NIS2 Switzerland: What Swiss companies need to know now

The most important thing in brief:

NIS2 Switzerland: Background & Significance

Die NIS2 Policy (Network and Information Security Directive), published in December 2022, aims to improve the level of cyber resilience to raise in the EU. It replaces the previous NIS Directive and came into force on October 18, 2024 in force. EU Member States had to transpose them into national law by that date.

For Switzerland, the relevance is particularly evident in the following areas:

• Supply chains & partner relationships: Swiss companies that supply products or services to EU companies may be affected by supply chain rules.‍
• Subsidiaries in the EU: Branches or subsidiaries in the EU that exceed sector or turnover/employee thresholds must implement NIS2 requirements and, if necessary, register.‍
• Parallel to national legislation: Switzerland implements its own Information Security Act (ISG), whose revision from January 1, 2025 It also provides for stricter requirements for critical infrastructures.

Current situation in Switzerland

• that ISG Has been since January 1, 2024 in force and applies primarily to authorities, critical infrastructure operators and their partners. For 2025 is a revision planned, which provides for expansion to additional industries and will partly build on NIS2 standards.
• Swiss companies are therefore caught between two sets of rules: On the one hand, the national ISG with a focus on public authorities and critical infrastructure, and on the other hand, the EU NIS2 Directive, which applies to supply chains and branches.

Difference with other EU states

• In EU countries, the vary NIS2 implementation details strong: Definition of sectors, control mechanisms, reporting requirements, sanctions. Read also our blog articles NIS 2 Directive: Implementation by Germany and NIS2 Austria: What companies need to consider.
• In Germany, for example, national implementation is delayed — a final law is in force at the earliest 2nd quarter 2025 to be expected.
• Switzerland is not directly returning to national regulations, but is rather following the approach that Evidence of compliance with EU customers to enable.

NIS2 Directive Switzerland: What companies should do now

1. Check relevance

• Analyze whether your company directly affected is (e.g. subsidiary in the EU, activity in critical sectors, supply activity for EU companies). Please also read our blog article NIS2: Who is affected? Here's how to check it!
• Auch indirectly affected (e.g. suppliers for critical industries) must prepare.

2nd Implement duties

• Introduction of a information security management system (ISMS), ideally in accordance with ISO 27001, makes it easier to comply with NIS2 requirements.
• Technical: multi-factor authentication, risk analysis, security concepts, regular reviews.

3rd Establish governance & reporting requirements

• Identify clear management responsibilities (e.g. CISO or data protection officer).
• Meet legal deadlines for cyber incidents: 24-hour reporting requirement, full report within 72 hours.

4th Ensure documentation & traceability

• Systematically document risk analyses, ISMS processes, safety precautions, and training.
• This is crucial in order to have evidence ready for EU authorities or customers.

Tip: Professional IT documentation software such as Docusnap helps you comply with NIS2 Switzerland compliance requirements. Find out how it works in our blog article NIS 2 Directive: Requirements, penalties and implementation.

5th Using external support — an opportunity for IT service providers

• The need for advice is increasing: The market for ISMS consultants, audits, and Security-as-a-Service is growing.
• Cooperation with specialized legal or technical partners can speed up implementation.

Role for the Swiss economy

In the long term, these legislative changes promote Digitalization security, strengthen trust in international business and open up new markets for security service providers in Switzerland. At the same time, compliance requirements will be Market access requirements — particularly in EU business.

NIS 2 Switzerland: Deadlines in focus

Conclusion on the EU NIS2 Directive in Switzerland

Even though Switzerland is not part of the EU, the “EU NIS2 Directive in Switzerland” This is not a theoretical requirement, but a reality for many companies, especially those with EU connections. Proactive, documented implementation in accordance with NIS2 standards provides security, strengthens competitiveness and makes doing business in the EU easier. In combination with the national ISG The result is a framework that takes IT resilience and compliance to a new level — a strategic opportunity for companies and IT service providers at the same time.