Patient data is caught between the conflicting priorities of medical treatment and data protection law. Doctors, therapists and other healthcare professionals need to process sensitive health data in order to do their jobs, but at the same time they are obliged to protect their patients’ privacy and personal rights.

This tension is particularly evident in the collection, transfer and storage of data in everyday practice – for example, in patient forms for registration, consent or treatment documentation. The Federal Data Protection and Information Commissioner (FDPIC) has published a new factsheet on patient forms for medical and therapeutic consultations. It specifies how information obligations, consent and data security can be implemented in a legally compliant manner in the treatment environment.

With this publication, the FDPIC aims to raise awareness among service providers such as doctors, therapists, practices and health centres of the requirements of the revised FADP and to bring existing form templates into line with data protection regulations.

Duty to provide information and consent – two separate obligations

The factsheet makes it clear that anyone who processes health data has a comprehensive duty to provide information, regardless of whether consent has been obtained. Healthcare professionals must inform patients transparently about data processing: the purpose, legal basis, recipients and retention period must be disclosed in a comprehensible manner (Art. 19 FADP).

Consent comes into play as a supplementary measure if there is no other legal basis or if particularly sensitive processing is carried out, such as when data is transferred to third parties or for research purposes. The following applies: valid consent must be voluntary, informed, specific and revocable at any time. Blanket or pre-filled consent forms – such as prior disclosure of the patient file or certain elements thereof to third parties – are inadmissible.

The factsheet urges service providers to critically review their forms: information and consent sections must be clearly separated and formulated in an understandable manner. Those who comply with this reduce the risk of data protection violations and at the same time build trust in patient contact.

Digital exchange of data – safety over convenience

Another focus is on the secure handling of patient data in digital communication. The factsheet expressly warns against the unsecured transfer of sensitive data – especially by e-mail or online form without encryption.

Digital data should only be transferred if the transfer is properly secured. Only in special cases – and after obtaining clear, informed consent from the person concerned – may a less secure transfer be acceptable. In these cases, the patient must be informed of the risks and must have a genuine choice (for example between a secure portal and ordinary e-mail).

The implementation of technical and organisational security measures is crucial, especially in increasingly digitised practices. Anyone who transfers patient data via insecure channels risks not only data protection complaints, but also liability consequences.

Data minimisation and purpose limitation – less is more

The FDPIC points out that only data that is absolutely necessary for treatment or administration may be collected in the healthcare sector. The principle of proportionality requires that patient data be collected for a specific purpose, be accurate and be collected as sparingly as possible.

Forms that request excessive information – such as occupation, nationality or marital status without any medical relevance – are not permitted. All information collected must serve a clear purpose and be medically or administratively necessary.

Doctors and therapists may object to this reference to the principle of proportionality. In practice, it is difficult to implement without considerable additional effort. However, these requirements are not aimed at bureaucracy, but at trust: lean, purposeful data collection protects both patients and practices from unnecessary data protection risks.

Significance & Practical Recommendations for Healthcare Providers

The new information sheet is a wake-up call for all healthcare providers, from individual practices to therapy centres. Anyone who processes patient data should now check:

    • Are my patient forms understandable, up to date and compliant with data protection regulations?

    • Are the duty to provide information and consent clearly separated and documented?

    • Is digital communication sufficiently secure from a technical standpoint?

    • Is only data that is actually necessary being collected?

A practice that complies with data protection regulations not only strengthens legal certainty, but also patient trust, the foundation of all medical activity.

Frequently asked questions on data protection and patient forms

No. There is a legal basis for most processing carried out as part of medical treatment (Art. 31 para. 1 FADP, cantonal health laws). Express consent is only required if data is processed outside the scope of the treatment order or passed on to third parties, for example for research purposes, marketing or insurance assessments. It is crucial that every patient is informed about data processing, even if consent is not required.

