Data breach enquiries have risen by 40% since the nDSG came into force (FDPIC activity report). The Act mandates technical and organisational measures to protect personal data, and penetration tests and security audits are among the measures the FDPIC recommends.
This article covers the specific nDSG cybersecurity requirements, practical implementation steps, and how technical security testing supports data protection compliance.
What Does the nDSG Mean for Cybersecurity at Swiss Companies?
The revised Data Protection Act (nDSG) has fundamentally modernised data protection in Switzerland. It aligns more closely with the EU GDPR and imposes new IT security requirements on companies of all sizes. Unlike the old DPA from 1992, the nDSG explicitly requires companies to take “appropriate technical and organisational measures” to protect personal data against unauthorised access, loss, or misuse.
Key changes at a glance:
- Data breach notification obligation: Companies must report data breaches that pose a high risk to affected individuals to the FDPIC “as quickly as possible”. According to FDPIC statistics, over 320 data breach notifications were submitted in the first year after the act came into force — approximately 60% of which involved cyberattacks.
- Privacy by Design and Privacy by Default: Data protection principles must be considered from the outset when developing systems and processes.
- Data Protection Impact Assessment (DPIA): A formal impact assessment is required for high-risk processing activities, which must also consider cybersecurity risks.
- Extended information obligations: Data subjects must be comprehensively informed about data processing, including security measures.
- Criminal sanctions: Violations can be punished with fines of up to CHF 250,000 against natural persons — a significant increase compared to the old act.
The National Cyber Security Centre (NCSC) recorded over 63,000 reported cyber incidents in Switzerland in 2024, underscoring the urgency of robust security measures. Companies that ignore the nDSG expose themselves not only to legal risks but also jeopardise the trust of their customers and business partners.
What Technical Measures Does the nDSG Specifically Require?
Article 8 of the nDSG, in conjunction with the Data Protection Ordinance (DPO), defines the requirements for technical measures. Articles 1-5 of the ordinance specify which protective measures companies must implement. These measures must follow a risk-based approach: the more sensitive the data, the higher the requirements.
Access Control and Authentication
- Multi-factor authentication (MFA) for all systems that process personal data
- Role-based access controls (RBAC) following the principle of least privilege
- Regular review of access rights (at least quarterly)
- Logging of all access to sensitive personal data
- Automatic lockout after failed login attempts
Encryption and Data Integrity
- Encryption of personal data in transit (TLS 1.2 or higher)
- Encryption of data at rest (AES-256 or equivalent)
- Integrity checks to detect unauthorised data manipulation
- Secure key management with regular rotation
- End-to-end encryption for particularly sensitive personal data
Network Security
- Network segmentation to isolate critical data repositories
- Firewalls and Intrusion Detection/Prevention Systems (IDS/IPS)
- Regular vulnerability scans and penetration tests
- Secure configuration of all network components
- Network traffic monitoring for anomalies
Data Backup and Recovery
- Regular encrypted backups of all personal data
- Tested recovery processes (at least semi-annually)
- Geographically separated backup storage
- Documented Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO)
“The technical measures under the nDSG should not be understood as a static checklist, but as a continuous process. Companies must regularly review their security measures and adapt them to the current threat landscape — penetration testing is an indispensable tool in this regard.” — Prof. Dr. David Rosenthal, Data Protection Expert and Partner at Vischer AG, Zurich
What Organisational Measures Are Required for nDSG Compliance?
In addition to technical measures, the nDSG also requires thorough organisational provisions. These form the foundation of a robust data protection strategy and are just as important for nDSG compliance as technical controls.
Data Protection Governance
- Appointment of a data protection advisor (recommended, mandatory in certain cases)
- Creation and maintenance of a register of processing activities
- Documentation of all data flows and processing procedures
- Regular reporting to management on the state of data protection
- Integration of data protection into risk management
Training and Awareness
- Regular data protection and cybersecurity training for all employees
- Specific training for employees with access to sensitive data
- Phishing simulations and social engineering awareness programmes
- Documentation of completed training
According to an NCSC study, over 35% of all successful cyberattacks are attributable to human error, which makes training a critical compliance factor.
