Post by Tobias Undeutsch, June 2025

NIS2 is coming – what Swiss SMEs should do now

The EU's new cybersecurity directive also affects Swiss companies

Since October 2024, the NIS2 Directive (Network and Information Security Directive 2) has been binding in the EU. It replaces the previous NIS Directive and brings significantly stricter requirements for cybersecurity, risk management, and reporting obligations. Even though Switzerland is not part of the EU, Swiss SMEs should urgently familiarize themselves with the new rules, as they are indirectly affected.

Why does NIS2 affect Swiss SMEs?

The directive applies to companies in the EU, but it also covers foreign companies that:

  • Offer services or products in the EU
  • Are part of an EU organization's supply chain
  • Work as IT or cloud service providers for EU customers

Example: A Swiss IT service provider delivering backup services to a German company must meet NIS2 standards, even without an office of its own in the EU.

What does NIS2 specifically require?

NIS2 requires companies to:

Systematic Risk Management

  • Identification, assessment, and documentation of cyber risks
  • Implementation of technical and organizational protection measures

Incident Reporting Obligations

  • Report significant IT incidents within 24 hours
  • Final report within 72 hours

Governance and Responsibilities

  • Appointment of a person responsible for cybersecurity
  • Involvement of management in security decisions

Controls and Sanctions

  • Non-compliance can lead to high fines of up to 10 million EUR or 2% of global turnover
  • Authorities may require audits and security checks

What do SMEs in Switzerland need to do specifically?

Even if many Swiss SMEs do not fall directly under NIS2, they should prepare, especially if they work with EU customers or partners, because compliance is becoming a prerequisite for market access.

Understanding the Risk Landscape

  • Conduct an internal risk analysis: Where are vulnerabilities, which IT systems are critical?
  • Identify interfaces with EU companies through customer contracts, supply chains, online services, etc.

Implement Security Measures

  • Update your firewalls, backup strategies, and access controls
  • Implement Multi-Factor Authentication (MFA) everywhere
  • Use centralized vulnerability management

Establish IT Emergency Management

  • Create an incident response plan
  • Train employees in recognizing and reporting attacks
  • Define escalation paths and communication plans

Documentation and Compliance

  • Document processes, measures, risks, and responsibilities
  • Use an Information Security Management System (ISMS) according to ISO 27001 or an adapted SME-compliant framework like Cyber Seal for IT service providers
  • Include requirements in contracts with service providers

Think Security as a Service

Many SMEs do not have the resources to build their own cybersecurity team. In such cases, it is worth collaborating with Managed Security Service Providers (MSSPs) or specialized IT partners who:

  • Take over security monitoring
  • Conduct vulnerability analyses
  • Support NIS2-compliant documentation and implementation

Where should security incidents be reported?

In most cases, to the national Computer Security Incident Response Team (CSIRT) of the EU country concerned, or to a specially designated supervisory authority.

Examples:

  • Germany: Federal Office for Information Security (BSI)
  • Austria: GovCERT or the Federal Ministry of the Interior
  • France: National Agency for Information Systems Security (ANSSI)
  • Italy: National Cybersecurity Agency (ACN)

Act proactively instead of being surprised

The NIS2 Directive is more than just an "EU issue": it will raise digital security requirements across industries. Swiss SMEs that prepare early not only improve their resilience against cyber attacks but also strengthen the trust of their customers and partners in the EU.

At Backup ONE, we support you on this journey - with secure cloud and backup solutions.