Yes, but only with a clear separation of functions. The FDPIC emphasises that the duty to provide information and consent must be distinguishable both in terms of content and visually. Patients must understand which processing operations are mandatory (by law) and what they are voluntarily consenting to. It is advisable to use separate sections or checkboxes to ensure that consent is voluntary.

Health data is classified as particularly sensitive personal data (Art. 5 lit. c FADP). It may only be transferred electronically if the confidentiality and integrity of the data is guaranteed, for example through encrypted e-mails, secure patient portals or specialised communication solutions. Unencrypted transfer is only permitted if the patient gives their express consent after receiving comprehensive information.

No. The Federal Act on Data Protection obliges service providers to minimise data collection: only information that is necessary for diagnosis, treatment or administrative purposes may be collected. Questions about occupation, religion or marital status are only permissible if they have a clear medical relevance.

Yes. Consent must be revocable at any time. The revocation is valid from the time of its declaration and takes effect for the future. However, data that has already been processed lawfully (e.g. for treatments carried out or services invoiced) may continue to be stored if there are legal obligations to do so, such as for documentation or invoicing purposes.

Under Swiss law, protection of privacy entails both civil and criminal law mechanisms to protect a person’s honour, reputation and integrity from unlawful attacks. The case involving the Swiss People’s Party (SVP) in Lucerne and former party member Yves Holenweger [1] illustrates how media reports can be legally relevant and what options those affected have to protect themselves.

Civil law protection of personality rights

Civil law provides comprehensive protection of personality rights in accordance with Art. 28 et seq. of the Swiss Civil Code. This protection covers physical and psychological aspects, as well as honour, privacy and economic reputation.

In the case of media-effective criticism, as in the present case, the person concerned can, for example, demand a counterstatement or take legal action to prevent and remove a defamatory statement.

Criminal law protection of personal rights

Criminal law applies in cases of particularly serious violations of personal rights, such as defamation, slander or verbal abuse.

Here too, the person affected can initiate civil proceedings in parallel in order to additionally mitigate the consequences of a criminal offence under civil law.

Effective protection of privacy: Legal action and recommended measures in cases of defamation, damage to reputation and media coverage

The example of the defamatory press release signed by Dieter Haller, then president of the Lucerne City SVP, and Timo Lichtsteiner, then and now vice-president, illustrates how personality rights protection works.

The Holenweger affair shows how personal attacks can quickly turn into a legal dispute over honour and personality rights. A specialised law firm offers competent support in dealing with such complex cases and ensures that the rights and interests of those affected are protected in an objective and efficient manner.

Find out more about the protection of personality rights in civil and criminal law here.

[1] https://www.luzernerzeitung.ch/zentralschweiz/stadt-region-luzern/artikel-ld.4016595, last visited on 23 September 2025.

In its ruling, the court refuses to unseal seized data carriers and documents belonging to a journalist, thereby strengthening freedom of the press. The decision of the Zurich District Court of 2 July 2025 deals with the unsealing of seized data carriers and documents in the case of Inside Paradeplatz journalist Lukas Hässig, after the journalist had correctly requested sealing on the grounds of protecting his sources. The decision of the Compulsory Measures Court shows the conditions under which a request for unsealing is approved or, as in this case, rejected.

Facts and background of the Hässig case

The focus is on an investigative journalist, editor of the Inside Paradeplatz platform. He is accused of sharing information and data from Bank Julius Bär & Co. AG, which is subject to banking secrecy and/or trade secrets, in his magazine ‘Inside Paradeplatz’. In connection with the resumption of criminal proceedings against the respondent for an offence under Article 47 Banking Act, a search was carried out at his home and place of work. Various items and data carriers were seized. Referring to the protection of journalistic sources, the respondent requested that all seized items be sealed.

The public prosecutor’s office then filed a request for unsealing with the Compulsory Measures Court of the Zurich District Court. The respondent commented on the request for unsealing and requested that it be dismissed.