Incident Response Process
- Documented incident response plan for data protection breaches
- Clear escalation paths and responsibilities
- Defined processes for reporting to the FDPIC (within 72 hours recommended)
- Communication templates for notifying affected individuals
- Regular exercises and tabletop simulations
Commissioned Data Processing and Third Parties
- Data protection review of all data processors
- Contractual regulation of data protection obligations (data processing agreement)
- Regular audits of data processors
- Ensuring adequate protective measures for data transfers abroad
- Documentation of all sub-processors
What Penalties Apply for Violations of the nDSG?
The sanctions regime under the nDSG differs fundamentally from the EU GDPR. While the GDPR primarily targets companies with percentage-based revenue fines, the nDSG targets natural persons — i.e., the responsible decision-makers within companies.
Criminal Sanctions
- Wilful violation of information and disclosure obligations: Fine of up to CHF 250,000
- Wilful violation of due diligence obligations: Fine of up to CHF 250,000
- Wilful violation of professional secrecy: Fine of up to CHF 250,000
- Non-compliance with FDPIC orders: Fine of up to CHF 250,000
Unlike the GDPR, fines are not imposed on the company but on the responsible natural person. However, under Art. 64 para. 2 nDSG, the company can be ordered to pay the fine if identifying the responsible person would require disproportionate effort and the fine does not exceed CHF 50,000.
Enforcement by the FDPIC
The FDPIC has received expanded investigative powers under the nDSG:
- Initiation of investigations ex officio or upon complaint
- Right of access to all relevant information and systems
- Ordering measures to restore lawful conditions
- Recommendation to initiate criminal proceedings to cantonal prosecution authorities
- Publication of recommendations and decisions
According to the FDPIC’s annual report, several formal investigations have been initiated since the nDSG came into force. The authority has significantly expanded its capacity to effectively exercise its new powers. By the end of 2025, over 200 formal consultations and preliminary assessments had been conducted.
Reputational Risks
In addition to direct financial penalties, companies face significant reputational damage from:
- Publication of FDPIC decisions
- Media coverage of data protection breaches
- Loss of trust among customers and business partners
- Potential civil law damages claims from affected persons
How Do Penetration Tests Help with nDSG Compliance?
Penetration tests are a central instrument for verifying technical data protection measures. They simulate real attacks on IT systems and uncover vulnerabilities that could compromise personal data. In the context of the nDSG, penetration tests fulfil several important functions.
Demonstrating Adequate Technical Measures
The nDSG requires “appropriate” technical measures — but what is appropriate? Penetration tests provide objective evidence that the implemented security measures are effective. This evidence is particularly valuable for:
- Investigations by the FDPIC
- Data Protection Impact Assessments
- Audits by clients or customers
- Accountability obligations towards regulatory authorities
Identifying Vulnerabilities Before Attackers
Professional penetration tests identify security gaps before cybercriminals can exploit them. The experts at Red Team Partners conduct thorough security assessments specifically tailored to nDSG requirements. A typical nDSG-oriented penetration test includes:
- Review of access controls for personal data
- Testing of encryption implementation
- Assessment of network segmentation
- Analysis of API security in data processing systems
- Social engineering tests to verify organisational measures
- Evaluation of incident detection capabilities
Supporting the Data Protection Impact Assessment
For the Data Protection Impact Assessment required under Art. 22 nDSG, risks to affected individuals must be identified and assessed. Penetration test results provide concrete, technically substantiated risk assessments that substantially support the DPIA.
Continuous Improvement
The nDSG does not require one-time implementation but a continuous improvement process. Regular penetration tests (recommended: at least annually, quarterly for critical systems) ensure that security measures keep pace with the evolving threat landscape.
