Swiss Cybersecurity Rules 2025: What SMEs Must Know to Stay Compliant


Are you prepared for the new cybersecurity requirements in Switzerland for 2025?

For Swiss SMEs, the evolving regulatory landscape isn’t just about avoiding penalties - it’s about protecting your business, your clients, and your reputation.

In this blog post, we break down the latest compliance expectations, practical tips for assessing your security maturity, and how keyIT supports SMEs in meeting these obligations with affordable, concrete solutions, such as continuous penetration testing.
 

Why Cybersecurity is No Longer Optional for SMEs

Cybersecurity is often perceived as a technical expense reserved for large companies. But today, every business, regardless of size, is accountable for protecting its data. In 2025, this responsibility is reinforced by the operational enforcement of Swiss federal law.
 

What’s Changing in 2025?

As of 1 April 2025, certain companies in Switzerland are now legally required to report cyberattacks to the Federal Office for Cybersecurity (OFCS). This isn’t a new law, but rather the active application of existing regulations under the Information Security Act.
 
Who Is Affected?
The mandatory reporting applies to companies operating in:
  • Energy and utilities
  • Drinking water distribution
  • Public transport
  • Cantonal or municipal authorities
  • IT security service providers handling sensitive infrastructure
📌 The full list is available under Article 74b of the Information Security Act.
 
What Needs to Be Reported?
Affected organizations must notify the OFCS within 24 hours of detecting an incident, including:
  • Service disruptions affecting critical infrastructure 
  • Data breaches or leaks involving sensitive information 
  • Ransomware attacks or attempts at extortion 
     
A grace period of 14 days is allowed to supplement details once the initial report is submitted.
 
⚠️ By 1 October 2025, financial penalties for non-compliance will be introduced. Now is the time to build the right processes.
 
How to File a Cyberattack Report
There are two reporting options:
  • Mandatory reports for operators of critical infrastructure (via secure OFCS platform) 
  • Voluntary reports for all other businesses (form available on the OFCS website) 
     
Even if you’re not legally obliged, voluntary reporting helps the government identify attack patterns and risks, and signals cybersecurity maturity to clients and partners.
 

7 Key Questions to Assess Your Cybersecurity Maturity

Cyber readiness isn’t just about technology—it’s about awareness, planning, and resilience. Here are seven checkpoints SMEs should review:
  1. Visibility: Do you regularly conduct audits or penetration tests to monitor security levels? 
  2. Backups: Are your backups encrypted, externalized, and tested regularly for recovery? 
  3. Awareness: Are your employees trained to recognize threats and follow security protocols? 
  4. Device Control: Are personal devices restricted from accessing sensitive company data? 
  5. Multi-Factor Authentication (MFA): Is MFA activated on all key accounts and systems? 
  6. System Updates: Are all infrastructure components supported and patched? 
  7. Incident Response: Do you have a response plan documented and ready? 
 
If you answered “NO” to any of the above, it’s time to take action.
 

What keyIT Offers to Support SMEs

At keyIT, we understand that SMEs often lack the resources of larger enterprises. That’s why our solutions are tailored to be practical, affordable, and easy to implement, without compromising on effectiveness.
 
✔  Autonomous Penetration Testing
We offer automated pentest solutions powered by NodeZero®, simulating attacks from both internal and external sources. These tools identify vulnerabilities and provide clear remediation plans, capabilities once reserved for large corporations.
✔  Security Audits and Planning
Our team helps SMEs define a roadmap for cybersecurity based on current maturity. With the help of a dedicated Security Officer, we collaborate with your IT providers to prioritize projects and ensure full coverage.
✔  Advisory and Accompaniment
We go beyond software - keyIT provides expert support to interpret your security landscape, avoid redundant investments, and build long-term resilience.
 

4 Immediate Actions to Improve Your Cybersecurity

Don’t wait for October. Here are four steps you can take today:
  1. Ask your IT provider: When was our last penetration test and backup recovery test? 
  2. List critical systems: Is MFA enabled across all of them? 
  3. Appoint a cybersecurity contact: Even a one-page checklist can make a difference. 
  4. Schedule a basic security audit: If you’ve never had one, now’s the time. 
     
Cybersecurity in 2025 isn’t a technical add-on - it’s a fundamental business responsibility. For SMEs, it’s no longer a question of “if” but “when” a cyber incident will occur. Proactivity, preparation, and partnerships are key.
 

Want to know where your business stands?

Schedule your free initial cybersecurity consultation with keyIT now.

Or explore our services for SMEs: managed IT services KITO and pentest NodeZero®.

🎥 Watch the full LinkedIn webinar on Swiss SME cybersecurity 2025.