Note: The judgment shows that the criminal investigation by the public prosecutor’s office had already been suspended twice. In the most recent suspension order, the public prosecutor’s office itself had denied the admissibility of a search on the grounds of source protection, which the court took up in its judgment.

Legal requirements for unsealing

A request for sealing is used to assert permissible confidentiality interests pursuant to Article 248 para. 1 of the Swiss Criminal Procedure Code when searching records. Once the request for sealing has been filed, the criminal authority first seals the seized data carriers and documents. In the unsealing proceedings, the Compulsory Measures Court is then obliged to examine any objections to the admissibility of the search. A general decision must therefore be made as to whether the search is admissible.

A search of records within the meaning of Article 246 ff. Swiss Criminal Procedure Code, i.e. of ‘documents, audio, video and other recordings, data carriers and equipment for processing and storing information’, is permissible under the following conditions.

According to Article 246 of the Swiss Criminal Procedure Code, documents, audio, video and other recordings, data carriers and equipment for processing and storing information may only be searched if there is reason to suspect that they contain information subject to seizure. According to Article 263 para. 1 of the Swiss Criminal Procedure Code, items and assets are subject to seizure if they are to be used as evidence (lit. a), if they are needed to secure procedural costs, fines, penalties and compensation (lit. b), if they are to be returned to the injured party (lit. c), if they are to be confiscated (lit. d), or if they are to be used to cover claims for compensation by the state in accordance with Article 71 of the Swiss Criminal Code.

Unlike the trial court, the Compulsory Measures Court does not have to exhaustively weigh up all incriminating and exonerating evidence. What is required is a sufficiently concrete probability that the alleged offence was actually committed. According to the case law of the highest court, reasonable suspicion can be equated with the concept of initial suspicion pursuant to Article 309 para. 1 lit. a of the Swiss Criminal Procedure Code.
Compared to pre-trial detention (Art. 224 ff. Swiss Criminal Procedure Code), the unsealing and searching of records appears to be significantly less intrusive. The requirements for reasonable suspicion are therefore less stringent. Reference can be made to substantiated criminal complaints or reports. The grounds for suspicion must be examined on the basis of the results of the investigation to date.

Furthermore, the Compulsory Measures Court must weigh up the interests involved and examine whether the house search and the search of the sealed data are proportionate to the constitutionally protected intimate and private sphere of the respondent.
The owner of the records or objects may request sealing if there are obstacles to seizure in accordance with Article 264 of the Swiss Criminal Procedure Code (Art. 248 Swiss Criminal Procedure Code). These obstacles to seizure also prevent the unsealing of previously sealed records and objects.

When assessing the proportionality of this compulsory measure, the severity of the offences under investigation is also taken into account (Art. 197 para. 1 lit. d Swiss Criminal Procedure Code).

Considerations of the Compulsory Measures Court in its ruling of 2 July 2025

No reasonable suspicion

The criminal investigation against the respondent has now been ongoing for six years. The investigation files do not indicate that the suspicion against the respondent has intensified in recent years or at least months. The Compulsory Measures Court finds that no suspicion against the respondent can be established, even to a minimal degree. Sufficient suspicion is denied.

Proportionality and source protection

The public prosecutor’s office argues that the respondent cannot invoke source protection under Art. 28a para. 1 of the Swiss Criminal Code and Art. 172 of the Swiss Criminal Procedure Code and thus a right to refuse to give evidence. The Compulsory Measures Court argues that the respondent acted in the interests of society and fulfilled his duty as an investigative journalist. It considers the priority given to criminal prosecution and possible punishment for a breach of banking secrecy over the legitimate right of the public to be informed about alleged far-reaching violations of the law in the financial sector to be manifestly wrong. According to the Compulsory Measures Court, the interest in prosecution in this case is not sufficiently weighty to outweigh the protection of sources. The proportionality of the search must also be denied.

