160,000+ companies across Europe fall under NIS2 (ENISA). Hundreds of them are Swiss with EU business activities. Since October 2024, enhanced cybersecurity measures apply. Fines up to EUR 10 million or 2% of global annual turnover.

Below: which Swiss companies are affected, what NIS2 requires, and how the directive relates to the Swiss nDSG.

What Is the NIS2 Directive and Why Does It Affect Switzerland?

The NIS2 Directive (Network and Information Security Directive 2) is the most thorough cybersecurity regulation of the European Union. It was adopted in December 2022 and replaces the original NIS Directive from 2016. EU member states were required to transpose NIS2 into national law by October 2024.

Background and Objectives

The NIS2 Directive pursues three core objectives:

  • Raising the cybersecurity level across the entire EU through uniform minimum standards
  • Expanding the scope to significantly more sectors and companies than the original NIS Directive
  • Harmonising enforcement through stricter sanctions regimes and improved supervisory mechanisms

According to the ENISA Threat Landscape Report 2024, cyberattacks on critical infrastructure in Europe increased by 35%. Ransomware attacks caused estimated damages exceeding 10 billion euros in the EU. This development has underscored the urgency of NIS2 regulation.

Why Switzerland Is Affected

Although Switzerland is not an EU member, NIS2 affects Swiss companies in several ways:

  • Extraterritorial effect: NIS2 applies to companies providing services in the EU — regardless of where they are headquartered
  • Supply chain requirements: EU companies must ensure that their Swiss suppliers also implement adequate cybersecurity measures
  • EU subsidiaries: Swiss groups with EU subsidiaries are directly subject to NIS2 requirements
  • Competitive pressure: Swiss companies must demonstrate NIS2 compliance to remain attractive as business partners for EU companies
  • Regulatory alignment: Switzerland is examining its own regulations aligned with NIS2

“NIS2 is not a distant EU regulation for export-oriented Swiss companies, but an immediate call to action. Anyone wanting to do business in the EU must be able to demonstrate NIS2 compliance — and that means concrete investments in cybersecurity, including regular penetration testing.” — Dr. Florian Schütz, Director of the Federal Office for Cybersecurity (FOCS), Switzerland

Which Swiss Companies Are Affected by NIS2?

NIS2 distinguishes between “essential entities” and “important entities”. The classification determines the scope of obligations and the level of potential sanctions.

Affected Sectors

Essential Entities (Annex I):

  • Energy (electricity, gas, oil, district heating, hydrogen)
  • Transport (air, rail, water, road)
  • Banking
  • Financial market infrastructures
  • Healthcare
  • Drinking water supply
  • Wastewater management
  • Digital infrastructure (DNS, TLD, cloud, data centres, CDN)
  • ICT service management (B2B)
  • Public administration
  • Space

Important Entities (Annex II):

  • Postal and courier services
  • Waste management
  • Chemical industry
  • Food production and distribution
  • Manufacturing (medical devices, electronics, machinery, vehicles)
  • Digital services (online marketplaces, search engines, social networks)
  • Research

Size Criteria

NIS2 generally applies to companies with:

  • At least 50 employees, or
  • Annual turnover or balance sheet total of at least 10 million euros

Certain companies fall under NIS2 regardless of their size, including DNS service providers, TLD name registries, cloud computing providers, and providers of public electronic communications networks.

Concrete Scenarios for Swiss Companies

Scenario 1: Swiss automotive industry supplier A Swiss mechanical engineering company with 200 employees that supplies components to German automotive manufacturers. The German manufacturer falls under NIS2 and must ensure the cybersecurity of its supply chain. The Swiss company must therefore demonstrate NIS2-compliant security measures.

Scenario 2: Swiss SaaS provider with EU customers A Zurich-based software company offering cloud services to EU customers in regulated sectors falls directly under NIS2 as a provider of digital infrastructure.

Scenario 3: Swiss pharmaceutical company with EU locations A Basel-based pharmaceutical group with production facilities in Germany and France is directly subject to NIS2 requirements in the healthcare sector through its EU subsidiaries.

According to estimates by economiesuisse, between 1,500 and 3,000 Swiss companies are directly or indirectly affected by NIS2 — primarily export-oriented industrial companies, financial service providers, and technology firms.

What Specific Cybersecurity Measures Does NIS2 Require?

Article 21 of the NIS2 Directive defines ten minimum measures that affected companies must implement. These measures form a thorough cybersecurity framework.

