By 2026, cyber compliance in Europe will stop being “nice to have” and become a board-level obligation. The EU’s NIS2 Directive and Switzerland’s emerging cyber-resilience regime—often referred to in practice as the “Swiss Cyber Act”—together create a new baseline for how groups must govern security, report incidents, and control their supply chains.
This shift is driven by a hard reality. Ransomware and supply-chain attacks in Europe have hit record levels. Europe now accounts for roughly a fifth of global ransomware victims, with thousands of European companies listed on extortion leak sites in recent years.
In Switzerland alone, cyber incidents reported to authorities have climbed into the tens of thousands annually, with double-digit percentage growth year-on-year.
Why cyber governance is becoming mandatory
Regulators are no longer satisfied with “best-effort IT security.” They now expect structured, provable governance that can withstand scrutiny after a major incident. Here are the reasons:
- Ransomware and availability attacks are now systemic risks.
European airports, hospitals, and logistics hubs have all experienced operational disruption triggered by a single compromised supplier. In 2025, for example, a cyberattack on a major aviation IT provider temporarily disrupted check-in and baggage systems across multiple European airports. One weak link cascaded into a multi-country operational crisis.
- Supply-chain attacks are no longer edge cases.
A recent breach at a global procurement provider serving UBS exposed data on more than 130,000 staff, including senior management. The bank itself was not directly hacked—its supplier was. Both NIS2 and the Swiss cyber regime directly respond to this pattern by imposing explicit duties on how companies select, contract, and monitor vendors.
At the same time, recent global surveys show that roughly 70% of organisations report an increase in cyberattack frequency in the last year alone, and many also report rising severity. Regulators increasingly interpret this not as bad luck, but as a failure of governance and controls.
NIS2 requirements that apply to Swiss and EU groups
NIS2 applies to “essential” and “important” entities in key sectors across the EU. It also affects Swiss-based groups with EU operations or a critical role in EU supply chains.
Board accountability
NIS2 explicitly assigns responsibility to the management body. Boards must approve cybersecurity risk-management measures and can be held liable for non-compliance. They must also receive regular training and ensure the same for relevant executives. Cyber risk now becomes a standing board agenda item, not an annual compliance slide.
Incident reporting timelines
NIS2 replaces informal breach handling with a formal, time-bound regulatory escalation sequence:
- First 24 hours — Early warning. A short regulatory alert that a potentially significant incident has occurred. At this stage, facts may still be incomplete, but regulators must already be informed.
- By 72 hours — Incident notification. A structured submission that includes the initial impact assessment, known indicators of compromise, and early mitigation actions.
- One-month mark — Final report. A full technical and operational breakdown covering root cause, confirmed business impact, remediation measures, and any cross-border effects. If the incident is still active at this point, a formal progress report is required instead.
This model imposes a fundamental operational shift. Organisations must be capable of real-time detection, legal classification, executive escalation, and regulator communication, all driven by predefined response playbooks.
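The escalation sequence above is easiest to keep under control when the playbook tracks each regulatory clock from the moment of detection. The following Python deadline tracker is an added example, not code from the original article or from SIGTAX; the 30-day reading of the one-month mark and the sample timestamps are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Regulatory clocks as laid out in the text: 24 h early warning, 72 h incident
# notification, one-month final report (progress report if still active). The
# one-month mark is modelled as 30 days after the 72-hour notification deadline;
# that reading is an assumption of this example, not a legal interpretation.
DEADLINES = (
    ("early_warning", timedelta(hours=24)),
    ("incident_notification", timedelta(hours=72)),
    ("final_report", timedelta(hours=72) + timedelta(days=30)),
)

@dataclass
class Obligation:
    name: str       # which submission this row tracks
    due: datetime   # hard deadline, computed from the detection timestamp
    status: str     # submitted / submitted_late / overdue / due_in_<n>h

def schedule(detected_at: datetime) -> dict:
    """Map each submission name to its deadline relative to detection."""
    return {name: detected_at + delta for name, delta in DEADLINES}

def reporting_status(detected_at, now, submitted, incident_active=False):
    """Evaluate every NIS2 submission against the current time.
    submitted maps a submission name to the datetime it actually went out;
    an incident still open at the one-month mark needs a progress report
    instead of the final report, so that row is relabelled."""
    rows = []
    for name, due in schedule(detected_at).items():
        label = "progress_report" if name == "final_report" and incident_active else name
        sent = submitted.get(name)
        if sent is not None:
            status = "submitted" if sent <= due else "submitted_late"
        elif now > due:
            status = "overdue"
        else:
            status = f"due_in_{int((due - now).total_seconds() // 3600)}h"
        rows.append(Obligation(label, due, status))
    return rows

def overdue(rows):
    """Names of submissions whose deadline passed with nothing filed."""
    return [r.name for r in rows if r.status == "overdue"]

# Constructed sample: detection on 2 March 2026 09:15 UTC, early warning filed
# after 20 hours, status checked 80 hours after detection (notification overdue).
SAMPLE_DETECTED = datetime(2026, 3, 2, 9, 15, tzinfo=timezone.utc)
SAMPLE_SUBMITTED = {"early_warning": SAMPLE_DETECTED + timedelta(hours=20)}
SAMPLE_NOW = SAMPLE_DETECTED + timedelta(hours=80)
```

Running `reporting_status(SAMPLE_DETECTED, SAMPLE_NOW, SAMPLE_SUBMITTED, incident_active=True)` shows the early warning filed on time, the 72-hour notification already overdue, and the one-month row relabelled as a progress report.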
Risk-management controls
NIS2 defines a minimum control baseline that must be implemented and maintained, including:
- Incident handling and business continuity.
- Supply-chain and vendor security.
- Encryption, access control, and multi-factor authentication.
- Testing, audits, and cybersecurity training.
These controls must be documented, operational, and continuously reviewed. Informal or reactive security practices will not meet regulatory expectations.
Supply-chain compliance
Entities must assess and manage cyber risk across their supply chain, especially for critical ICT providers. After high-profile supplier-driven breaches in banking, aviation, and government, regulators now expect formal vendor-risk frameworks supported by contracts and continuous monitoring, not trust alone.
Swiss Cyber Act: What changes in 2026
Switzerland is moving in parallel with the EU, though via its own legislative instruments rather than a direct NIS2 transposition. The term “Swiss Cyber Act” is widely used to describe this emerging Swiss cyber-resilience regime, even though the final legal package will be shaped through several statutes and ordinances.
Mandatory reporting
From 2025, operators of critical infrastructure in Switzerland are required to report significant cyberattacks to the federal cybersecurity office within 24 hours of discovery under the Information Security Act framework. Over time, the planned cyber-resilience legislation is expected to extend this reporting logic to additional categories of companies.
Sector-specific security standards
Swiss regulators such as FINMA already supervise banks and insurers on cyber risk and have logged a growing number of serious incidents in recent years, most of them in financial services. Future cyber-resilience legislation is expected to formalise minimum security baselines for key sectors such as finance, energy, telecoms, and transport, largely mirroring the philosophy of NIS2.
Certification requirements
Switzerland is aligning with European trends embodied in the EU Cyber Resilience Act: security by design, mandatory updates, coordinated vulnerability handling, and conformity assessments for critical digital products and services. Over time, recognised certifications and attestations will increasingly form part of regulatory supervision and customer due diligence expectations.
For Swiss–EU groups, the message is clear: align Swiss and EU security regimes now rather than treating them as separate compliance projects.
High-risk sectors affected the most
While all mid- to large-scale organisations are impacted, several sectors face disproportionate exposure:
- Financial services. Banks and financial institutions remain top cyber targets in Europe. With NIS2, DORA, and Swiss FINMA supervision converging, cyber-resilience now sits alongside capital adequacy and risk management as a core prudential obligation.
- Healthcare. Hospitals and pharmaceutical companies are frequent ransomware victims, sometimes forced to suspend operations or delay critical care. NIS2 explicitly classifies much of the healthcare sector as “essential.”
- Industrial and manufacturing firms. Manufacturing has become one of the most targeted ransomware sectors in Europe, with production downtime used directly as leverage in extortion campaigns.
- Digital service providers. Cloud platforms, managed service providers, telecom operators, and large SaaS vendors increasingly sit at the centre of systemic cyber risk. Their outages or breaches cascade across client ecosystems.
Governance & technical controls companies must implement
By 2026, regulators will expect the following controls not only to exist, but to be embedded, tested, and auditable across the group.
Risk assessments
Annual, or more frequent, cyber risk assessments aligned with recognised frameworks such as ISO 27001 or NIST. These must cover:
- Critical systems and data assets.
- Business-impact analysis for outages and data compromise.
- Third-party and cross-border exposure.
Incident response
Documented incident response frameworks with:
- Clear roles and escalation paths from SOC to the board.
- Playbooks for ransomware, supplier compromise, and data exfiltration.
- Table-top simulations at least once per year.
Without rehearsed escalation paths and pre-approved communication protocols, meeting NIS2’s 24- and 72-hour reporting thresholds is unrealistic.
Vendor compliance mapping
A structured vendor-risk lifecycle must include:
- Security due diligence before onboarding.
- Contractual security, audit, and reporting clauses.
- Technical controls such as segmentation and least-privilege access.
- Continuous monitoring of high-risk suppliers.
After recent supplier-driven incidents in banking and aviation, regulators expect companies to know exactly which vendors can disable operations and how that risk is controlled.
Cyber-insurance alignment
Cyber insurance does not replace regulatory compliance. Insurers increasingly require specific security controls and strict reporting timelines. Misalignment between internal controls and insurance conditions regularly leads to coverage disputes after major incidents.
How SIGTAX helps
For Swiss and EU groups, the real challenge is not buying more security tools. It is aligning structure, governance, and regulation across all operating entities. That is where SIGTAX creates value.
- Cyber compliance advisory. SIGTAX helps boards and leadership teams interpret how NIS2, Swiss cyber law, and sector-specific regulation apply to their structure, risk profile, and regulatory exposure.
- Governance framework alignment. We support the design of group-wide cyber-governance frameworks by aligning ownership, escalation paths, documentation, and training responsibilities with regulatory expectations.
- Group-level cyber structure integration. SIGTAX aligns holding, service, and operational entities so that cyber-compliance responsibility, liability allocation, and regulatory accountability are legally defensible across the group.
- Cross-border regulatory mapping. We map your operations against NIS2, Swiss obligations, GDPR, DORA, and the Cyber Resilience Act, replacing fragmented compliance with a unified, future-proof structure.
Final word
In 2026, cyber risk becomes a structural governance issue, not just an IT problem. Companies that treat NIS2 and Switzerland’s cyber-resilience regime as an opportunity to professionalise control, rather than a regulatory burden, will be the ones that retain the trust of regulators, investors, and customers when the next major cyber crisis hits.