Finally, the Compulsory Measures Court finds that the conditions for unsealing and searching the seized data carriers and documents are not met.

Significance for the media, lawyers and those affected

The ruling thus rightly emphasises the high hurdles for interference in journalistic work. Source protection enjoys strong protection in Switzerland, as it is enshrined in the Constitution and the ECHR. Coercive measures in criminal proceedings, such as the unsealing and searching of records, therefore require careful weighing of the interests involved – especially in the case of media professionals.

For affected journalists and media companies, this means that access to confidential data is only permitted in exceptional cases where there are concrete and serious grounds for suspicion of criminal activity.

Our law firm provides advice on criminal procedure law, media law, source protection and the enforcement of personal rights. Please feel free to contact us without obligation if you have any questions about criminal proceedings and the search of records.

FAQ Criminal proceedings and sealing:

  1. How does the sealing of data carriers or documents occur in criminal proceedings?

Seized data carriers or documents are sealed if the person concerned claims that the contents of the records are subject to special protection, for example due to professional secrecy (e.g. protection of journalistic sources, lawyers, doctors). Sealed data may only be searched after a court decision has been made.

  2. Under what conditions can a request for unsealing be successful?

The public prosecutor’s office submits a request for unsealing to the Compulsory Measures Court. Unsealing is possible if there is concrete and sufficient suspicion against the person concerned and the search appears proportionate to their fundamental rights. The Compulsory Measures Court always examines both the suspicion and the proportionality.

  3. What is the right to refuse to give evidence and who can invoke it?

The right to refuse to give evidence allows certain professional groups – e.g. lawyers, journalists, doctors – to refuse to testify and to keep their sources or client data confidential. This protection applies as long as they are not suspected of having committed serious crimes themselves.

The right to refuse to give evidence allows any person to refuse to testify during questioning for their own protection (Art. 169 Swiss Criminal Procedure Code) or to protect personal relationships such as their spouse or close relatives (Art. 168 Swiss Criminal Procedure Code). However, sealing is only protected under Art. 264 of the Swiss Criminal Procedure Code in cases of qualified confidentiality protection, e.g. items and documents from another person’s communications with their lawyer.

  4. Is the protection of journalists’ sources also guaranteed in court?

Yes, journalists can invoke source protection. Courts and public prosecutors may only seize and unseal their data in exceptional cases – namely when there are clear indications of a criminal offence and public interests, namely in the criminal investigation, outweigh other considerations.

  5. What can I do if I receive a summons to appear as a witness but wish to refuse to provide information?

You must attend the appointment, but you can exercise your right to refuse to give evidence if you are bound to secrecy as a relative or because of your profession. Inform the authorities of this in good time and seek legal advice if necessary.

Switzerland is strengthening its claim to be one of Europe’s leading centres of innovation, with ETH Zurich playing a central role as a driving force. Three recent developments (a personal selection, described below) emphasise the country’s technological potential and digital sovereignty.

All three projects stand for an innovation strategy based on scientific excellence as well as entrepreneurial scalability, sustainable infrastructure and regulatory foresight.

Digital sovereignty: The ETH large language model for public use

The LLM, launched by ETH Zurich, is the first AI technology to be tailored to Swiss legal requirements, multilingualism and the highest data protection standards. It is the result of a collaboration between EPFL and ETH Zurich and was trained on the ‘Alps’ supercomputer at the Swiss National Supercomputing Centre (CSCS). For companies, administrations and, in particular, SMEs that value data-secure processes, this opens up new possibilities in the areas of automation, information indexing and modern customer interaction – without having to rely on global cloud platforms. This development illustrates how technological progress and location policy can be combined. Switzerland is thus positioning itself as a pioneer for trustworthy and independent digitalisation in both the public and private sectors.

