Swiss Compliance Made Simple: nDSG, FINMA & Beyond
Switzerland occupies a unique position in the European regulatory landscape. As a non-EU member with deep economic ties to the European Union, Switzerland has developed its own distinct compliance framework that blends internationally recognised standards with Swiss-specific requirements. For organisations operating in or serving the Swiss market, understanding this regulatory environment is not optional — it is essential.
From the newly revised Federal Act on Data Protection to FINMA's stringent financial regulations, Swiss compliance demands a multi-faceted approach. This guide breaks down the key frameworks you need to know and explains how to build a policy programme that satisfies them all.
Switzerland's Unique Regulatory Landscape
Unlike EU member states that implement directives from Brussels, Switzerland crafts its own legislation while keeping a close eye on EU developments. The result is a regulatory environment that often mirrors the EU in substance but diverges in important procedural details.
Swiss organisations must navigate a layered system of federal laws, cantonal regulations, and industry-specific requirements. The key frameworks include:
- nDSG (neues Datenschutzgesetz): The revised Federal Act on Data Protection
- FINMA: Financial Market Supervisory Authority regulations
- OR (Obligationenrecht): The Swiss Code of Obligations for corporate governance
- ArG (Arbeitsgesetz): Swiss Employment Law requirements
- Industry-specific regulations: Banking secrecy laws, pharmaceutical regulations, and cantonal requirements
The challenge for compliance teams is that these frameworks overlap and interact. A single business process — say, processing employee health data at a bank — can trigger obligations under the nDSG, FINMA circulars, employment law, and cantonal health regulations simultaneously.
The New Swiss Federal Act on Data Protection (nDSG/FADP)
On 1 September 2023, Switzerland's completely revised Federal Act on Data Protection (nDSG, also known as the FADP) came into effect, replacing the original 1992 Data Protection Act (DPA). This was not a minor update — it was a comprehensive overhaul designed to align Swiss data protection law with the EU's General Data Protection Regulation (GDPR) while retaining distinctly Swiss characteristics.
Key distinction: Unlike the GDPR, the nDSG imposes penalties on individuals (the responsible decision-makers), not on companies. Fines can reach up to CHF 250,000 per violation. This personal liability makes compliance a C-suite priority in a way that corporate fines sometimes do not.
Core nDSG Requirements for Your Policies
Your organisation's policies must address these nDSG obligations:
- Privacy by design and by default: Technical and organisational measures must be built into processes from the outset, and the most privacy-friendly settings must be the default
- Data Protection Impact Assessments (DPIAs): Required when processing poses a high risk to the personality or fundamental rights of data subjects
- Breach notification: Data breaches must be reported to the FDPIC (Federal Data Protection and Information Commissioner) "as quickly as possible" — note that Switzerland does not impose the GDPR's strict 72-hour deadline, but delays must be justified
- Record of processing activities: Mandatory for organisations with 250 or more employees, or those processing sensitive data at scale
- Cross-border data transfers: Data may only be transferred to countries with adequate data protection levels, as determined by the Federal Council. The EU's adequacy decision for Switzerland simplifies data flows between Swiss and EU entities
- Data subject rights: Individuals have the right to access, rectify, and request deletion of their personal data, as well as the right to data portability
The FDPIC: Switzerland's Supervisory Authority
The Federal Data Protection and Information Commissioner (FDPIC) is Switzerland's equivalent of the UK's ICO or France's CNIL. The FDPIC oversees compliance with the nDSG, investigates complaints, and can order organisations to modify or cease data processing activities. Unlike some EU data protection authorities, the FDPIC does not have the power to impose fines directly — criminal proceedings are handled through the cantonal courts.
FINMA Regulations for Financial Services
Switzerland's reputation as a global financial centre means that FINMA (the Swiss Financial Market Supervisory Authority) plays an outsized role in the regulatory landscape. If your organisation operates in banking, insurance, asset management, or fintech, FINMA compliance is non-negotiable.
Key FINMA Requirements
- FINMA Circular 2023/1 (Operational Risks and Resilience): Requires comprehensive policies for managing operational risks, including IT security, business continuity, and outsourcing
- Anti-Money Laundering (AML): Detailed KYC (Know Your Customer) policies, transaction monitoring procedures, and suspicious activity reporting protocols
- Outsourcing requirements: Strict policies governing the outsourcing of essential business functions, including cloud services and IT infrastructure
- Data management: Policies for data classification, retention, and protection that align with both FINMA expectations and the nDSG
- Cybersecurity: Incident response plans, vulnerability management policies, and regular penetration testing requirements
FINMA-regulated institutions must maintain a documented policy framework that is reviewed and approved by senior management at least annually. Policies must be readily available to FINMA auditors upon request.
Swiss Code of Obligations (OR) Corporate Governance
The Obligationenrecht (OR) — Switzerland's Code of Obligations — sets the baseline for corporate governance requirements. Recent revisions have strengthened these obligations considerably.
