Switzerland is responding to growing threats in cyberspace. On August 20, 2025, the Federal Council decided to draft legislation on the cyber resilience of digital products. The Federal Office for Cybersecurity (BACS), together with the Federal Office of Communications (BAKOM) and the State Secretariat for Economic Affairs (SECO), has been tasked with preparing a consultation draft by fall 2026. The goal is to establish binding security requirements for products with digital elements and strengthen market surveillance for such products.
Key Takeaways
- The Federal Council intends to enshrine cyber resilience of digital products in law
- BACS, BAKOM, and SECO will prepare a consultation draft by fall 2026
- Security obligations for the development and marketing of digital products will be defined, including import and sales bans on unsafe devices
- Market surveillance will be enhanced to ensure vulnerabilities are identified and addressed quickly
- Switzerland is aligning itself with EU regulations such as the Cyber Resilience Act and the NIS-2 Directive
Why This Matters
Digital products have become part of every aspect of life – from smart devices to IoT, software, and connected hardware. If vulnerabilities exist in such products, the consequences can be severe for users, businesses, and critical infrastructure. To date, Switzerland has had very few binding regulations on cyber resilience of digital products. With the new initiative, this regulatory gap will finally be closed.
What Will the New Legislation Cover?
The law is expected to include:
- Security requirements for the development and marketing of digital products
- Market surveillance rules to prevent unsafe products from being sold or imported
- Minimum standards for updates, patches, security testing, and disclosure of vulnerabilities
- Enforcement mechanisms and sanctions for non-compliance
Comparison to EU Initiatives
| Initiative | Focus | Scope | Link to Switzerland |
|---|---|---|---|
| Cyber Resilience Act (CRA) | Security requirements for products with digital elements, lifecycle, updates, reporting obligations | Mandatory across the EU from 2027 | Switzerland aims to adopt similar standards |
| NIS-2 Directive | Protection of critical infrastructure and services against cyberattacks; reporting and preparedness obligations | Applicable in all EU member states | Switzerland aligns its framework with EU norms |
| EU Cybersecurity Act, CER, DORA | Broader regulations on cybersecurity, resilience, and financial services | EU-wide frameworks | Serve as benchmarks for Switzerland |
Benefits and Challenges for Switzerland
Potential Benefits
- Stronger protection for consumers and businesses
- Increased trust in digital products and providers
- Legal certainty for manufacturers and importers
- Reduced costs from security incidents through preventive measures
Challenges
- Overly strict requirements may hinder innovation
- Smaller manufacturers may struggle with compliance costs
- Effective enforcement and market surveillance require significant resources
- Harmonization with international supply chains is essential
Conclusion
The planned Swiss cyber resilience law marks an important step toward modern cybersecurity policy. It closes an existing regulatory gap, establishes binding requirements for digital products, and aligns with proven EU initiatives. For companies, now is the time to proactively integrate compliance, governance, and risk processes to avoid costly adjustments later.

FAQ
What is cyber resilience of digital products?
It refers to the ability of hardware and software with digital elements to remain secure, resist attacks, and quickly fix vulnerabilities.
Why is Switzerland introducing this law?
Because there are currently no binding national rules, despite rising risks from insecure digital products.
When will the draft be ready?
A consultation draft is expected by fall 2026.
What requirements are likely to apply?
Security by design, mandatory updates, vulnerability disclosure, and bans on unsafe devices.
How does this compare to EU laws?
Many elements mirror the Cyber Resilience Act and NIS-2 Directive, which also focus on minimum requirements, reporting duties, and market supervision.
What should companies do now?
Review product portfolios, implement security processes, adjust governance structures, and align with EU standards early.