18 critical sectors, stricter cybersecurity requirements and severe penalties: the new EU NIS2 Directive affects more than just companies in the European Union. Swiss SMEs may also fall within its scope, either directly or indirectly – often without even knowing it. It is high time to check whether you are affected.
With penalties of up to €10 million or 2% of global annual turnover, the EU is sending a clear message with NIS2: cybersecurity is no longer a nice-to-have. The new regulatory framework has been in force in all EU member states since October 2024 – with far-reaching consequences for Swiss companies too. What is particularly controversial is that it is not only large corporations and critical infrastructures that are affected. The directive specifically targets medium-sized companies with 50 or more employees. Even suppliers working with EU companies will find it difficult to avoid the new requirements. For many Swiss SMEs, the question is therefore not whether, but how they must implement the NIS2 requirements.
In addition to corporate penalties, which have existed since the GDPR (2015), executives are now also personally liable for proven misconduct. They are obliged to approve risk management measures, monitor their implementation and report security incidents to the authorities and to affected partners, suppliers and customers.
To fulfil these obligations, executives must regularly attend training courses to enable them to assess cyber risks and measures. Violations of this duty of care are punishable by personal penalties, the amount and type of which are determined by the member states – however, they must be ‘effective, proportionate and dissuasive’. In extreme cases, management may even be relieved of their duties until the identified deficiencies have been remedied.
The impact of NIS2 on Swiss companies can be clearly defined: anyone who operates a branch in the EU or offers IT services there falls directly under the directive. This applies to companies that generate annual revenues of more than €10 million in the EU in 2024 or employ more than 50 people there. The consequences are far-reaching: affected companies must introduce systematic risk management, carry out regular security audits and report security incidents within 24 hours. The focus is particularly on IT service providers, cloud providers and companies in the 18 critical sectors.
The scope of NIS2 extends far beyond directly regulated companies. As suppliers to EU companies, Swiss SMEs are increasingly confronted with NIS2 requirements – even without a formal obligation. Large EU corporations must ensure the cybersecurity of their entire supply chain. In concrete terms, this means that Swiss suppliers, for example in the automotive or mechanical engineering industries, must meet the increased security standards. From complete documentation to regular penetration tests – this evidence is already required as standard in EU tenders.
Systematically reviewing your own EU activities is the first important step in clarifying whether you are affected by NIS2. This involves taking a close look at various aspects of your business.
→ If the answer is ‘yes’, you should have your NIS2 obligations reviewed in detail.
For Swiss SMEs, the domestic Information Security Act (ISG) provides a good starting point for NIS2. Both sets of regulations require reporting obligations for cyber incidents and structured risk management. However, NIS2 goes further: it requires specific technical measures and an active role for senior management. Take advantage of the overlaps to create an integrated compliance programme – this saves resources and creates clarity.
Particular attention should be paid to establishing robust risk management and effective incident response. Documenting the measures taken and providing regular staff training are also key success factors.
The second step focuses on technical and organisational measures. The key here is to establish robust security incident management: implement clear processes for 24-hour reporting of security incidents. Establish systematic risk management that takes into account the specific NIS2 requirements. Don't forget the supply chain: your suppliers must also be involved.
The third step concerns the governance structure. NIS2 requires management to play an active role – from approving security measures to regularly reviewing their effectiveness. Define clear responsibilities and escalation paths. It is particularly important to document all decisions and measures in full.
Finally, you need to get your employees on board. Regular training is not only a NIS2 requirement, but also the key to success. Develop an awareness programme that clearly communicates the new requirements and anchors them in everyday work.
The NIS2 Directive presents Swiss SMEs with new challenges – but also offers opportunities. Those who take a systematic approach now will not only be able to implement the requirements efficiently, but also raise their cybersecurity to a new level. MTF Solutions supports you with a proven three-step process:
The EU NIS2 Directive affects more Swiss companies than is apparent at first glance. Not only SMEs with direct EU activities need to take action; suppliers and business partners of EU companies are also increasingly required to meet the stricter cybersecurity standards. It is clear that NIS2 is more than just a regulatory obligation. The directive offers the opportunity to systematically raise your own IT security to a new level and thus gain a competitive advantage.
Let us analyse your NIS2 impact together. Our experts will support you with practical experience and proven solutions – from the initial analysis to successful implementation. Arrange a free initial consultation now!