Part 14 of our series on data protection law in Switzerland
In this part of our series, we analyse whether, and under which circumstances, personal data breaches must be notified to the competent authorities in Switzerland.
Notification obligations under the Swiss Federal Act on Data Protection (FADP)
Under the revised Swiss Federal Act on Data Protection (FADP), time is of the essence when a data security breach occurs. If a data security breach is likely to lead to a high risk to the personality or fundamental rights of the individuals affected, controllers are legally required, under Art. 24(1) FADP, to notify the Federal Data Protection and Information Commissioner (FDPIC) as quickly as possible.
To determine the risk level, controllers must carefully assess both the severity of the potential consequences and the likelihood that these consequences will materialise. According to the FDPIC's guidance [1], the severity of the consequences should be assessed on the basis of factors such as the sensitivity of the data concerned, the nature and circumstances of the breach, the effort required to identify the affected persons, and the total number of persons and volume of data affected. Security measures taken only after the breach do not count towards lowering the likelihood that the consequences will occur.
Notifications to the FDPIC shall be made via the dedicated online reporting portal [2].
Notification obligations under other laws
According to the revised Swiss Information Security Act (ISA), operators of critical infrastructures must, as of 1st April 2025, report any cyberattack on their IT infrastructure to the National Cyber Security Centre (NCSC) within 24 hours. The details of, and exemptions from, the reporting obligation are regulated in the Cybersecurity Ordinance [3], which entered into force on 1st April 2025. The reporting obligation under the ISA applies to any cyberattack, irrespective of whether personal data is involved.
Following the EU Network and Information Security Directive (NIS 2), Swiss companies in the critical sectors defined in Annex I and II of NIS 2 [4] may furthermore be subject to cybersecurity incident reporting obligations under NIS 2 if they provide services or carry out activities in the EU, or if they form part of the supply chain of a European company that falls within the scope of NIS 2.
To learn more about personal data breach prevention and response strategy, you may also read our contribution to the Legal500 Data Protection Cybersecurity Guide here.
For a more detailed overview of Swiss cybersecurity legislation, you may consult our contribution to the ICLG Cybersecurity Laws and Regulations Report 2025 here.
Preview of Part 15
In part 15 of our series, we will examine the penalties for violating Swiss data protection laws.
Footnotes
[2] https://databreach.edoeb.admin.ch/report
[3] https://www.fedlex.admin.ch/eli/oc/2025/169/de (only available in German)
[4] This includes sectors such as energy, transport, banking, health, water, digital infrastructure, postal and courier services, waste management, chemicals, food, medical devices, digital providers, etc. The full list can be found in Annex I and II of the NIS 2 Directive: https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32022L2555
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.