According to the Alpine Excellence Cybersecurity Report, companies that conduct regular penetration tests have a 60% lower risk of successful data protection breaches.
What Does a Practical nDSG Compliance Checklist Look Like?
The following checklist supports Swiss companies in systematically implementing the nDSG cybersecurity requirements. It should be understood as a starting point and must be adapted to the specific risk situation of each company.
Phase 1: Stocktaking and Gap Analysis
- Create an inventory of all personal data (data mapping)
- Create or update the register of processing activities
- Document existing technical security measures
- Conduct a gap analysis between current state and nDSG requirements
- Create a risk assessment for all data processing activities
- Identify data processors and assess their data protection level
Phase 2: Implement Technical Measures
- Implement encryption for data in transit and at rest
- Activate multi-factor authentication for all relevant systems
- Set up and document role-based access controls
- Review and optimise network segmentation
- Set up logging and monitoring for personal data access
- Implement and test backup and recovery processes
- Commission a penetration test from a qualified provider
Phase 3: Implement Organisational Measures
- Appoint a data protection advisor
- Create an incident response plan for data protection breaches
- Define and document the reporting process to the FDPIC
- Develop and deliver training programmes for all employees
- Create or update data protection policies
- Conclude or update data processing agreements
- Establish a process for Data Protection Impact Assessments
Phase 4: Monitoring and Continuous Improvement
- Regular review of access rights (quarterly)
- Annual penetration tests and vulnerability assessments
- Semi-annual review of the incident response plan
- Continuous training and awareness-raising for employees
- Annual review and update of the data protection concept
- Monitoring of regulatory changes and adaptation of measures
What Special Requirements Apply to Specific Industries?
The nDSG does not fundamentally distinguish by industry, but the nature of the data processed and sector-specific regulations result in different requirements.
Financial Sector
Financial institutions are subject not only to the nDSG but also to FINMA regulation, which imposes specific cybersecurity requirements. The combination of both regulatory frameworks results in heightened requirements:
- Enhanced access controls for financial data
- Extended logging requirements
- Regular FINMA-compliant security audits
- Specific requirements for data retention and deletion
Healthcare
Medical data are classified as “particularly sensitive personal data” under Art. 5 let. c nDSG. Heightened requirements therefore apply to the healthcare sector:
- Strict access control to patient data on a need-to-know basis
- Encryption of all medical data
- Extended logging of all data access
- Specific requirements for health system interoperability
- Compliance with medical confidentiality (Art. 321 Swiss Criminal Code)
Technology and SaaS
Technology companies and SaaS providers frequently process data on behalf of their clients and must meet special requirements:
- Robust tenant separation (multi-tenancy security)
- Transparent data localisation and processing chains
- API security and secure interfaces
- Automated data deletion upon contract termination
- Regular security certifications (ISO 27001, SOC 2)
Retail and E-Commerce
Companies in retail and e-commerce process large volumes of customer data and are frequently targeted by cyberattacks:
- Secure payment processing (PCI-DSS compliance)
- Protection of customer profiles and purchase histories
- Cookie compliance and tracking restrictions
- Secure processing of address and contact data
How Does the nDSG Differ from the EU GDPR in Terms of Cybersecurity?
Although the nDSG is closely modelled on the EU GDPR, there are significant differences that are relevant to cybersecurity compliance. Companies operating in both Switzerland and the EU must consider both regulatory frameworks.
