Legal Landscapes: Switzerland – Data Protection & Cybersecurity

Leo Rusterholz

Partner, Head of Data & Technology, Valfor Attorneys-at-Law


1 What is the current legal landscape for Data Protection and Cybersecurity in your jurisdiction?

Switzerland combines a modernized data protection framework with evolving cybersecurity regulations. The Federal Act on Data Protection (FADP) and its implementing ordinances govern data processing by private parties (in particular undertakings) and by federal bodies (which are subject to increased duties). Its latest revision has brought Swiss data protection law closer to the EU’s General Data Protection Regulation (GDPR) in a number of aspects (e.g., risk-based compliance expectations, as well as transparency and governance requirements) – with the aim of maintaining adequacy from an EU perspective, an aim that has since been achieved – while remaining a distinct regime (e.g. with respect to enforcement and remedies) and staying true to the general principle that data processing is permitted unless prohibited.

It may come as a surprise that the Federal Data Protection and Information Commissioner (FDPIC) cannot – contrary to its EU counterparts – issue any kind of fines. Fines must instead be pursued by the cantonal criminal prosecution authorities (or in a court of law, if appealed). Moreover, fines primarily target the individuals with decision-making authority rather than the undertaking on whose behalf they process personal data. Fines are thus criminal (and not administrative) in nature.

A layer of often unexpected complexity is added by the fact that cantonal and communal bodies are subject to cantonal data protection laws, of which there are 26. And if public duties or tasks are delegated to undertakings, those undertakings can equally qualify as public (communal, cantonal or federal) bodies.

Separately, Switzerland is strengthening national cybersecurity capabilities and reporting expectations. Beyond sectoral requirements (e.g. for financial institutions regulated by the Swiss Financial Market Supervisory Authority FINMA), the Federal Act on Information Security and its implementing ordinance further operationalized Switzerland’s national cyber strategy and clarified the role of the National Cyber Security Centre by introducing mechanisms for information exchange, support in cyber incidents and (for critical infrastructures and further defined relevant actors) a 24-hour notification duty for certain cyberattacks, with the aim of increasing national resilience and recognizing attack patterns early.

Still, there is no broad, generally applicable framework of cybersecurity measures beyond the technical and organizational measures (TOMs) that apply to all undertakings when processing personal data. The legal landscape can thus be characterized by a dual focus: strengthening individual rights and increasing general governance under the FADP (as a horizontal law) and enhancing national resilience against cyber threats through sector-specific and vertical legislation. Finally, extra-territorial EU regimes also remain key for many Swiss undertakings given their EU footprint.

In practice, undertakings increasingly focus on defensible compliance programs, documentation and incident-handling readiness, including the various notification duties and the related decision-making and evidencing. Evergreens are also cross-border data transfers (and the required contractual/technical safeguards), the allocation of roles and responsibilities in controller/processor chains, and appropriate TOMs, while coordinated vulnerability disclosure concepts and state-of-the-art security expectations continue to gain prominence in contractual negotiations, audits and disputes.

2 What three essential pieces of advice would you give to clients involved in Data Protection and Cybersecurity matters?

First, data protection and cybersecurity should be treated as an integrated governance topic: The comprehensive risk-based compliance program (reflecting the regulatory approach) should provide for clear ownership (including roles in case of incidents), up-to-date policies, and training and controls that reflect actual processing operations and threat scenarios. Challenging cases are often not caused by a lack of – or unwillingness to implement – legal rules, but by unclear internal responsibilities, missing (or not easily retrievable) documentation, or gaps between policy and practice.

Also, said governance must be owned at the executive level and not be delegated entirely to compliance teams. Directors and senior management should understand the obligations which may attach to them personally, ensure appropriate internal escalation mechanisms exist, and ascertain that any incident response is properly documented. The human factor should not be underestimated – people need to be trained to be vigilant as they are usually the weakest link in a security architecture that otherwise reflects state-of-the-art security measures.