Semiconductor expertise in the heart of Europe: the Swiss Chip Fablab

ETH Zurich is also marking a milestone in the area of hardware and semiconductor development: the planned participation in the Swiss Chip Fablab in the Dübendorf Innovation Park will create a network that combines research, development and production at a geopolitically secure, reliable location. The aim is to strengthen the resilience of supply chains and establish independent semiconductor expertise – a key concern in times of global uncertainty. It does not serve as an alternative to AI processor chips, which are predominantly manufactured in Taiwan, but rather to develop highly specialised chips for applications such as energy, mobility, medicine or communication. The Fablab offers start-ups, established companies and international partners access to state-of-the-art infrastructure, support with regulatory issues and the opportunity for strategic networking.

New ETH hub for the canton of Lucerne: strengthening the region and promoting innovation

Thanks to the CHF 100 million donation from the Jörg G. Bucherer Foundation to ETH, an earth observation centre is to be built in the canton of Lucerne. Possible locations under discussion include Emmen/Viscosistadt, Horw near the University of Applied Sciences, and Hochdorf. This shows how the power of innovation can be strengthened in a targeted and decentralised manner. Such an ETH hub creates new opportunities for companies and start-ups in Central Switzerland to enter into direct dialogue with research and teaching – and sends out a strong signal for the attractiveness of Emmen as a location for technology and innovation. The regional anchoring of technological excellence contributes to the broad development of innovation potential and the utilisation of synergies between science and business.

What does this mean for companies, investors and entrepreneurs?

For technology-orientated companies, investors and innovative entrepreneurs, these developments create new opportunities for collaboration, but also raise complex regulatory issues.

As a boutique law firm from Lucerne specialising in data protection law, digital business models and commercial law issues, we assist companies, authorities and institutions with all the challenges of digital transformation. Our team supports you in all matters relating to data protection and IT projects, as well as in commercial law issues such as corporate governance, restructuring and M&A. We emphasise legally compliant innovation, regulatory compliance and pragmatic implementation. From data protection impact assessments and licence agreements to cross-company transformation, you benefit from our expertise in the digital and business environment.

Contact us for questions about digital business models.

The Federal Data Protection and Information Commissioner (FDPIC) has published his 2024/2025 activity report. In his press release, he headlines ‘Increased intervention against data protection violations and new highs in access requests under the Freedom of Information Act’ and draws a much-noticed summary of digitalisation and fundamental rights, both in the public sector such as the judiciary, police, security and health, but also in business and society. In the private sector, the following topics stand out in particular:

Cyberattack on OneLog: Risks associated with login solutions

The FDPIC documents a targeted cyberattack on the OneLog login platform. The incident clearly shows that cloud-based authentication services are becoming attractive targets for hackers – with potentially far-reaching consequences for thousands of private individuals. The report calls for strict security and incident response processes at identity providers. Those responsible not only have a duty to report data security breaches (Art. 24 para. 1 FADP), they must also continuously inform the FDPIC about the measures taken and the next steps.

Duty of representation (Art. 14 FADP): Clear responsibility in the private sector

The FADP now clearly requires private controllers domiciled or resident abroad who process personal data to appoint a representative in accordance with Art. 14 FADP. This means that anyone who processes data extensively and regularly – e.g. in the context of private online platforms or community services – must designate a person who is responsible for compliance with the FADP. This strengthens the traceability of data protection-relevant processes. To this end, companies and other private controllers can appoint a representative as a point of contact for both the data subjects and the FDPIC.

BPS Legal offers representation in accordance with Art. 14 FADP, possibly in combination with the role of Swiss data protection advisor in accordance with Art. 10 FADP. Please feel free to contact us.

Cross-platform tracking: on the watchdog’s radar

Particularly interesting for online marketing: the FDPIC is focusing on cross-platform tracking, e.g. using cookies or fingerprinting. The FDPIC notes that such methods in the private sphere often take place in a legal vacuum – and calls for clear rules on transparency, consent and documentation. Without suitable technical and organisational measures, there is a risk of fines and loss of reputation. Website and app operators that use third-party services and third-party cookies must observe their information obligations, the rights of the data subjects and the allocation of responsibilities.