Policy Requirements Under the OR
- Internal control systems: Companies must establish and maintain an internal control system (ICS) proportionate to their size and complexity (Art. 728a OR)
- Risk management: The board of directors is responsible for establishing a risk management framework, which must be documented in policy form
- Financial reporting policies: Clear policies governing financial statement preparation, audit procedures, and disclosure requirements
- Whistleblower protections: While Switzerland does not yet have a standalone whistleblower protection law at the federal level, the OR's provisions on employment contracts create implicit protections that should be reflected in internal policies
- Supply chain due diligence: New non-financial reporting obligations require larger companies to maintain policies on environmental matters, social issues, human rights, and anti-corruption
Swiss Employment Law (ArG) Policy Requirements
The Arbeitsgesetz (ArG) and its associated ordinances establish comprehensive requirements for workplace policies. Swiss employment law is notably employee-friendly, and failure to maintain proper policies can expose organisations to significant liability.
Mandatory Workplace Policies
- Working hours and rest periods: Policies must document maximum working hours (45 hours/week for industrial workers, 50 hours for others), overtime rules, and mandatory rest periods
- Health and safety: Comprehensive workplace safety policies are required under the ArG and the Accident Insurance Act (UVG)
- Equal treatment and non-discrimination: The Gender Equality Act (GlG) requires policies preventing workplace discrimination and sexual harassment, including a formal complaints procedure
- Data protection in employment: Employee data processing policies must comply with both the nDSG and specific employment law provisions under Art. 328b OR
- Remote work (Homeoffice): Since the pandemic, formal remote work policies have become a practical necessity, covering equipment provision, expense reimbursement, data security, and working hour documentation
Important: Swiss employment contracts and policies must typically be provided in the employee's working language. For multilingual Switzerland, this often means maintaining policies in German, French, and Italian — and sometimes English for international teams.
How PolicySuite Simplifies Swiss Compliance
Managing compliance across the nDSG, FINMA, OR, and ArG simultaneously is a significant undertaking. PolicySuite is purpose-built to make this manageable.
145+ Swiss-Specific Policy Templates
PolicySuite includes over 145 policy templates specifically tailored to Swiss regulatory requirements. These are not generic international templates with a Swiss label — they are drafted to reflect Swiss legal terminology, reference the correct articles of Swiss law, and address the specific obligations of Swiss regulatory frameworks. Templates cover:
- nDSG data protection policies (privacy notices, DPIA procedures, breach notification protocols, cross-border transfer assessments)
- FINMA compliance policies (AML/KYC, operational risk management, outsourcing governance, cybersecurity incident response)
- OR corporate governance policies (ICS documentation, risk management frameworks, board reporting procedures)
- ArG employment policies (working time regulations, health and safety, equal treatment, remote work frameworks)
Multi-Language Support (DE/FR/IT)
Switzerland's trilingual business environment creates a unique challenge for policy distribution. PolicySuite supports policy distribution in German, French, and Italian, ensuring that every employee receives policies in their working language. This is not just a convenience — it is a legal requirement in many cantons and under various collective labour agreements.
PolicySuite's distribution engine allows you to assign language preferences at the employee, department, or office level, so policies are automatically delivered in the correct language without manual intervention.
CHF Billing and Swiss VAT (MWST)
PolicySuite supports billing in Swiss Francs (CHF) with proper Swiss VAT (MWST) handling at the current rate of 8.1%. Invoices are formatted to meet Swiss accounting requirements, making expense reconciliation straightforward for your finance team. No currency conversion headaches, no VAT confusion.
Automated Compliance Mapping
Every PolicySuite template is mapped to the specific regulatory requirements it satisfies. When a FINMA auditor asks to see your outsourcing policy, you can demonstrate not only the policy itself but also exactly which FINMA circular provisions it addresses. This audit-ready mapping saves compliance teams dozens of hours during regulatory examinations.
Building Your Swiss Compliance Programme
Here is a practical roadmap for organisations looking to establish or strengthen their Swiss compliance framework:
- Conduct a regulatory gap analysis: Map your current policies against nDSG, FINMA, OR, and ArG requirements to identify gaps
- Prioritise by risk: Address nDSG and FINMA requirements first, as these carry the most significant penalties for non-compliance
- Draft and localise policies: Create policies in all required languages, ensuring consistency across translations
- Distribute and obtain acknowledgements: Use automated distribution to ensure every employee receives, reads, and acknowledges relevant policies
- Establish a review cycle: Swiss regulations evolve regularly — schedule annual policy reviews at minimum, with more frequent reviews for rapidly changing areas like data protection and financial regulation
- Document everything: Swiss regulators expect detailed records of your compliance activities, including policy version histories, distribution logs, and acknowledgement rates
Ready to Simplify Swiss Compliance?
PolicySuite's Swiss Compliance Pack includes 145+ templates mapped to nDSG, FINMA, OR, and ArG requirements — with full DE/FR/IT language support and CHF billing.