Second, early investment in incident response readiness is key: Incident detection capabilities should be (regularly) reviewed, incident response playbooks should be built and tested, escalation paths & protocols (including outside counsel/forensics) should be agreed, and information needed to quickly assess incident notification requirements (under data protection, cybersecurity and sector-specific Swiss and EU laws) should be pre-aligned. This includes pragmatic evidence gathering (logs, timelines, affected systems/data, containment measures) and a communications strategy that is consistent across sector-specific regulators, data protection authorities, customers and business partners.

As often said, an incident is a matter of when, not if. Getting the incident response architecture in place before an incident occurs – and knowing precisely who to call and what to do within the first few hours of an incident – may be the difference between a manageable situation and a (legal/regulatory, financial and reputational) crisis. But architecture alone is insufficient: The playbooks must be tested regularly (e.g., tabletop exercises with legal, IT, communications and management) to expose practical gaps.

Third, the plumbing needs to be right at the foundations: data processing chains need to be mapped; robust data processing terms need to be negotiated, including audit rights, breach notifications and sub-processor governance (noting that when an undertaking is itself subject to a notification period, the period contractually agreed with a vendor or supplier needs to be adequately shorter); and contractual obligations need to be aligned with the security architecture (encryption in transit and at rest, access controls, back-up/restoration and business continuity measures). Vendor commitments should be reviewed for Swiss-specific adequacy (often missed when focusing only on the GDPR).

Mastering data flows is essential and starts with up-to-date records of processing activities (ROPA, a backbone for risk assessments, data subject requests, and defensible documentation). Cross-border data transfers and, increasingly, data sovereignty/localization options must be considered up front with an appropriate mix of legal safeguards and technical measures, not least because of the practical concern that the Data Privacy Frameworks (DPF) enabling transfers from Switzerland, the EU and the UK to the U.S. could be invalidated in the near future. European undertakings often implement Standard Contractual Clauses in parallel as a fallback, so as not to rely exclusively on any single transfer mechanism, which seems advisable.

3 What are the greatest threats and opportunities in Data Protection and Cybersecurity law in the next 12 months?

The greatest threats likely remain operational: ransomware and other extortion scenarios, supply-chain compromises, and slow-burn intrusions that stay undetected for extended periods (including in complex outsourced environments). Such incidents create multi-regime exposure (notifiable data breaches, contractual consequences/remedies, regulatory scrutiny, litigation and reputational impact) and require undertakings to coordinate all workstreams under time pressure. While attacks continue to escalate in both frequency and sophistication, mandatory reporting obligations (under data protection, cybersecurity and sectoral laws) are being introduced, and reputational risk (in particular when attacks are published by attackers, notified data subjects or even regulators) is becoming a very real hidden cost, as it can strain investor confidence as well as existing supplier and customer relationships.

Another threat is the rising enforcement activity (the FDPIC’s preliminary enquiries and investigations have already increased, and the pace is accelerating) combined with increasing technical complexity. The FDPIC actively scrutinizes cross-platform tracking, targeted advertising, and AI-assisted data processing. This adds to the already multi-regime incident reporting/management burden (see above).

Finally, the geopolitical dimension of cross-border data transfers also presents ongoing risk. The Swiss-US DPF remains vulnerable to legal challenge, and an invalidation would create immediate compliance uncertainty for Swiss businesses reliant on US cloud and technology providers.

The opportunity is that the direction of travel is clear: Undertakings are expected to run mature, risk-based programs and to demonstrate compliance and resilience. Increased regulatory guidance and standardization (including on cyber incident reporting and coordinated vulnerability disclosures) can help create measurable controls and contractually enforceable standards. Compliance can thus be turned into a trust and differentiation factor and leveraged as a competitive advantage, especially in cross-border digital services offerings. Data trust as well as localization/sovereignty considerations are increasingly used as differentiators, particularly in data-intensive or otherwise sensitive sectors.

Swiss undertakings can also market themselves as operating within a high-standard, adequate jurisdiction (thanks to the European Commission’s reconfirmation) while retaining certain reliefs and flexibilities compared to EU companies. Thus, they can operate as an EU-trusted data processor, at a time when the EU’s enforcement environment is severe and businesses are seeking jurisdictions with credible but workable legal and regulatory frameworks.

