
Franco T.,
Too Long; Didn't Read
NIS2 affects more companies than expected: critical infrastructure and key sectors with 50 or more employees or more than 10 million euros in annual revenue. Swiss companies are affected if they serve EU customers or are part of an EU supply chain. New: management can be held personally liable.

The EU NIS2 Directive has applied across the EU member states since October 2024. For many Swiss companies, this means they are affected, even if they are headquartered outside the EU. Anyone with EU customers, part of an EU supply chain, or subsidiaries operating in the EU must address the requirements.
That sounds like yet another compliance project. In our experience, it is — but one that is worthwhile if approached properly. NIS2 forces you to answer questions you would need to answer anyway for operational resilience: Which systems are critical? Who is responsible if something goes down? How quickly can you respond to an attack?
This guide explains who NIS2 affects, what the requirements actually mean, and how to plan an implementation that does not take two years.
What exactly is NIS2?
NIS2 stands for "Network and Information Security Directive 2" — the second version of the EU directive on network and information security.
The first NIS Directive came into effect in 2016. In practice it was too vague, covered too few companies, and was barely enforced. The EU concluded that this was not enough.
So NIS2 came along. Adopted at the end of 2022, with a transposition deadline of 17 October 2024 for EU member states.
What is different?
First: The scope has been massively expanded. Where the old NIS Directive covered only a handful of sectors (energy, health, transport), NIS2 now covers 18 sectors.
Second: The requirements are much more specific. No longer "you should maybe think about cybersecurity sometime," but clear requirements for risk management, incident response, supply chain security, etc.
Third: The penalties have real teeth. Up to 10 million euros or 2% of global annual revenue, whichever is higher. And, this is new, personal liability for the executive management.
And for Swiss companies?
Switzerland is not in the EU. We are not required to adopt EU directives one-to-one.
Even so, for Swiss companies the rule is: if your company has subsidiaries in the EU, provides critical services to EU customers, is part of the supply chain of EU companies, or operates in the EU — NIS2 cannot be ignored. Your EU partners will require proof of compliance. Contracts will include NIS2 clauses.
We saw this with GDPR: in practice, many Swiss companies had to become GDPR-compliant, even though the Swiss FADP was somewhat different in nature. NIS2 will likely play out in a similar way.
Does NIS2 apply to your company?
NIS2 distinguishes between two categories:
1. Essential Entities
Energy: electricity, gas, oil, district heating, hydrogen
Transport: aviation, rail, maritime, road transport
Banking & financial market infrastructure
Healthcare: hospitals, laboratories, research institutions, pharma
Drinking water & wastewater
Digital infrastructure: internet exchange points, DNS providers, TLD registries, cloud services, data centers
Space: satellite operators
Public administration (central and regional government)
2. Important Entities
Postal and courier services
Waste management
Chemical production & distribution
Food production & distribution
Manufacturing: medical devices, computers/electronics, machinery, vehicles
Digital services: online marketplaces, search engines, social media platforms, B2B SaaS
Research organizations
The EU wanted to cover all sectors that could seriously impact the economy or society in the event of a cyberattack.
The size thresholds
You are affected if you have 50 or more employees OR more than 10 million euros in annual revenue (the EU definition of a medium-sized enterprise).
Some entities are in scope regardless of size, for example DNS service providers, TLD name registries, trust service providers and sole providers of a service that is essential for society. So if you operate in a critical area, do not count on the size threshold to keep you out.
The Swiss self-assessment check
1. Sector check:
[ ] Is my company active in one of the 18 NIS2 sectors?
[ ] Do I operate critical infrastructure (energy, transport, health)?
[ ] Do I offer digital services (cloud, SaaS, data center)?
2. Size check:
[ ] Do I have 50+ employees?
[ ] Does my annual revenue exceed 10 million euros?
3. EU exposure check:
[ ] Do I have branches or subsidiaries in the EU?
[ ] Are my customers EU companies in regulated sectors?
[ ] Am I part of the supply chain of companies subject to NIS2?
[ ] Do I process data of EU citizens or companies?
If you answer at least one question per category with "Yes": welcome to the NIS2 club.
The gray area: Swiss specifics
Switzerland will probably develop its own cybersecurity law, similar to how we have the FADP for data protection instead of GDPR. So even if you are focused purely on the Swiss market: the direction is clear. Becoming NIS2-compliant is also good preparation for purely Swiss companies.
The 10 most important NIS2 requirements
Now it gets specific. What exactly does NIS2 require from you?
1. Risk management
You must systematically identify, assess, and manage your cyber risks. Regular risk analyses, documented assessment methodology, prioritization by criticality, action plan. NIS2 requires that you document it and can demonstrate it. Most companies do informal risk analyses — NIS2 wants formal processes.
2. Incident response (24-hour reporting requirement)
You must report significant cybersecurity incidents to the competent national authority or CSIRT in stages: an early warning within 24 hours of becoming aware of the incident, an incident notification within 72 hours with an initial assessment of severity and impact, and a final report within one month. This requires an incident response plan, clear escalation paths, and a defined reporting process, including someone who is authorized to file the early warning at 3 a.m. on a Sunday. For Swiss companies: there is currently no national 24-hour reporting requirement. But if you serve EU customers, you must comply with their rules.
3. Business continuity & disaster recovery
You need a plan for restoring operations after a cyberattack. Business continuity plan, disaster recovery plan, backup strategy with regular tests, defined RTO and RPO (recovery time objective: how long a restore may take; recovery point objective: how much data you may lose). "We have backups" is not enough. You must show that you can also restore them, within the RTO, and that the restored data is complete and intact. We repeatedly see this: backups exist, but the restore procedure was never tested.
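What a tested restore looks like in practice, as an added example that is not part of the original guide: the script below backs up a constructed sample dataset to a tar.gz archive with a JSON manifest of SHA-256 hashes (a stand-in for whatever backup product you actually use), restores it into scratch space, verifies every file against the manifest, and checks the measured restore time against the RTO and the backup's age against the RPO. The function names, the archive format and the 4-hour/24-hour objectives are assumptions for illustration. Note the member check before extraction: restoring an archive that an attacker may have touched must not become a path-traversal primitive.

```python
"""Restore drill: restore a backup into scratch space, verify it, and check RTO/RPO.
Added example for this guide, not tooling from the original page. The backup format
(tar.gz plus a JSON manifest of SHA-256 hashes) stands in for your real backup product."""
import hashlib
import json
import tarfile
import tempfile
import time
from datetime import datetime, timedelta, timezone
from pathlib import Path


def sha256_tree(root: Path) -> dict:
    """Relative path -> SHA-256 of every regular file below root."""
    return {
        str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def _write_archive(src: Path, archive: Path) -> None:
    with tarfile.open(archive, "w:gz") as tar:
        for p in sorted(src.rglob("*")):
            if p.is_file():
                tar.add(str(p), arcname=str(p.relative_to(src)))


def create_backup(src: Path, dest_dir: Path) -> tuple:
    """Write the archive and a sidecar manifest recording what it is supposed to contain."""
    archive, manifest = dest_dir / "backup.tar.gz", dest_dir / "backup.manifest.json"
    manifest.write_text(json.dumps(sha256_tree(src), indent=1))
    _write_archive(src, archive)
    return archive, manifest


def _safe_members(tar: tarfile.TarFile):
    """Refuse absolute paths, '..' components, links and special files. A restore
    must not become a path-traversal primitive if someone tampered with the backup."""
    for m in tar.getmembers():
        if m.name.startswith("/") or ".." in Path(m.name).parts or not (m.isfile() or m.isdir()):
            raise ValueError(f"unsafe archive member: {m.name}")
        yield m


def restore_drill(archive: Path, manifest: Path, rto: timedelta, rpo: timedelta,
                  now: datetime = None) -> dict:
    """Restore into scratch space and report whether the backup is complete, intact,
    fresh enough (RPO) and restorable fast enough (RTO)."""
    now = now or datetime.now(timezone.utc)
    expected = json.loads(manifest.read_text())
    backup_age = now - datetime.fromtimestamp(archive.stat().st_mtime, timezone.utc)
    start = time.monotonic()
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive, "r:gz") as tar:
            tar.extractall(scratch, members=_safe_members(tar))
        actual = sha256_tree(Path(scratch))
    elapsed = timedelta(seconds=time.monotonic() - start)
    missing = sorted(set(expected) - set(actual))
    corrupted = sorted(f for f in expected if f in actual and actual[f] != expected[f])
    result = {
        "files_expected": len(expected),
        "files_restored": len(actual),
        "missing": missing,
        "corrupted": corrupted,
        "restore_seconds": round(elapsed.total_seconds(), 3),
        "rto_met": elapsed <= rto,
        "backup_age_hours": round(backup_age.total_seconds() / 3600, 2),
        "rpo_met": backup_age <= rpo,
    }
    result["passed"] = not missing and not corrupted and result["rto_met"] and result["rpo_met"]
    return result


def run_drill_demo(backup_age_hours: float = 0.0, tamper: bool = False) -> dict:
    """Build a constructed sample dataset, back it up and run the drill.
    backup_age_hours simulates a stale backup; tamper simulates an archive whose
    contents silently diverged from what the manifest says was backed up."""
    with tempfile.TemporaryDirectory() as work:
        work = Path(work)
        src = work / "data"
        (src / "config").mkdir(parents=True)
        (src / "customers.db").write_bytes(b"constructed sample data, not real records")
        (src / "config" / "app.yaml").write_text("mode: prod\n")
        archive, manifest = create_backup(src, work)
        if tamper:
            (src / "customers.db").write_bytes(b"silently corrupted content")
            _write_archive(src, archive)  # manifest deliberately left unchanged
        now = datetime.now(timezone.utc) + timedelta(hours=backup_age_hours)
        return restore_drill(archive, manifest, rto=timedelta(hours=4),
                             rpo=timedelta(hours=24), now=now)


if __name__ == "__main__":
    print(json.dumps(run_drill_demo(), indent=1))
    print(json.dumps(run_drill_demo(backup_age_hours=48), indent=1))
```

Run something like this on a schedule against the newest real backup and keep the JSON output; that is the evidence an auditor asks for when you say "we test our restores". A result with an empty `corrupted` list but `rpo_met` false is the typical finding: backups exist, but the last good one is too old.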
4. Supply chain security
You are responsible for the cybersecurity of your suppliers and service providers. Security assessment of critical suppliers, contractual security requirements, incident notification clauses. You cannot audit every supplier. But you must identify the critical ones and know their security level. The 2020 SolarWinds attack showed that your weakest link is often not in your own house, but in the supply chain.
5. Network security
Segmentation (Zero Trust approach), firewalls and intrusion detection/prevention, VPN for remote access, network monitoring. More on this: Zero Trust — Where do I actually start?
Many companies have "flat networks" — everything can communicate with everything. That is the opposite of what NIS2 wants.
6. Access control
Multi-factor authentication everywhere, least privilege principle, regular access reviews, privileged access management for admin accounts. MFA is not optional in 2025. And SMS-based MFA is not enough: it is phishable and exposed to SIM swapping. Use authenticator apps as the baseline and phishing-resistant methods (FIDO2/WebAuthn hardware tokens or passkeys) for administrators and other privileged users.
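An access review you can actually run, added here as an example and not taken from the original page: it walks an identity export (a constructed sample, in the shape most identity providers can export) and flags accounts with no MFA, SMS-only MFA, privileged accounts without phishing-resistant MFA, dormant accounts, and administrator roles held by a daily-use identity. Role names, MFA method labels and the 90-day dormancy threshold are assumptions; adapt them to your directory.

```python
"""Access review over an identity export. Added example for this guide, not code
from the original page; the export format, role names and thresholds are assumptions."""
from datetime import date, timedelta

PRIVILEGED_ROLES = {"domain-admin", "global-admin", "backup-operator", "db-admin"}  # assumed naming
PHISHING_RESISTANT = {"fido2", "passkey", "smartcard"}
WEAK_MFA = {"sms", "voice", "email"}

# Constructed sample export (not real accounts), one record per identity.
SAMPLE_EXPORT = [
    {"user": "alice", "roles": ["domain-admin"], "mfa": "fido2", "last_login": "2025-05-30", "enabled": True},
    {"user": "bob", "roles": ["helpdesk"], "mfa": "sms", "last_login": "2025-05-28", "enabled": True},
    {"user": "carol", "roles": ["domain-admin"], "mfa": "totp", "last_login": "2025-01-10", "enabled": True},
    {"user": "dave", "roles": ["developer"], "mfa": "none", "last_login": "2025-05-29", "enabled": True},
    {"user": "frank", "roles": ["developer", "db-admin"], "mfa": "fido2", "last_login": "2025-05-31", "enabled": True},
    {"user": "erin", "roles": ["finance"], "mfa": "totp", "last_login": "2024-11-02", "enabled": False},
]


def review_accounts(accounts, as_of: str, dormant_days: int = 90) -> dict:
    """Return {user: [finding codes]} for every enabled account that violates a rule."""
    today = date.fromisoformat(as_of)
    findings = {}
    for acct in accounts:
        if not acct.get("enabled", True):
            continue  # disabled accounts cannot authenticate; nothing to review here
        issues = []
        roles = set(acct["roles"])
        privileged = roles & PRIVILEGED_ROLES
        mfa = acct.get("mfa", "none").lower()
        if mfa == "none":
            issues.append("NO_MFA")
        elif mfa in WEAK_MFA:
            issues.append("WEAK_MFA_" + mfa.upper())
        if privileged and mfa not in PHISHING_RESISTANT:
            issues.append("PRIV_WITHOUT_PHISHING_RESISTANT_MFA")
        if privileged and roles - PRIVILEGED_ROLES:
            # PAM basic: admin rights belong on a separate identity, not the one used for e-mail
            issues.append("ADMIN_ROLE_ON_DAILY_ACCOUNT")
        last = date.fromisoformat(acct["last_login"]) if acct.get("last_login") else None
        if last is None or today - last > timedelta(days=dormant_days):
            issues.append("DORMANT_PRIVILEGED" if privileged else "DORMANT")
        if issues:
            findings[acct["user"]] = issues
    return findings


def summarize(findings: dict) -> dict:
    """Count findings by code; this is the number that goes into the management report."""
    counts = {}
    for issues in findings.values():
        for code in issues:
            counts[code] = counts.get(code, 0) + 1
    return counts


if __name__ == "__main__":
    found = review_accounts(SAMPLE_EXPORT, as_of="2025-06-01")
    for user, codes in found.items():
        print(f"{user:8} {', '.join(codes)}")
    print(summarize(found))
```

Run this quarterly (the cadence the roadmap below uses for access reviews), feed it the real export, and treat a dormant privileged account as a disable-today item rather than a ticket.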
7. Cryptography & encryption
Modern TLS for all connections (TLS 1.3, or TLS 1.2 with strong cipher suites where 1.3 is not yet possible), encrypted databases, encrypted backups, and documented key management. NIS2 itself asks for policies and procedures on the use of cryptography and, where appropriate, encryption, rather than prescribing specific protocols, so the written policy and its evidence matter as much as the settings. "Our data is in the cloud, it is secure" is not enough. You need to know who holds the encryption keys and who can use them.
8. Employee training
Annual security awareness training, phishing simulations, incident reporting training, role-specific training. Phishing and social engineering remain the most common way an attacker gets a first foothold. The most annoying compliance training in the world is also the most important.
9. Security testing & audits
Vulnerability scans (monthly or quarterly), penetration tests (annually), security audits. "We have never been attacked, so we are safe" is no longer an argument.
10. Management responsibility & governance
The executive management is responsible. Not IT. The C-suite. Executive management must approve and oversee cybersecurity measures, provide regular reporting, own the budget, and accept personal liability in cases of gross negligence.
In the past, management could say "IT issue, take care of it." Not anymore. NIS2 makes cybersecurity a top-level responsibility.
More on this: CISO-as-a-Service — Leadership in cybersecurity
The NIS2 implementation roadmap
You now know what NIS2 wants. How do you implement it without spending the next two years doing nothing else?
Phase 1: Gap analysis (4-6 weeks)
Scope definition, document the current state, map against NIS2 requirements, identify gaps, assess risk. Output: gap analysis report with prioritized action areas.
Most companies are at 40-60% compliance. That is normal. No one starts at zero. But no one is NIS2-compliant by accident, either.
Phase 2: Roadmap & prioritization (2-3 weeks)
Identify quick wins, medium- and long-term planning, clarify resources and budget, prioritize risks, secure executive buy-in. Output: 12-18 month roadmap with milestones.
NIS2 compliance is not a 3-month project. Expect 12-18 months for full implementation. But after 3-6 months, you should have closed the most critical gaps.
Phase 3: Implementation (6-12 months)
Months 1-3: Quick wins — enable MFA, create an incident response plan, set up basic monitoring, critical patches, initial training.
Months 4-6: Core security — network segmentation, PAM, backup recovery testing, supply chain assessment of the top 10 suppliers.
Months 7-12: Advanced & governance — Zero Trust architecture, penetration tests, business continuity plans, governance framework, management reporting.
NIS2 requires "appropriate" measures. That means risk-based, proportionate. Small companies do not need the same measures as large corporations, but they need the right ones.
Phase 4: Documentation (ongoing)
Risk analyses, security policies, incident response plans, training records, audit reports, management reviews, supplier assessments.
"If it is not documented, it did not happen" — that is true in audits.
Phase 5: Testing & continuous improvement
Quarterly: vulnerability scans, access reviews, policy updates
Semi-annually: security awareness training, backup recovery tests
Annually: penetration tests, risk analysis update, management review
NIS2 compliance is not a project; it is a program. The question is not "When are we compliant?" but "How do we stay compliant?"
The most common mistakes in NIS2 implementation
Mistake 1: Treating NIS2 as a purely IT project
"IT, take care of NIS2" — and IT tries to handle it alone. NIS2 is a business risk management issue. It requires executive management, legal, HR, procurement, and all business units. Solution: cross-functional NIS2 project team with an executive sponsor.
Mistake 2: Underestimating documentation
"We are already doing everything anyway, we just need to write it down." This "just writing it down" becomes a 6-month project. Because you realize you are not doing many things consistently after all. Plan for documentation from the start.
Mistake 3: Ignoring supply chain security
"We will focus on our own systems first. Suppliers can come later." Later never comes. Identify the top 10-20 critical suppliers and address them early.
Mistake 4: Waiting too long
"NIS2 might apply to us, but Switzerland is not in the EU, so we have time." Your EU customers and partners are not waiting. Contracts already include NIS2 clauses. RFPs require compliance evidence. Start now.
Mistake 5: Striving for perfection instead of pragmatism
The most critical 20% of measures close 80% of the risks. Take a risk-based approach. NIS2 requires "appropriate" — not "perfect".
What happens in case of non-compliance?
For essential entities: Up to 10 million euros or 2% of global annual revenue, whichever is higher.
For important entities: Up to 7 million euros or 1.4% of global annual revenue, whichever is higher.
Personal liability: Executive management can be held personally liable in cases of gross negligence.
For Swiss companies, there are currently no direct penalties from EU authorities. But: EU partners can terminate contracts, reputational damage, Swiss regulation is coming, and there can be civil liability in the event of data breaches.
The business case for compliance
1. Risk reduction: The measures genuinely make you safer. Also see: The real cost of being unprepared for ransomware
2. Competitive advantage: "We are NIS2-compliant" will become a selling point, especially with large, regulated customers.
3. Insurability: Cyber insurers increasingly require minimum standards.
4. M&A readiness: Due diligence in acquisitions looks at cybersecurity.
5. Foundation for growth: Solid security foundations enable faster, secure growth into new markets.
How we help with NIS2 implementation
Over the last few months, we have conducted NIS2 assessments and roadmaps with dozens of companies. From SMEs to large corporations. Across regulated and unregulated industries.
Our approach is assessment-first. We do not start with "Here is what you need." We start with "Where do you stand today?"
Step 1: Scope & applicability assessment — Are you affected at all? Which systems, processes, and data are relevant? Essential or Important Entity?
Step 2: Gap analysis — Document the current state, map against NIS2 requirements, identify and prioritize gaps.
Step 3: Roadmap & business case — Implementation planning, budget and resources, presentation for executive management.
Step 4: Implementation support — Project management, technical implementation or coordination with your teams and partners, documentation and testing.
Our job is to structure the process, identify the gaps, guide you through the complexity, and make sure that in the end you are not only compliant, but actually more secure.
Next steps
Step 1: Clarify whether you are affected (1-2 hours)
Use the self-assessment checklist above. If it is unclear: better safe than sorry, and conduct an assessment.
Step 2: Initial gap analysis (internal, 1-2 weeks)
List the 10 NIS2 requirements
Rate where you stand on a scale of 1-10
Identify the top 5 gaps
Estimate budget and effort roughly
Step 3: Inform stakeholders and secure buy-in
NIS2 is a management responsibility. Inform executive management early. "Personal liability" is a strong argument for budget and attention.
Step 4: Professional assessment (recommended)
An external gap analysis costs 4-8 weeks and a few tens of thousands of francs. In return, you get: an objective assessment without blind spots, benchmarking, a prioritized roadmap, a business case for executive management, and the foundation for compliance evidence.
Step 5: Start, do not wait
The companies that start now have an advantage: they can proceed calmly and in a structured way. The companies that wait until the first EU customer demands NIS2 compliance in the contract are under time pressure and make mistakes.
You do not have to be perfect. But you do have to start.