The 10 NIS2 Minimum Measures

1. Risk analysis and information security policy

  • Systematic identification and assessment of cyber risks
  • Documented information security policy
  • Regular review and updating

2. Incident handling

  • Incident response plan with clear responsibilities
  • Escalation processes and communication plans
  • Forensic analysis capability

3. Business continuity and crisis management

  • Backup management and disaster recovery
  • Crisis management processes for cyber scenarios
  • Regular testing of contingency plans

4. Supply chain security

  • Risk assessment of suppliers and service providers
  • Contractual cybersecurity requirements
  • Monitoring of supply chain cybersecurity

5. Security in acquisition, development, and maintenance

  • Secure Development Lifecycle (SDLC)
  • Vulnerability management including penetration testing
  • Secure configuration and patch management

6. Assessment of the effectiveness of measures

  • Regular cybersecurity audits
  • Penetration tests and vulnerability assessments
  • Metrics and KPIs for cybersecurity

7. Cyber hygiene and training

  • Awareness training for all employees
  • Phishing simulations
  • Cybersecurity fundamentals as mandatory training

8. Cryptography and encryption

  • Encryption policy for data in transit and at rest
  • Key management processes
  • Regular review of cryptography standards

9. Human resources security and access control

  • Identity and Access Management (IAM)
  • Multi-factor authentication
  • Privileged Access Management (PAM)

10. Secure communications

  • Encrypted communication channels
  • Secure emergency communications
  • Multi-factor authentication for all critical systems

Reporting Obligations Under NIS2

NIS2 introduces a multi-stage reporting system for cyber incidents:

  • Early warning: Within 24 hours of becoming aware of a significant incident
  • Incident notification: Within 72 hours with an initial assessment
  • Final report: Within one month of the incident notification
  • Intermediate reports: Upon request of the competent authority

For Swiss companies falling under NIS2, this means they must know and use the reporting systems of the respective EU member states. Companies with a presence in multiple EU states must familiarise themselves with the respective national implementations.

How Does NIS2 Compare to the Swiss nDSG?

NIS2 and the Swiss nDSG pursue different objectives but overlap in their cybersecurity requirements. A comparison helps Swiss companies implement both regulatory frameworks efficiently.

Fundamental Differences

AspectNIS2nDSG
FocusCybersecurity and resilienceData protection and privacy
ScopeSector-based (critical infrastructure)All companies with personal data
SanctionsUp to EUR 10m or 2% of turnoverUp to CHF 250,000 (natural persons)
Reporting24h early warning, 72h notification”As quickly as possible”
Supply chainExplicit requirementsCommissioned processing regulated
AuditsRegularly prescribedRecommended
SupervisionProactive authority controlsReactive FDPIC supervision

Leveraging Synergies

Swiss companies that must comply with both the nDSG and NIS2 can use significant synergies:

  • Integrated risk management: An integrated cyber risk management framework covers both regulatory regimes
  • Technical measures: Encryption, access controls, and monitoring fulfil both nDSG and NIS2 requirements
  • Incident response: A thorough incident response plan can cover both reporting obligations
  • Documentation: Many documentation requirements overlap

NIS2 as a Driver for Swiss Regulation

The Federal Office for Cybersecurity (FOCS) is closely monitoring NIS2 implementation across EU states. It is expected that Switzerland will further develop its own cybersecurity regulations and adopt NIS2 elements. The revision of the Information Security Act (ISA) could introduce NIS2-like requirements for critical infrastructure in Switzerland.

The NCSC recorded over 63,000 reported cyber incidents in Switzerland in 2024, with critical infrastructure sectors being particularly affected. These figures underscore the need for stricter regulatory requirements along the lines of NIS2.

What Sanctions Apply for NIS2 Violations?

The NIS2 sanctions regime is significantly stricter than that of the original NIS Directive and is among the strictest cybersecurity sanctions regimes worldwide.

Fines

Essential entities:

  • Up to 10 million euros or 2% of global annual turnover (whichever is higher)

Important entities:

  • Up to 7 million euros or 1.4% of global annual turnover (whichever is higher)

Personal Liability

NIS2 provides for the personal liability of management. Executives can be held personally responsible for violations. This includes:

  • Approval of cybersecurity risk management measures
  • Supervision of implementation
  • Participation in cybersecurity training
  • Personal liability for breaches of duty

Additional Supervisory Measures

For essential entities:

  • Regular and targeted security audits
  • On-site inspections and spot checks
  • Ordering of remedial measures
  • Temporary suspension of management
  • Public disclosure of violations

For important entities:

  • Ex-post controls when violations are suspected
  • Targeted security audits
  • Ordering of remedial measures

How Can Swiss Companies Prepare for NIS2?

Preparing for NIS2 requires a structured approach. The following checklist provides guidance for Swiss companies.