Artificial intelligence presents both a profound threat and a significant opportunity (see 5.). Another emerging area of threat and opportunity is workplace surveillance and people analytics. The increasing use of digital tools for employee monitoring, productivity tracking, and behavioral analysis raises significant data and employee (health) protection concerns. The pandemic accelerated the adoption of remote work technologies, creating new data flows and monitoring possibilities, but undertakings must ensure that any monitoring complies with local law. However, when such tools are implemented responsibly and within the narrow constraints of the law (not disproportionately interfering with employees’ privacy rights), they can provide valuable insights for workforce management, resource deployment and decision-making. Clear governance frameworks, meaningful information to employees, and ensuring that only legitimate business purposes are pursued and served remain key.

4 How do you ensure high client satisfaction levels are maintained by your practice?

We focus on responsiveness (while still being proactive rather than reactive) and on clear and practical deliverables, i.e. the law must be made practically useful and digestible. This includes setting expectations early (as regards scope, timelines and decision points), translating legal requirements into easily implementable steps (policies, playbooks, contractual provisions, governance models), and staying close to the client’s operational reality by working hand-in-hand with IT, security, compliance and communications teams, as applicable. For smaller undertakings that may not have such dedicated teams, we work with C-level management or directors and deploy adjusted methodologies.

We also recognize that technical legal accuracy is necessary but not sufficient – what clients need is clear guidance they can act on immediately within their operating model. We strive to understand our clients’ business objectives first, then tailor our legal guidance to help them achieve those goals in a compliant manner. We present solutions that fit both the operational reality and the risk appetite, allowing resources to be allocated to the areas of highest risk and greatest business impact.

We also emphasize the principle of preparedness before urgency: we encourage tabletop exercises, and pre-agreed pathways and templates that can be activated quickly when an incident occurs. But clients rarely contact us in calm conditions – they usually have breaches to contain, regulators to manage, contractors to negotiate with under time pressure, or compliance programs to build from scratch. With data breaches, we ensure remediation measures are prioritized in a way that matches the business risk. When clients face regulatory scrutiny, we provide strategic advice and practical support, helping them engage constructively with authorities and achieve favorable outcomes. Sometimes positive relationships with regulators can be developed in advance through voluntary engagements, such as seeking guidance on novel processing activities.

We believe that the best client relationships are built on transparency and honesty about uncertainty, including areas of the FADP and cybersecurity framework where regulatory practice is still developing. We never overstate what the law currently requires or what the regulator is likely to do. That candor, we find, builds the trust that underpins a long-term advisory relationship.

We invest in staying ahead of the regulatory curve on behalf of our clients. We monitor publications, regulator guidance, enforcement trends, emerging risks, and EU developments with effects in Switzerland, and reach out to clients with targeted updates before issues arise. This may include practical tools like compliance checklists, training sessions, or incident response simulations to embed the law in the organizational culture. For more mature clients’ legal teams, we help them develop internal expertise, including the education of data protection officers. By empowering clients with knowledge, we enable them to make informed decisions and manage compliance risks effectively. Our goal is for our clients to never feel surprised by a regulatory development – and that when a crisis does occur, they know exactly where to turn.

Finally, we measure client satisfaction through feedback mechanisms, including the detailed client satisfaction data analysis by Legal 500. We solicit feedback on our advice, responsiveness, and overall service quality, refine our approach accordingly, and address any concerns promptly. This is reflected in our client satisfaction accolade for billing & efficiency as the only Swiss firm in the Legal 500 survey.

5 What technological advancements are reshaping your Data Protection and Cybersecurity law and how can clients benefit from them?

AI is the most significant technological force reshaping our field, as regards both risk (e.g., new attack techniques, data leakage and model-related governance) and opportunity (e.g., faster and more accurate incident detection/response capabilities, better handling of data subject requests, triage and evidence collection, and control monitoring/compliance management). Traditional security approaches based on signature detection are increasingly inadequate against AI-powered attacks, but AI-assisted security systems can analyze vast amounts of data from across the IT environment, identifying patterns and anomalies that may indicate security incidents. The integration of AI with security operations allows the detection of previously unknown threats, real-time incident response, and even the prediction of potential vulnerabilities before they are exploited. For clients, this means an improved security posture and reduced data breach risk through a shift from reactive incident response to proactive threat hunting, identifying and addressing security issues before they cause harm.