Data protection is becoming part of the corporate culture

In the 2024/2025 activity report, the FDPIC shows that data protection is being taken increasingly seriously in the private sector. From cloud security to tracking regulation – the figures speak for themselves. For platform operators, SMEs and private individuals, proactive legal advice is more important than ever to create legal certainty and trust. The full report is available from the FDPIC at: https://backend.edoeb.admin.ch/fileservice/sdweb-docs-prod-edoebch-files/files/2025/07/01/de77df3c-8cdb-4a72-9109-6783d8218fbc.pdf

Contact us for non-binding advice on data protection law and digitalisation.

FAQ: Questions and answers on data protection for SMEs and platform operators

The incident shows that centralised login services pose a high security risk. Platform operators must ensure that authentication processes are specially protected – with strong passwords, two-factor authentication and a functioning security and emergency management system. Data security breaches must also be reported quickly.

Companies based abroad that systematically process personal data of people in Switzerland must appoint a data protection representative in Switzerland. Smaller operators of websites or platforms may also be affected – for example, if they regularly process data from Swiss users. The representative must be identified transparently in the data protection notice.

Anyone who tracks user behaviour across different websites and devices requires the explicit consent of the data subjects. The use of cookies, pixels or fingerprinting tools without clear consent is contrary to data protection law. SMEs need to review and adapt their cookie banners and tracking processes both technically and legally.


If a company carries out particularly risky data processing – such as systematic tracking, profiling or the processing of health data – a data protection impact assessment is often required. The FDPIC’s latest report shows an increase in the number of such audits of data controllers. SMEs should clarify at an early stage whether a DPIA is necessary in order to prevent subsequent legal consequences.

The new Data Protection Act requires data security breaches to be reported to the FDPIC immediately – if there is a high risk for the data subjects. Delayed or incomplete reporting can be considered a breach of duty. SMEs should establish clear internal reporting processes.

From 1 June 2025, the principle of public access will apply in the Canton of Lucerne. This marks a significant step towards greater transparency and democratic oversight within the cantonal administration: citizens, journalists, and businesses will, in principle, have access to official information and documents held by the administration — without the need to demonstrate a specific interest. Lucerne is thus the last Swiss canton to implement this important reform.

What does the principle of public access mean?

The principle of public access obliges authorities to make official documents and information available upon request. Access may only be refused if there are compelling reasons — such as the protection of personal data or other legally protected interests. The burden of justification to refuse access lies with the authority. This new right strengthens transparency, democratic oversight, and the formation of public opinion in the Canton of Lucerne.

Limitations: Data Protection and Privacy

The principle of public access is limited where the protection of personal data is concerned. Personal data is protected by constitutional rights to privacy and by the Cantonal Data Protection Act (KDSG). If an official document contains personal data relating to third parties, the administration must carefully weigh the interests involved: does the public interest in transparency outweigh the private interest in confidentiality? As a rule, personal data must be anonymised. If anonymisation is not possible, either consent or a balancing of interests is required.

Practical Challenges and Anonymisation

Anonymising personal data in official documents is a complex task. Due to modern research tools and the abundance of publicly accessible data, there is a risk that seemingly anonymised information can still be linked to specific individuals. The use of identifying features such as social security numbers (AHV numbers) further complicates effective anonymisation. Administrative bodies must therefore exercise particular care to ensure that data protection and transparency are appropriately balanced.

Decentralised Implementation in the Canton of Lucerne

The legal provisions on the principle of public access and data protection are spread across various statutes in the Canton of Lucerne. Requests for access are processed in a decentralised manner by the respective administrative bodies. An interdepartmental committee is intended to ensure uniform practice. Nevertheless, it remains to be seen whether equality of treatment and data protection can be guaranteed in every individual case.