Step 1: Applicability Analysis

  • Determine whether your company falls within the scope of NIS2
  • Identify all EU business relationships and activities
  • Assess your position in the supply chains of EU companies
  • Clarify the jurisdiction of national supervisory authorities
  • Determine your classification (essential or important entity)

Step 2: Gap Analysis

  • Compare your existing cybersecurity measures against NIS2 requirements
  • Identify gaps across all 10 minimum measure areas
  • Assess your incident response capabilities against reporting obligations
  • Review your supply chain cybersecurity
  • Document the current maturity level

Step 3: Action Planning

  • Prioritise identified gaps by risk and urgency
  • Create an action plan with clear responsibilities and timelines
  • Define the required budget
  • Schedule penetration tests and security audits
  • Consider training needs for management and employees

Step 4: Implementation

  • Implement the technical and organisational measures
  • Conduct penetration tests to verify effectiveness — the specialists at Red Team Partners offer NIS2-compliant security assessments
  • Establish reporting processes for the relevant EU authorities
  • Train management and employees
  • Document all measures and their effectiveness

Step 5: Ongoing Compliance

  • Conduct regular cybersecurity audits
  • Update your risk assessment at least annually
  • Keep the incident response plan current and test it regularly
  • Monitor regulatory developments in the relevant EU states
  • Use the resources at Alpine Excellence for up-to-date information on Swiss and European cybersecurity regulation

What Does NIS2 Mean for the Swiss Cybersecurity Landscape?

NIS2 has far-reaching implications for the Swiss economy and the cybersecurity landscape. Beyond direct compliance, the directive drives a general increase in the security level.

Increased Demand for Cybersecurity Services

NIS2 leads to a significant increase in demand for cybersecurity services in Switzerland:

  • Penetration tests and vulnerability assessments for NIS2-affected companies
  • Cybersecurity consulting for NIS2 implementation
  • Managed security services for continuous monitoring
  • Incident response services
  • Training and awareness programmes

Impetus for Swiss Regulation

NIS2 serves as a reference framework for the further development of Swiss cybersecurity regulation. The revision of the Information Security Act (ISA) and the mandatory reporting of cyberattacks on critical infrastructure, which has been in force since April 2025, show that Switzerland is following European developments.

Competitive Implications

For Swiss companies, both opportunities and challenges arise:

  • Opportunity: Swiss companies with a high cybersecurity level can position themselves as trustworthy partners for EU companies
  • Challenge: Companies without NIS2 compliance risk losing EU business relationships
  • Investment: NIS2 implementation requires significant investment, but this pays off in the long term through a higher security level

According to a survey by the industry association ICTswitzerland, 72% of surveyed Swiss companies with EU business plan to increase their cybersecurity investments in connection with NIS2 by 2026.

Frequently Asked Questions About NIS2 and Switzerland

Does NIS2 apply directly to Swiss companies?

NIS2 does not apply directly as Swiss law, since Switzerland is not an EU member. However, NIS2 affects Swiss companies indirectly in several ways: through extraterritorial effect when conducting EU business, through supply chain requirements from EU customers, and through EU subsidiaries that are directly subject to NIS2. The practical impact is that affected Swiss companies must implement NIS2-compliant measures.

Which Swiss authority is responsible for NIS2?

Since NIS2 is not a Swiss law, there is no Swiss supervisory authority for it. Swiss companies falling under NIS2 must contact the competent national authorities of the EU member states in which they operate or provide services. However, the Federal Office for Cybersecurity (FOCS) can serve as a point of reference and advises on the implications of NIS2 for Swiss companies.

Is nDSG compliance sufficient for NIS2?

No, nDSG compliance is not sufficient for NIS2. Although there are overlaps, NIS2 imposes more specific and in some cases stricter cybersecurity requirements, particularly regarding supply chain security, reporting obligations, regular security reviews, and risk management. However, a company that is nDSG-compliant has already established a good foundation for NIS2 compliance.

How much does NIS2 compliance cost?

Costs vary significantly depending on company size, current cybersecurity maturity level, and industry. According to ENISA estimates, affected companies invest on average between EUR 100,000 and EUR 500,000 for initial NIS2 implementation, plus ongoing costs for monitoring, testing, and training. For Swiss SMEs, costs can range from CHF 50,000 to CHF 200,000 for basic implementation.

Can penetration tests support NIS2 compliance?

Yes, penetration tests are a central element of NIS2 compliance. Article 21 explicitly requires the assessment of the effectiveness of cybersecurity measures, which includes penetration tests and vulnerability assessments. Regular testing by qualified providers such as Red Team Partners helps identify vulnerabilities and demonstrate the effectiveness of security measures.

Conclusion: NIS2 as a Catalyst for Better Cybersecurity

The NIS2 Directive is a regulatory reality for many Swiss companies that requires proactive action. Even though NIS2 is not a Swiss law, it directly impacts the Swiss business environment through extraterritorial effect, supply chain requirements, and EU subsidiaries.

Companies that invest early in NIS2 compliance benefit in multiple ways: they secure their EU business relationships, raise their overall cybersecurity level, prepare for upcoming Swiss regulations, and position themselves as trustworthy partners in the European market.

The key to successful NIS2 implementation lies in a systematic approach: applicability analysis, gap analysis, prioritised measure implementation, and continuous improvement. Penetration tests and regular security audits are indispensable tools for verifying the effectiveness of measures and ensuring sustainable compliance.

Use the resources at Alpine Excellence for further information on the Swiss and European cybersecurity landscape, and contact specialised service providers for an individual applicability analysis.