
Digital regulation in Switzerland: what companies must absolutely know in 2025
In 2025, Switzerland is strengthening its digital regulatory framework to protect data, enhance cybersecurity, and regulate sectors such as e-commerce and artificial intelligence. Here are the key points to remember:
- Data Protection: Since 2023, Swiss law has been aligned with the GDPR with fines of up to 250,000 CHF. In 2025, reinforced requirements include explicit consent for sensitive data and the obligation to maintain a record of processing activities.
- E-commerce: Starting July 2025, digital platforms will be responsible for VAT (8.1%) and must comply with new transparency obligations on pricing and invoicing.
- Cybersecurity: The law mandates regular audits, data encryption, and mandatory two-factor authentication to reduce cyberattacks, which have increased by 70% in recent years.
- Artificial Intelligence: A sector-specific regulatory framework is in progress, with compliance costs estimated between 218,000 CHF and 3.7 million CHF for high-risk systems.
Quick Comparison of the Concerned Areas
Area | New Key Requirements | Implementation Date |
---|---|---|
Data Protection | Record of activities, incident management | 01/01/2025 |
E-commerce | VAT for platforms, price transparency | 01/07/2025 |
Cybersecurity | Regular audits, incident reporting | Already in effect |
Artificial Intelligence | Sectoral framework for responsible AI | Under preparation for 2025 |
Advice: Companies must take action now to ensure compliance by updating their security policies, business practices, and technological systems.
Modifications to the Data Protection Law
Updates to the DPA 2025
The revision of the Federal Data Protection Act (DPA) redefines rules regarding the processing of personal data. Now, sensitive data also includes genetic and biometric information. This updated version establishes specific standards tailored to the Swiss framework.
Area | New Requirements |
---|---|
Sensitive Data | Explicit consent required for processing genetic and biometric data |
Scope | Applies only to individuals (natural persons) |
Integrated Protection | Obligation to apply privacy by design and privacy by default |
Registry | Obligation to maintain a record of processing activities |
Required Actions for Companies
- Record of Activities: Maintain a ROPA (Record of Processing Activities) register. Low-risk SMEs may be exempted.
- Data Security: Implement data protection measures by design and by default.
- Incident Management: Establish a clear protocol for reporting data breaches. Note that the reporting threshold is lower than that of the GDPR, requiring prompt notification to the relevant authorities.
These measures raise expectations for transparency and security, directly impacting companies' compliance and public image.
Consequences of Non-Compliance
"The revision of the DPA aligns Swiss data protection law with the European GDPR, allowing for the free flow of data between the EU and Switzerland. While largely equivalent in many respects, the DPA sometimes diverges from the GDPR and goes even further in data protection regulation."
- Konrad Meier, Senior Manager, AI Law Leader in Financial Services | EY Switzerland
Sanctions for non-compliance can reach 250,000 CHF for intentional violations. However, the consequences are not limited to fines: companies also risk tarnishing their reputation. To avoid this, it is advisable to appoint a Data Protection Officer (DPO) responsible for ensuring ongoing compliance and enhancing customer trust.
Consider the implications of these new obligations on your business strategy and corporate image.
Rules and Standards in AI
Just like developments in data protection and cybersecurity, AI rules require strategic adjustments to ensure responsible use of technologies.
Swiss Guidelines on AI
Switzerland adopts a targeted approach, regulating AI by sector. This method aims to support its role as an innovation hub while safeguarding fundamental rights.
Area | Planned Regulation |
---|---|
Social Platforms | Enhanced fight against disinformation and deepfakes |
Autonomous Vehicles | Limited authorization to specific segments |
Health | Development of domain-specific language models |
Data Protection | Alignment with current DPA |
These rules impose clear obligations on companies to ensure that their AI systems comply with current standards.
Requirements for Companies
Companies must implement practices to ensure ethical and responsible use of AI. For high-risk systems, compliance costs range from 218,000 CHF to 3.7 million CHF per year, affecting around 30% of Swiss companies.
- Governance and Responsibility:
  - Define a clear framework for roles and responsibilities.
  - Document development steps and testing processes.
- Data Protection and Security:
  - Transparently explain data processing objectives.
  - Detail system operations and data sources used.
- Training and Awareness:
  - Train employees and establish internal guidelines for AI tool usage.
Comparison with European Rules
"For Switzerland, no regulation is better than bad regulation" – Livia Walpen, Policy Advisor for International Relations at OFCOM.
Switzerland aims to maintain compatibility with the EU while preserving its autonomy. As highlighted by Professor Michael Wade from IMD:
"Not regulating AI would be like allowing pharmaceutical companies to invent new drugs and treatments and market them without testing their safety."