Our firm has proven expertise in administrative law, data protection, and the practical application of the principle of public access. We support citizens, businesses, journalists, and authorities with requests for access to official documents—from the initial application and the balancing of interests to representation in appeal proceedings.

Get in touch with us for an initial consultation on matters of Public Access.

On Monday, 12 May 2025, Matthias R. Schönbächler, former Data Protection Officer of the Canton of Lucerne, was officially bid farewell by the Lucerne Cantonal Council. Schönbächler held the office from 2018 to 2024 and supported the handover to his successor Natascha Ofner-Venetz in 2025.

In his tribute, Ferdinand Zehnder, President of the Cantonal Parliament, emphasised Schönbächler’s pioneering work in setting up the cantonal data protection supervisory authority. This task was successfully mastered with legal precision and technical understanding.

“As a lawyer with impressively broad specialist knowledge and, as he himself described it, competence in technical dialogue, Matthias Schönbächler combined legal precision with technical understanding.”

– Ferdinand Zehnder, President of the Cantonal Parliament

The video recording of the Cantonal Parliament session of 12 May 2025 is available on the Cantonal website: https://www.lu.ch/kr/Sessionen/videoaufnahmen?keyword=Session&sessionoverview=true

After these words of praise, the President of the Cantonal Parliament thanked Matthias R. Schönbächler on behalf of the Cantonal Parliament for his many years of service to the Canton of Lucerne.

We would also like to thank Matthias R. Schönbächler for his services to data protection and administrative development in the Canton of Lucerne. Our special thanks also go to the Lucerne Cantonal Council and State Secretary Vinc Blaser for their honourable farewell.

Presently there is no dedicated Artificial Intelligence (AI) legislation in Switzerland. Nevertheless, given the ever-increasing adoption and use of AI tools in various sectors, in particular in finance, the risks associated with such systems inevitably require thorough scrutiny.

To this end, the Swiss Financial Markets Authority (FINMA) has recently[i] published a set of findings and observations which take a risk-based approach, defined from operational, data-related, IT and cyber perspectives alongside legal and reputational ones. Supervised entities therefore need to identify, assess, monitor, manage and control the risks associated with their AI applications, whether developed in-house or outsourced, and to make sure these are aligned with and reflected in their respective governance models.

Above all, FINMA highlights as the most pressing issues the operational risks of lack of robustness, correctness, bias and explainability, the risks associated with third-party service providers, and the challenges in allocating responsibility and accountability.

Once identified, the ‘materiality’ of the risks in question needs to be determined. In other words, it must be established whether a given AI application meets a higher threshold, which is the case where it “…is used to comply with supervisory law or to perform critical functions, or when customers or employees are strongly affected by its results”.

From the perspective of data-related risks, it is apparent that incorrect, inconsistent, incomplete, unrepresentative or outdated data would undermine the credibility and effectiveness of an AI application. Therefore, measures need to be put in place to ensure the integrity of input data and to secure the availability of and access to data. In addition, FINMA refers to regular checks to detect data drift, and to validation methods to guarantee the ongoing quality of output data.

Lastly, it is noted that explainability of results is critical for an effective assessment of an AI application: the drivers of a given application and its behaviour under varying circumstances and conditions need to be comprehensible even to non-experts such as clients, investors and supervisory authorities. For applications of higher ‘materiality’, the results of an independent review, forming an informed and unbiased opinion as to the reliability of the application in question, also need to be taken into account during that application’s development phase.


[i] See here https://www.finma.ch/en/news/2024/12/20241218-mm-finma-am-08-24/.

The new FINMA circular 2025/2 on rules of conduct under the Financial Services Act (FinSA) and the Financial Services Ordinance (FinSO), which is set to enter into force on 1 January 2025[i], aims to establish a set of uniform standards for the provision of information to and the support of clients in the financial services sector.

