Switzerland has long been synonymous with a stable financial system and rigorous regulatory oversight. Although the country is not a member of the European Union, its close economic ties to the EU mean that major legislative shifts—like the Digital Operational Resilience Act (DORA)—often resonate in Swiss boardrooms.
This post explores how Switzerland is responding to DORA, whether the Swiss approach differs from how EU member states adopt the regulation, and what existing Swiss frameworks already parallel DORA’s objectives. I’ll also provide a brief list of auditing firms in Switzerland that can assist businesses in aligning their operational resilience practices with DORA-like standards.
Switzerland and DORA: why it matters
DORA is designed to unify and strengthen rules around ICT risk management, incident reporting, and third-party oversight within the EU financial sector. Even though Switzerland is not bound by EU law, many Swiss financial institutions operate cross-border or serve EU clients. As a result, these organizations may need to meet DORA requirements when conducting business in EU jurisdictions. Conversely, Swiss regulators and policymakers often track EU developments closely, especially when they could affect Switzerland’s competitiveness or financial stability.
For non-EU Swiss entities with minimal or no EU exposure, DORA might appear less directly relevant. However, global cybersecurity expectations and client demands for strong digital controls mean that DORA’s influence may still be felt, particularly if partners or counterparties in the EU require compliance as a contractual condition.
Is the Swiss approach different from EU member states?
Whereas EU member states must transpose DORA into local legislation or apply it directly (since it’s an EU regulation), Switzerland typically assesses each significant EU measure on its own terms. Swiss authorities, led by the Swiss Financial Market Supervisory Authority (FINMA), maintain their own regulatory frameworks. They often issue guidelines mirroring aspects of EU laws, either to support cross-border compatibility or to maintain Switzerland’s reputation for robust financial governance.
Thus, unlike an EU member state, Switzerland isn’t legally required to adopt DORA. Instead, Swiss financial institutions operating in EU markets must ensure they meet DORA obligations in those jurisdictions. Over time, FINMA may integrate parts of DORA’s best practices into its circulars or guidelines if it sees value for the Swiss financial center. This selective alignment is typical of Switzerland’s approach to EU regulations—it aims for international compatibility while preserving its regulatory autonomy.
Existing Swiss regulations and parallels to DORA
Switzerland already has substantial rules on cybersecurity and operational resilience that, in some ways, echo DORA’s objectives. Below is an overview of key frameworks:
| Swiss regulation or measure | Focus area | How it aligns with DORA |
|---|---|---|
| FINMA Circulars (e.g., 08/21 on operational risks, 18/3 on outsourcing) | Detail risk management, incident handling, and vendor oversight for banks and insurers | Parallel DORA’s emphasis on ICT governance, structured due diligence of third-party providers, and robust incident reporting |
| Swiss Federal Act on Data Protection (FADP) | Governs data privacy, breach notification (in its updated form), and processing standards | Reinforces DORA-like requirements for safeguarding sensitive data and reporting cybersecurity incidents |
| National Cyber Strategy (NCS) | Outlines Switzerland’s broader approach to cyber threats, including collaboration between government and critical industries | Complements DORA’s aim of improving overall cyber resilience and coordinated incident responses |
The Swiss approach is principles-based, giving institutions latitude in how they meet regulatory goals. DORA, by contrast, is more prescriptive on incident reporting timeframes and standardized risk frameworks. As EU-regulated entities adapt to these specifics, Swiss firms with cross-border operations may need to follow suit to ensure consistent compliance across all markets.
Impact on industries beyond finance
While DORA primarily targets financial institutions, any business that provides essential IT services to those institutions may be required—by contract or client demand—to demonstrate DORA-level controls. In Switzerland, this could include a range of industries:
- Cloud service providers offering data hosting for Swiss or EU-based banks
- Fintech startups partnering with EU-insured entities
- Consulting and IT security firms supporting cross-border risk management
Even non-financial Swiss firms may find themselves subject to DORA-related requirements through vendor agreements or partnership structures. Over time, if Swiss regulators choose to incorporate certain DORA principles, the reach of these operational standards could expand further within Switzerland’s digital economy.
List of DORA auditors in Switzerland
DORA itself does not publish a list of approved auditors, but Swiss companies seeking to align with DORA-like requirements or support EU operations can turn to several local and international firms with a strong Swiss presence. Below is a snapshot of potential audit and consulting partners:
| Firm | Primary expertise | Additional notes |
|---|---|---|
| Deloitte Switzerland | Cyber risk management, operational resilience, compliance audits | Global network with a dedicated Swiss practice familiar with local & EU regulations |
| KPMG Switzerland | IT governance, risk assessments, financial services audits | Extensive track record serving Swiss banks and insurers |
| PwC Switzerland | Cybersecurity, data protection, governance, risk & compliance | Offers specialized guidance for multinational cross-border operations |
| EY Switzerland | IT audits, regulatory alignment, digital transformation | Combines global reach with Swiss-specific regulatory knowledge |
| BDO Switzerland | Internal controls, operational risk, SME & mid-market advisory | Known for practical, cost-effective solutions |
| InfoGuard | Swiss-based cybersecurity consultancy and managed security services | Specializes in technical audits, incident response, and compliance support |
When selecting an auditor, Swiss organizations should confirm the firm’s familiarity with both Swiss regulations and EU directives. That combination of knowledge will help ensure compliance across different legal environments, particularly for institutions straddling Swiss and EU markets.
Forging a resilient future
For Switzerland, DORA highlights the interconnected nature of the global financial system. Even without formal EU membership, Swiss institutions and their IT partners often operate in an environment shaped by EU standards. By proactively addressing DORA’s key pillars—ICT governance, standardized incident reporting, and oversight of third-party vendors—Swiss businesses can bolster their reputation for reliability and security on the international stage. In a rapidly digitizing world, aligning with emerging EU norms helps maintain Switzerland’s status as a premier, future-focused financial center.