
EU AI Act: What Swiss companies need to know now


Franco T.

Too Long; Didn't Read

The EU AI Act does not only apply to EU companies. Swiss companies with EU customers are affected. Risk categories, timeline, and what you need to do now.


You are in Switzerland. An EU law. Doesn’t affect you.

Wrong.

If your company uses AI systems whose outputs end up in the EU—whether it’s a CV screening tool for your EU branch, a credit scoring model for EU customers, or a chatbot on your website serving EU visitors—then you are in scope. Article 2 of the EU AI Act is crystal clear: the regulation applies to any provider and operator whose AI output is used in the EU. Company location? Irrelevant.

We see this constantly with our Swiss clients: there is a lack of awareness. And the clock is ticking.

Why the EU AI Act also affects you

The extraterritorial effect is not a side note; it is a core element of the regulation. Similar to the GDPR, which affects Swiss companies with EU customer data, the EU AI Act (Regulation EU 2024/1689) reaches across borders.

Specifically, you fall under the EU AI Act if you:

  • develop or offer AI systems that are used in the EU

  • use AI tools whose output affects EU citizens (HR screening, credit decisions, insurance assessments)

  • sell AI-based products or services to EU customers

  • have subsidiaries or branches in the EU that use AI

This affects more Swiss companies than most people think. Financial service providers with AI-supported credit scoring, pharma and medtech companies using AI in clinical trials, industrial companies with predictive maintenance, HR tech providers with automated applicant screening, insurers with AI risk assessment—AI is used everywhere. And everywhere there are EU links.

(And no, Switzerland does not have its own AI law. The Federal Council is still reviewing whether existing laws are sufficient. Until then: if you do business in the EU, you comply with the EU AI Act.)

The four risk categories: why they matter

The EU AI Act follows a risk-based approach. Not every AI system is treated the same. The category determines your obligations:

Unacceptable risk, prohibited. Since February 2025, certain AI practices have been completely banned. Social scoring by public authorities, manipulative AI that uses subliminal influence, real-time biometric mass surveillance, emotion recognition in the workplace. Anyone deploying such systems risks fines of up to EUR 35 million or 7% of global annual turnover.

High risk, strictly regulated. This is the category that affects most Swiss companies. And most underestimate its scope. High-risk AI systems include, among others: biometric identification, AI in critical infrastructure, education and examination systems, CV screening and personnel decisions, creditworthiness checks, insurance risk assessment. The obligations are extensive: risk management system, technical documentation, logging, human oversight, conformity assessment, EU database registration, and post-market monitoring. Sounds like a lot? It is. But it is manageable if you start early enough.

Limited risk, transparency obligations. Chatbots must disclose that the user is interacting with AI. Deepfakes must be labeled. Emojis and friendly words are not enough; the information must be clear and unmistakable.

Minimal risk, no obligations. Spam filters, AI in video games, simple recommendation systems. The EU recommends voluntary codes of conduct here, but there are no binding requirements.

The question you should ask yourself: Which category do your AI systems fall into? And do you even have an overview of where AI is running in your company?

The timeline: what applies when

The regulation enters into force in stages. That is both helpful and dangerous—helpful because you do not have to implement everything at once. Dangerous because the staggered rollout creates a false sense of security.

February 2025 (already in force): Prohibited AI practices apply. Social scoring, manipulative AI, biometric mass surveillance—anyone still using these is already in breach.

August 2025: Rules for General-Purpose AI (GPAI) models enter into force. Transparency obligations for GPAI providers, technical documentation, compliance with EU copyright law. For GPAI with systemic risk (training compute above 10^25 FLOPs), additional obligations apply. The EU AI Office and the national supervisory authorities begin their work.

August 2026: Full application. All high-risk AI systems must meet all requirements. Conformity assessments, EU database registration, post-market monitoring—everything must be in place.

August 2027: High-risk AI in regulated products (medical devices, machinery, lifts) is integrated into the existing sector-specific regulation.

For Swiss companies, that means: until August 2026 there are fewer than six months left. Anyone operating a high-risk AI system needs 6–12 months of preparation time. The math is simple, and it does not work out if you only start planning now.

The fines: nothing to take lightly

A brief note on the consequences:

  • Violation of prohibited AI practices: up to EUR 35 million or 7% of worldwide annual turnover (the higher amount applies)

  • Violation of high-risk requirements: up to EUR 15 million or 3% of worldwide annual turnover

  • False statements to authorities: up to EUR 7.5 million or 1% of worldwide annual turnover

For SMEs and startups, proportionally lower fines apply, with the lower amount in each case. Still: these are existentially threatening sums, even in the reduced version.

(For context: GDPR fines were also initially "only" theoretical. Meta has now paid over EUR 2 billion in GDPR penalties. The EU is serious.)

What you can do now

Here’s where it gets practical. Six steps we recommend to our clients:

1. Create an AI inventory. Sounds trivial? We have never seen a company that knew all of its AI systems at first glance. Not just the obvious ones (ChatGPT, Copilot), but also embedded AI in purchased tools, your CRM, your HR system, your ERP. Those often have AI features that nobody actively turned on, but which are still running.

2. Carry out risk categorization. Assign every identified AI system to a category based on the EU AI Act criteria. High risk? Limited? Minimal? This classification determines everything that follows.

3. Check the EU nexus. Clarify whether and how your company falls within the extraterritorial scope. EU customers, EU branches, EU users—the connection can be surprisingly direct.

4. Perform a gap analysis against existing compliance. If you are already GDPR-compliant, have ISO 27001, or meet NIS2 requirements, you already have a foundation. An integrated compliance approach reduces effort by 40–60% compared with isolated implementation. Data protection impact assessments, risk management processes, documentation obligations—much of it overlaps.

5. Create a compliance roadmap. Prioritize high-risk systems first. Define milestones, responsibilities, and budget. August 2026 is your deadline for high-risk compliance.

6. Build governance structures. Who is responsible for AI compliance? Which processes ensure that new AI systems are classified before deployment? Monitoring is not a one-time project; it is an ongoing process.

The integrated approach: not another compliance silo

Here’s the thing: most companies already have GDPR programs, ISO certifications, and perhaps NIS2 preparations underway. Now the EU AI Act is being added on top.

The mistake we see: each regulation is treated as a separate project. Separate teams, separate documentation, separate audits. The result? Double the work, triple the cost, zero overview.

We recommend an integrated compliance approach. EU AI Act, GDPR, NIS2, ISO 27001—within one framework. The overlaps are significant: risk management, data protection impact assessments, technical documentation, incident response, monitoring. Bringing these together instead of handling them in isolation not only reduces effort, it actually gives you a real overview of your compliance landscape.

Practical example: a data protection impact assessment, which you already need for GDPR, covers much of the risk assessment required by the EU AI Act for high-risk systems. Your ISO 27001 documentation framework? It can be extended directly for AI technical documentation. These are not theoretical synergies; they mean measurably less work.

The next step

Forget the panic. Forget the 200-page legal texts. Do one thing tomorrow morning: create a list of all AI systems in your company. All of them. Even the ones you "think" are only minimal.

That list is the beginning. Everything else builds on it.

(We help Swiss companies implement the EU AI Act pragmatically, with an integrated compliance framework that combines the EU AI Act, GDPR, NIS2, and ISO 27001. Vendor-neutral, without panic, with a clear roadmap.)

Join us on the journey

Effortlessly schedule a conversation and discover how we bring success in the digital world to your company.


Contact us!

Grabenstrasse 15a

6340 Baar

Switzerland

+41 43 217 86 70

Copyright © 2026 ODCUS | All rights reserved.