A transitional period until 30 June 2025 is introduced for the implementation of certain requirements.

The circular will essentially be applicable to banks and securities firms, managers of collective assets, and companies providing fund management as well as portfolio management services. Financial service providers which are not subject to FINMA supervision therefore in principle fall outside the scope of the circular.

In a nutshell, the key points are as follows.


[i] See here https://www.finma.ch/en/news/2024/11/20241121-mm-rs-verhaltenspflichten-fidleg/.

On 17 October 2024[i] the European Commission adopted the first implementing rules on the cybersecurity of critical entities and networks under the NIS2 Directive, in the form of an Implementing Regulation.[ii] The Regulation is set to come into force in late November, to be precise 20 days after its publication in the Official Journal, which took place on 7 November 2024.

The adoption of the Regulation also coincides with the last day of the deadline set for the EU Member States to transpose the NIS2 Directive into their national laws.

The implementing rules essentially detail measures pertaining to cybersecurity risk management, as well as the obligations to report “significant” incidents to national authorities across the bloc, which are imposed on companies providing digital infrastructures and services. Specifically, companies providing digital services such as cloud computing service providers, data centre service providers, online marketplaces, online search engines and social networking platforms fall within the scope.

The NIS2 Directive[iii] re-categorises and noticeably expands the previous scope, which initially covered the two categories of i) operators of essential services (OESs) and ii) relevant digital service providers (RDSPs), by classifying covered entities as either Essential Entities (EE) or Important Entities (IE).

EE includes sectors of energy, transport, finance, public administration, health, space, water supply and digital infrastructure such as cloud computing service providers and ICT management.

IE includes sectors of postal services, waste management, chemicals, research organisations, food processing, manufacturing and digital providers such as social networks, search engines and online marketplaces.

With micro and small entities in principle excluded from the scope, the Directive puts in place a size threshold: 250 employees, an annual turnover of €50 million or a balance sheet of €43 million for EE entities, and 50 employees, an annual turnover of €10 million or a balance sheet of €10 million for those on the IE list.

Nevertheless, an entity may still be considered ‘essential’ or ‘important’ irrespective of its size if it is the sole provider of a critical service for societal or economic activity in a given Member State, a trust service provider, or a central or regional government entity.

Similar to the GDPR, the Directive requires Member States to impose penalties for non-compliance, the level of which differs per classification: €10 million or at least 2% of global annual turnover for the previous fiscal year, whichever is higher, for EE entities, and €7 million or at least 1.4% of global annual turnover for the previous fiscal year, whichever is higher, for IE entities.

Notably, the management bodies of covered entities, such as the board of directors, may also be held liable for non-compliance.

In Switzerland, by contrast, the Information Security Act (Informationssicherheitsgesetz, ISG) applies primarily to the federal administration, cantonal authorities and their partner companies in the country, and its revised version is set to come into force by 1 January 2025. In this context, partner companies may be active in sectors similar to those within the scope of the Directive in the EU, such as the financial and information and communication sectors, as well as service providers and manufacturers of hardware and software products used by critical infrastructures.

Therefore, supplier companies indirectly fall within the scope of the ISG, similar to the position under the Directive in the EU. Swiss entities forming part of a supply chain that ultimately serves EU-based entities covered by the Directive would as a result be affected by the requirements and obligations under both instruments.

Specifically, subsidiaries and branches of Swiss entities registered within the EU which fall under either the EE or the IE classification will have to comply with the Directive, including the requirement to register with the national authority of the relevant Member State, among other things. In this scenario, the parent or affiliated entity in Switzerland may also be indirectly caught by the Directive through the supply chain connection.


[i] See here https://ec.europa.eu/commission/presscorner/detail/en/ip_24_5342.

[ii] See here https://eur-lex.europa.eu/eli/reg_impl/2024/2690/oj.

[iii] See here https://eur-lex.europa.eu/eli/dir/2022/2555.