Key Differences
| Aspect | nDSG | EU GDPR |
|---|---|---|
| Sanctions | Fines up to CHF 250,000 against natural persons | Fines up to 4% of annual turnover against companies |
| Breach notification | “As quickly as possible” to the FDPIC | Within 72 hours to the supervisory authority |
| DPO obligation | Recommended, not mandatory | Mandatory in certain cases |
| Privacy Impact Assessment | DPIA for high risk | DPIA for high risk (similar) |
| Technical measures | “Appropriate” technical and organisational measures | “Suitable” technical and organisational measures (similar standard) |
| Commissioned processing | Contractual regulation required | Data processing agreement (Art. 28) |
Harmonisation as an Opportunity
For Swiss companies with EU connections, implementing a harmonised data protection and cybersecurity framework covering both regulatory regimes is recommended. This saves resources and reduces complexity. Detailed information on international compliance can be found at CybersecuritySwitzerland.com.
nDSG Compliance as a Competitive Advantage
Compliance with the nDSG signals a high level of data protection and security to customers and business partners. According to a study by the University of St. Gallen, 78% of Swiss consumers consider data protection an important criterion when choosing a provider. Companies that proactively invest in nDSG compliance therefore benefit from a measurable trust advantage.
Frequently Asked Questions About nDSG Cybersecurity Compliance
Does every Swiss company need to comply with the nDSG?
Yes, the nDSG applies to all companies that process personal data of persons in Switzerland — regardless of company size. Foreign companies that process data of persons in Switzerland are also subject to the nDSG. SMEs with fewer than 250 employees are exempt from the obligation to maintain a register of processing activities under certain conditions, but must fulfil all other requirements.
How often should penetration tests be conducted for nDSG compliance?
The nDSG does not prescribe a specific frequency. However, the FDPIC recommends regularly reviewing the adequacy of technical measures. Best practice suggests: at least annual penetration tests for standard systems and quarterly tests for systems that process particularly sensitive personal data. A penetration test should also be conducted after significant system changes.
What are the most common cybersecurity violations in the nDSG context?
According to FDPIC reports, the most common violations are: inadequate access controls (28%), missing or insufficient encryption (22%), delayed reporting of data protection breaches (18%), insufficient logging (15%), and inadequate employee training (12%). Regular penetration tests can identify most of these vulnerabilities before they lead to breaches.
What documentation is required for nDSG cybersecurity compliance?
Companies should maintain at minimum the following documents: register of processing activities, data protection concept with technical and organisational measures, incident response plan, Data Protection Impact Assessments (where required), data processing agreements, training records, penetration test reports, and results of vulnerability assessments. This documentation serves as evidence of compliance during FDPIC investigations.
Can penetration test reports serve as evidence of nDSG compliance?
Penetration test reports are an important but not sole proof of nDSG compliance. They document the state of technical security measures at a specific point in time and demonstrate that the company proactively identifies and addresses security risks. In the event of an FDPIC investigation, penetration test reports can substantiate the adequacy of technical measures. However, they should be supplemented by additional documentation, such as the data protection concept and training records.
What should I do in the event of a data breach caused by a cyberattack?
In the event of a data protection breach caused by a cyberattack, you should initiate the following steps: (1) Immediate containment of the incident according to the incident response plan. (2) Assessment of the risk to affected individuals. (3) Notification to the FDPIC if a high risk exists — recommended within 72 hours. (4) Notification of affected individuals if required to protect their rights. (5) Documentation of the incident and measures taken. (6) Conduct a post-incident analysis. (7) Implementation of measures to prevent similar incidents. Professional support from specialised cybersecurity service providers can be decisive in this situation.
Conclusion: nDSG Compliance as a Strategic Investment
The cybersecurity requirements of the nDSG are not a burdensome obligation but a strategic investment in your company’s future viability. A systematic approach that combines technical and organisational measures, includes regular penetration tests, and continuously monitors compliance not only protects against legal sanctions but also strengthens resilience against cyberattacks.
Implementation need not be overwhelming. Start with a gap analysis, prioritise identified gaps by risk, and work through the measures systematically. Professional cybersecurity service providers such as Red Team Partners and the resources at Alpine Excellence can competently support you in this process.
Remember: under the nDSG, responsible persons bear personal liability. A proactive, well-documented compliance strategy protects not only your company and your customers’ data — it also protects you personally.