Switzerland, despite not being a member of the European Union, must carefully consider the impact that NIS2 may have on its companies, especially those that operate in close collaboration with the European market. While NIS2 is not mandatory for Swiss companies, it represents a significant opportunity to enhance cybersecurity and increase international appeal.
It is important to note that Switzerland already has its own regulatory framework for cybersecurity, including the LSIN (Law on Information and Network Security), which was recently introduced to ensure the security of critical infrastructures and the national network.
The LSIN, which came into force on January 1, 2024, establishes guidelines for information and network security in Switzerland. This law requires Swiss companies managing critical infrastructures to adopt preventive measures and to report cybersecurity incidents to the National Cyber Security Centre (NCSC).
While the LSIN provides a solid foundation for cybersecurity in Switzerland, the increasing cooperation between Switzerland and the EU makes it relevant for many Swiss companies to also consider NIS2. This directive imposes similar requirements but with a broader and more harmonized European focus.
The NIS2 directive requires affected companies to implement stringent measures for preventing and managing cyber incidents, including mandatory security breach notifications and severe penalties for non-compliance.
Even though these rules apply directly only to EU member states, the question for Swiss companies is: how should they approach this directive?
There are several situations in which a Swiss company might need to assess the applicability of NIS2, especially when operating in close connection with the European market or providing services that fall within the scope of the directive.
Some examples follow:
- Companies Providing Essential Services to European Partners Subject to NIS2:
For example, if a Swiss company provides IT management services or critical infrastructure to a European company subject to NIS2, the latter may require its partners to adhere to the same security standards to ensure its own regulatory compliance.
- Providers of Digital and Technological Services:
If a Swiss company supplies digital and technological services (e.g., cloud computing providers, data centers) to entities within the EU or plays a critical role in providing digital infrastructure (such as a large data center hosting European data), compliance with NIS2 security standards may be required. European businesses might demand NIS2 compliance to ensure the reliability of their operations and services, particularly in handling sensitive data.
- When the Parent Company Is in the EU:
If the Swiss subsidiary is subject to NIS2, but the parent company is not, the Swiss entity may still need to comply with European regulations even though the parent company is not formally bound by the directive.
If the Swiss company falls under NIS2—for example, because it operates in regulated sectors such as energy, finance, transport, healthcare, or digital infrastructure, or participates in a critical supply chain within the EU—it will be directly responsible for meeting the directive’s requirements. This means the company must:
- Implement cybersecurity measures compliant with NIS2, including risk management and protection against cyberattacks.
- Promptly notify the relevant authorities in the EU of any security incidents.
- Designate a NIS2 representative, if required, to ensure regulatory compliance and communication with European authorities.
Even if the parent company is not subject to NIS2, the Swiss subsidiary must act independently to ensure it meets all obligations set forth by the directive.
- Swiss Companies with Subsidiaries or Branches within the EU:
If a subsidiary or branch of a Swiss company operates in one of the EU member states and provides essential or digital services, that subsidiary will be directly subject to NIS2, taking into account also the revenue or annual balance sheet criteria [not exceeding 10 million euros] and the employment levels [up to 50 people]. Even if the headquarters is in Switzerland, the EU subsidiary must comply with the obligations imposed by NIS2, including the adoption of cybersecurity measures and incident reporting.
In these cases, compliance with NIS2 may also indirectly involve the headquarters in Switzerland, especially if the subsidiary relies on IT infrastructure or services provided by the parent company. In such instances, a coordinated approach to cybersecurity may necessitate compliance across the entire business ecosystem, both within and outside the EU.
- Providers of Critical Infrastructure Services:
Companies that provide critical infrastructure services or operate in highly regulated sectors such as defense, healthcare, and telecommunications may be subject to NIS2 if they offer these services or collaborate with regulated European companies. This includes companies that provide cybersecurity services, network monitoring, or supply strategic technologies related to the management of critical European infrastructures.
For example, a Swiss company that provides cybersecurity solutions for the energy sector in Europe may be required to adopt the same security standards outlined by NIS2, even if it does not have a legal entity in the EU.
- Companies Involved in Critical European Supply Chains:
NIS2 may also extend its scope to supply chains. A Swiss company that acts as a supplier within a strategic supply chain for a European company in key sectors could be impacted. For example, if a Swiss company manufactures critical components or provides services to a large European firm in the financial or energy sector, it may be subject to compliance requests under NIS2 from the European client.
In particular, IT or technological supplies to critical infrastructures or major European digital service providers (such as data management software, telecommunications networks, or strategic hardware) could trigger compliance requests to ensure that the entire supply chain is secure.
- Companies Providing Financial or Fintech Services in the EU:
NIS2 imposes stringent obligations on operators in the financial sector, including banks and other institutions that provide related services. Swiss companies offering financial services, fintech solutions, or financial infrastructure to European clients may need to adopt the measures outlined by NIS2 to ensure the security of operations and protection against cyberattacks in the European financial sectors.
- Companies with European Clients Regulated by NIS2:
Even if a Swiss company is not directly obligated by NIS2, it may be required to adhere to its standards due to contractual requests from European clients subject to the directive. Many European clients in regulated sectors (healthcare, energy, finance) may require their Swiss suppliers to implement cybersecurity measures equivalent to those stipulated by NIS2 as a condition for continuing their business collaboration.
What Can We Say About the Role of the Representative Under NIS2? How Can We Integrate It into the Context?
If a Swiss company decides to adhere to NIS2 to operate in compliance with European Union security standards, it must consider a fundamental obligation: the appointment of a representative in the EU.
NIS2 stipulates that companies based outside the European Union, which provide services or operate in sectors regulated by the directive within the EU, must designate a legal representative based in one of the EU member states. This representative is responsible for interacting with supervisory authorities and ensuring that the company complies with all the obligations set forth by NIS2.
The designated representative serves as the official point of contact between the Swiss company and the competent EU authorities and:
- Ensures that the company complies with the security requirements set by NIS2.
- Coordinates the reporting of cybersecurity incidents to EU authorities.
- Ensures that the company responds promptly to information requests from authorities.
- Monitors the implementation of risk management measures and ensures that necessary technical and organizational measures are adopted to prevent incidents.
Switzerland, through the LSIN, has already demonstrated a strong commitment to cybersecurity at the national level. However, the growing economic integration with the European Union could lead to greater collaboration between cybersecurity authorities. The appointment of a representative in the EU can facilitate this collaboration and ensure that Swiss companies align with European regulatory expectations.
Compliance, cybersecurity, and artificial intelligence are redefining the business landscape. Don’t get left behind: rely on LabCode, a brand of Privacy Desk Suisse, where professionals and compliance experts guide you through the digital transformation of your company with complete security.