Cybersecurity · Zurich · CH / EU

Security that pays.

We approach cybersecurity from an adversarial-economic perspective — investment must match the value of the information at stake. That negotiation belongs where decisions are actually made: between board, legal, and compliance.

What we do

Three disciplines, one doctrine.

From strategic positioning through legally defensible valuation to regulatory practice. Sector- and size-agnostic, from SME to multinational.

01 / Strategy

Strategy that bridges.

We work at the level where security decisions are actually made — between board, legal, and compliance. Need-to-protect, doctrine, and investment logic are not delegated here; they are negotiated.

  • Security doctrine & strategic positioning
  • Asset valuation & risk economics
  • Investment prioritisation & security portfolio
  • Bridge function to legal, compliance & audit
  • Board & supervisory dialogue
02 / Valuation

Security, legally defensible.

Independent assessments that hold up before insurers, in due diligence, and in proceedings. We quantify what others merely assert — state of the art, duty of care, loss potential.

  • Insurer-ready reports (premium & claim cases)
  • Cyber lens in due diligence (M&A · investments)
  • State-of-the-art & duty-of-care — audit-proof
  • Proceedings support (arbitration · supervisor)
  • Loss-potential modelling
03 / Regulation

Regulation, put into practice.

We translate directives into operational reality — without buzzword theatre, with verifiable trails. Strong at the Switzerland / EU interface, from entry into force to audit.

  • NIS-2 & Cyber Resilience Act
  • Swiss ISG & BACS reporting duties
  • ISO 27001 / 27002
  • FINMA · DORA · sector-specific
  • Audit-readiness & defensibility before regulators
The regulatory landscape

Europe is tightening the perimeter.
What does that mean for Switzerland?

With the NIS-2 Directive and the Cyber Resilience Act, the EU is articulating its most comprehensive cybersecurity expectation to date. Swiss companies are not directly bound — but via EU subsidiaries, EU markets, and supply chains the pressure passes through almost without gap.

24 h: early warning for significant incidents, under NIS-2 and, for operators of critical infrastructure, under the Swiss ISG since 1 April 2025.
€10 m: maximum NIS-2 fine for "essential" entities, or 2% of worldwide annual turnover, whichever is higher.
2027: full application of the Cyber Resilience Act from 11 December 2027; reporting duties already begin on 11 September 2026.

The NIS-2 Directive replaces the original 2016 NIS Directive and moves cybersecurity definitively out of the IT basement and into the boardroom. It covers not only classical critical infrastructure but also manufacturers of critical products, digital services, waste management, public administration, and a substantial share of manufacturing.

Addressees fall into two categories — "essential" and "important" entities. The difference lies mainly in the intensity of oversight and the fine ceiling. For both, executive management bears personal responsibility.

  • Scope: 18 sectors, medium and large enterprises. Energy, transport, banking, healthcare, water, digital infrastructure, administration, food, industry, research and others.
  • Duties: risk management, security concepts, supply-chain due diligence. Including multi-factor authentication, incident handling, crisis management, encryption.
  • Reporting: 24 h early warning · 72 h notification · 1 month final report. To the competent national authority or CSIRT.
  • Sanctions: up to €10 m or 2% of annual turnover (essential) · €7 m / 1.4% (important). Personal liability of executive bodies; temporary disqualification from management functions possible.
NIS-2 elevates cybersecurity into a compliance discipline on par with data protection or anti-money-laundering — with verifiable duties and meaningful sanctions instead of pious wishes.

While NIS-2 governs the security of organisations, the Cyber Resilience Act (CRA) addresses the security of products — more precisely, all "products with digital elements" placed on the EU internal market. From the IoT sensor via industrial components to standalone software.

The direction is unambiguous: security-by-design becomes mandatory, the CE mark will include cybersecurity, and responsibility does not end at the sale — manufacturers must guarantee product-specific vulnerability management and security updates for the defined "support period".

  • Scope: all products with digital elements on the EU market. Hardware, software, networked components; importers and distributors carry duties of their own.
  • Core duties: security-by-design · vulnerability management · updates. Conformity assessment before market entry; security updates across the defined support period (in general at least five years).
  • Reporting: actively exploited vulnerabilities and severe incidents from 11 September 2026. Notification via the single reporting platform to ENISA and the national CSIRTs within 24 / 72 hours.
  • Sanctions: up to €15 m or 2.5% of worldwide annual turnover. Market withdrawal and CE revocation as additional measures available.
Anyone supplying products to the EU market must now carry cybersecurity on the bill of materials — with the same matter-of-fact rigour as electrical safety or EMC.

Switzerland is not an EU Member State — the NIS-2 Directive and the CRA do not apply directly. It is nevertheless an illusion to think Swiss companies are unaffected. The effect travels through three channels, and it is real.

i · EU subsidiaries

An establishment in the EU is directly subject to the local NIS-2 transposition — with all reporting duties and fine ceilings.

ii · Services into the EU market

Anyone offering digital services from Switzerland into the EU (cloud, managed services, DNS) often falls directly within scope. Such providers without an EU establishment must designate a representative in a Member State, which then has jurisdiction over them.

iii · Supply chain

EU customers are required to vet their suppliers on cybersecurity. NIS-2 is thus passed "downstream" — through contracts rather than statutes.

In parallel, Switzerland is tightening its own framework. The Information Security Act (ISG) has been in force since January 2024; since 1 April 2025, a 24-hour reporting duty applies to operators of critical infrastructure vis-à-vis the Federal Office for Cybersecurity (BACS). Breaches can be fined up to CHF 100,000. An expansion of scope towards NIS-2 logic is foreseeable.

The central question is not "are we compliant?" but "are we resilient — and can we prove it?" Anyone who wants answers should have them before the incident, not after.
Timeline

What goes live when.

The regulatory wave does not start in 2027 — it has been in motion since 2024. The dates below are the pillars. Preparation begins several quarters earlier.

  1. 01 · 2024
    Swiss ISG enters into force (1 January 2024). First reporting duties for federal bodies and operators of critical infrastructure.
  2. 10 · 2024
    NIS-2 applicable in the EU (17 October 2024). Deadline for national transposition; scope multiplied roughly fivefold compared with the 2016 directive.
  3. 12 · 2024
    Cyber Resilience Act enters into force (10 December 2024). Transition phases begin; manufacturers recalibrate product lifecycles.
  4. 04 · 2025
    CH: 24-hour reporting duty active (1 April 2025). BACS notification mandatory for operators of critical infrastructure.
  5. 09 · 2026
    CRA reporting duties begin (11 September 2026). Actively exploited vulnerabilities and severe incidents become reportable; this is where manufacturers feel the CRA first.
  6. 12 · 2027
    Full application of the CRA (11 December 2027). Conformity for every market entry; no CE without cyber.

No sales pitch.
Fifteen minutes of clarity about what you actually need to protect.

For sensitive matters, please use Threema or Signal — not unencrypted email