- The Federal Council recognizes a significant gap in the cyber resilience regulation of digital products in Switzerland compared to the EU Cyber Resilience Act.
- The BACS, OFCOM and SECO are to draw up a consultation draft for legislation on cyber resilience by fall 2026.
- New rules are to regulate safety requirements, market surveillance and bans on unsafe imports, with adaptation to Switzerland as a business location.
The Federal Council notes that specifications for the cyber resilience of digital products are largely absent in Switzerland – unlike in the EU with the Cyber Resilience Act (CRA; see our edited version), and although
Security vulnerabilities in software or hardware […] are a gateway for cyber attacks. If attackers find such a gap, they can penetrate numerous systems in a short space of time. As many individual products are often digitally networked, this can result in major physical or economic damage. In the case of products that are used in critical infrastructures, vulnerabilities can jeopardize national security. Although it is crucial for cybersecurity to avoid security vulnerabilities or to close them quickly, there are hardly any requirements for the cyber resilience of digital products in Switzerland.
The Federal Council wants to change this. On August 20, 2025, it commissioned the Federal Office for Cybersecurity (BACS), in collaboration with the Federal Office of Communications (OFCOM) and the State Secretariat for Economic Affairs (SECO), to develop by fall 2026 a consultation draft on the “Creation of legislation on the cyber resilience of digital products” (media release):
The new legal basis is intended to define the cybersecurity regulations for the development and marketing of products with digital elements, define the implementation of market surveillance for these products and create the basis for a ban on the import and distribution of unsafe devices.
and:
The new legal basis is intended to increase the safety requirements for products with digital elements and thus meet the requirements of the Motion “Implementation of urgently needed cybersecurity audits” 24.3810 of the Security Policy Committee of the Council of States.
The CRA should be “respected”, but the legislation should be “adapted to Switzerland as a business location” and it should be ensured “that the administrative burden on companies is kept as low as possible and that internationally active companies from Switzerland are not additionally burdened by divergent requirements”.