Aspect | Swiss Approach | European Approach |
---|---|---|
Legal Framework | Sectoral Regulation | Comprehensive Regulation |
Scope | Focus on Fundamental Rights | Comprehensive Framework |
Innovation | Preferred Flexibility | Strict Standards |
Surveillance | Risk-Based Analysis | Systematic Classification |
"In Switzerland, we have the infrastructure and some of the world's best talents: we can lead technological development in key areas and align it with Swiss values."
E-commerce and Tax Rules
VAT Changes for E-commerce
Starting January 1, 2025, Switzerland introduces new VAT rules for digital platforms. These platforms, when facilitating the sale of goods, will be considered direct suppliers for VAT. This involves two separate transactions: a VAT-exempt transaction between the seller and the operator, and a VAT-subject transaction between the operator and the buyer.
The applicable VAT rate will be 8.1%. These changes come with specific obligations for marketplaces, detailed below.
Rules for Marketplaces in Switzerland
In addition to the new VAT rules, online marketplaces must comply with several obligations:
Aspect | Requirement |
---|---|
VAT Threshold | 100,000 CHF turnover over 12 months |
Documentation | Mandatory identification of the operator on each invoice |
Reporting | Provide information to the AFC only upon request |
Application | Contracts concluded from 01/01/2025 |
Platform operators must ensure that their billing systems comply with Article 20a of the LTVA. These requirements compel SMEs to update their processes to remain compliant.
Practical Guide for SMEs
To help SMEs adapt to these new rules, here is a simplified guide:
- Information Obligations: E-commerce sites must clearly display:
  - Complete contact details
  - Product details
  - A transparent ordering process
- Order Management: Order confirmations must include:
  - Details of prices including VAT
  - Delivery conditions
  - Explicit identification of the operator, as stipulated in Article 20a
- International Deliveries: Suppliers shipping small parcels to Switzerland must adhere to the VAT threshold requirements mentioned earlier.
SMEs can regularly consult the Confederation's SME portal for updated resources on e-commerce compliance.
Cybersecurity Requirements
Mandatory Security Measures
In 2023, Switzerland recorded 50,000 cyberattacks, with losses exceeding 2 billion CHF in 2022. These figures highlight the urgency for Swiss companies to enhance their cybersecurity. Switzerland 2025 mandates several essential measures:
Area | Requirements |
---|---|
Regular Audits | Quarterly risk assessments and penetration testing |
Protection | Multilayer firewalls and intrusion detection systems |
Authentication | Mandatory two-factor authentication for sensitive access |
Data | Data encryption at rest and in transit |
These initiatives aim to structure effective risk management. Additionally, a new obligation to report incidents further strengthens this framework.
Security Incident Reporting
The National Cyber Security Centre (NCSC) facilitates incident reporting through a simplified process. This system relies on:
- An accessible electronic form for reporting incidents.
- A streamlined administrative procedure to reduce burdens.
- An early warning system based on information sharing among companies.
In addition, adopting robust practices helps enhance companies' resilience against threats.
Security Best Practices
The Swiss Financial Sector Cyber Security Centre (Swiss FS-CSC) advocates for a collective approach to bolster digital security. Here are three priority actions:
- Employee Training: Organize regular awareness programs, including phishing simulations and practical workshops on security best practices.
- Incident Response Protocols: Establish a dedicated team for incident management, with documented procedures and a clear communication strategy.
- Cloud Security: Implement advanced encryption and multi-factor authentication for all cloud integrations, in line with NCSC recommendations.
With a 70% increase in ransomware attacks between 2021 and 2023, these measures are essential to ensure compliance and the survival of businesses in the Swiss digital ecosystem.
Implementation Guide
2025 Regulations Summary
Switzerland is undergoing a digital transformation accompanied by significant regulatory changes. Two key areas are affected by these changes:
Area | New Requirements | Implementation Date |
---|---|---|
Data Protection | Record of processing activities, incident management | 01/01/2025 |
E-commerce | VAT responsibility for platforms, price transparency | 01/07/2025 |
Compliance Checklist
To ensure compliance, companies must follow a structured program. The official Swiss platform EasyGov recommends a three-step approach:
- Initial Assessment: Conduct a comprehensive audit to identify compliance gaps, especially in data protection.
- Technical Compliance: Implement appropriate technical measures. Here's what sanctions.io emphasizes:
  "Institutions must use AI-based monitoring tools to enhance transaction control and regularly update their policies to reflect regulatory changes."
- Training and Documentation: Document your processes and train your teams on the new regulatory requirements.
These steps enable companies to effectively prepare for upcoming changes.
Upcoming Regulatory Developments
The regulatory framework will continue to evolve, with additional measures planned by the end of 2025. Expected changes include:
- A Swiss AI regulation proposal, with a report scheduled for late 2024
- Enhanced transparency requirements for cryptographic transactions
- Extension of due diligence requirements for financial intermediaries
"Thanks to EasyGov.swiss, we can use our limited resources more effectively and customer-oriented, as administrative tasks related to registrations and permits can be quickly and easily completed from the office."