Although the Swiss government is currently assessing the extent of required AI regulation, Switzerland is not pursuing an EU-AI-Act-style comprehensive framework. Rather, Swiss AI regulation will remain limited to targeted adaptations of existing laws. Relatedly, the FDPIC already confirmed (as expected) a year ago that the FADP applies directly to AI-assisted personal data processing, emphasizing Switzerland’s technology-neutral approach. This gradual, participatory, and staged approach positions Switzerland as a serious cybersecurity actor without overreaching, hopefully attracting domestic technology investments.

AI adoption presents profound data protection challenges, particularly concerning the principles of transparency, data minimization, purpose limitation, cross-border data transfers, automated individual decisions, (high-risk) profiling and data subjects’ rights. The lack of specific AI regulation in Switzerland means that undertakings must rely on and comply with all general data protection principles, creating uncertainty and challenges. At the same time, AI can help analyze data flows across complex IT environments, identifying personal data processing that may have been overlooked in manual inventories. AI can also automatically categorize data based on sensitivity and risk (e.g. through appropriate labelling), enabling prioritization of compliance efforts. AI technologies may reduce the manual effort required for compliance activities while improving accuracy and completeness.

That being said, in contemporary discourse AI is increasingly used as a synonym for large language models (LLM), reflecting an AI hype cycle that focuses on generative foundation models while sidelining other, more traditional and partially well-established machine-learning approaches and techniques. LLMs, however, represent only a subset of AI, and much of the AI traditionally deployed in practice consists of non-generative or even deterministic systems. As long as AI systems are based on probabilistic rather than deterministic methods (noting that LLMs are inherently probabilistic and may produce plausible but completely incorrect outputs with impeccable confidence), a heightened degree of caution is warranted: AI cannot be used in any critical areas without human oversight and verification of every single output.

We are also seeing a rise of sophisticated privacy-enhancing technologies (PET), and clients benefit from leveraging technology for compliance itself. Investments are being made in technical solutions for automated pseudonymization/data minimization, key-management solutions (with customer-held keys in high-sensitivity environments), differential privacy (adding statistical noise to datasets, allowing publication of aggregate statistics without revealing personal data), homomorphic encryption (enabling computations on encrypted data without decrypting it first), and further techniques to derive insights from data without exposing individual-level information, leading to lower regulatory exposure while enabling responsible data-driven innovation. PET can manage ROPAs, streamline the handling of data subject requests, and monitor for data processing anomalies. With PET, clients can move from manual, error-prone efforts to automated, efficient, and robust data governance frameworks, reducing risks and burden while maintaining customer trust.

Finally, real-time detection capabilities can no longer be considered a nice-to-have. We see investments in security operations centers, network monitoring tools, and threat intelligence sharing platforms. These also enable the seamless integration of legal and regulatory reporting obligations into technical response workflows. This ensures that legal counsel is involved from the moment of detection, and that nothing said or documented in the first critical hours creates unnecessary exposure.

The common thread across all of these developments is that the boundary between legal advice and technical risk management is blurring; teams that understand both legal requirements and technical execution are best placed to advise. From a legal perspective, this is reflected in more detailed expectations around TOMs, auditability, and incident cooperation obligations in data processing and outsourcing agreements.

Clients benefit most where technology and legal work are aligned, in particular by (i) using structured risk assessments and automation to keep records, policies and vendor assessments current; (ii) implementing modern detection and response capabilities; and (iii) leveraging coordinated vulnerability disclosure processes to reduce exposure before weaknesses are exploited. Our practice has adapted to provide integrated governance advice that combines legal analysis, risk mapping, and practical implementation support. The author is also engaged by the Europa Institut at the University of Zurich to provide monthly workshops to various stakeholders related to personal data and professional secrecy protection considerations when implementing AI.