Federal Council to strengthen cyber resilience of digital products

20.08.2025 - Although preventing security vulnerabilities is crucial for cybersecurity, Switzerland currently has few regulations regarding the cyber resilience of digital products. The Federal Council aims to change this. At its meeting on 20 August, it tasked the DDPS, in collaboration with DETEC and the EAER, with drafting a bill to be submitted for consultation. This new legislation will raise security requirements for products containing digital components, responding to the demands of Motion 24.3810, "Conducting urgently needed cybersecurity checks", which was submitted by the Security Policy Committee of the Council of States.

Security flaws in software or hardware provide entry points for cyberattacks. If attackers discover such a vulnerability, they can infiltrate numerous systems in a short amount of time. Since many products are digitally interconnected, this can lead to significant physical or financial damage. In the case of products used in critical infrastructure, vulnerabilities can even threaten national security. Despite the importance of preventing or quickly addressing such vulnerabilities, Switzerland currently lacks clear cyber resilience requirements for digital products.

The absence of such security requirements has been raised in Parliament several times. With Motion 24.3810 submitted by the Security Policy Committee of the Council of States, Parliament has instructed the Federal Council to address this issue.

Following discussions, the Federal Council has tasked the National Cyber Security Centre (NCSC), in collaboration with the Federal Office of Communications (OFCOM) and the State Secretariat for Economic Affairs (SECO), with drafting a corresponding bill to be submitted for consultation by autumn 2026. This new legislation will set out cybersecurity requirements for the development and commercialisation of products with digital components, establish rules for market surveillance of these products, and lay the groundwork for banning the import and sale of insecure devices.

The new legislation will take into account the international context, including the European Union's Cyber Resilience Act (CRA), which came into force on 11 December 2024. The goal is to create legislation that is tailored to Switzerland's economic landscape, while ensuring that the administrative burden on companies is kept to a minimum and Swiss companies operating internationally are not burdened by conflicting requirements.