+41 58 658 58 58
+41 58 658 59 59
david.vasella@walderwyss.com www.walderwyss.com