
Swiss KRITIS-G and EU NIS2 Revision: CISO Guide 2026

Switzerland's KRITIS-G and the EU NIS2 targeted revision are advancing on parallel legislative tracks — Swiss critical-infrastructure operators must navigate both simultaneously or risk compliance gaps by 2027.

The EU Commission's January 2026 proposal for targeted NIS2 amendments entered trialogue in spring 2026, with a political agreement target of late 2027. The proposal narrows scope for micro and small enterprises in sectors where their individual market share is minimal, while strengthening supervisory convergence requirements for critical-infrastructure entities across member states. At the same time, Switzerland's KRITIS-G Act — the domestic framework transposing NIS2-equivalent obligations into Swiss law — completed its parliamentary consultation phase and is expected to receive Federal Council approval in H2 2026. The result is a dual-track legislative environment that few Swiss organisations have fully modelled: entities operating in both the Swiss domestic market and the EU single market must satisfy frameworks that are functionally aligned but legally distinct, with different supervisory authorities, different notification procedures, different timelines, and different scope definitions that do not map cleanly onto each other.

What the NIS2 Targeted Revision Changes

The core of the EU Commission's amendment proposal is a recalibration of NIS2's scope. The original directive applied automatically to medium and large enterprises in sixteen critical sectors; the revision introduces a more granular analysis, exempting micro and small enterprises from automatic coverage in sectors where their aggregate market share is below a defined threshold. For Swiss organisations, this is relevant primarily to subsidiaries and branches operating in EU member states: a small Swiss-owned entity operating a minor piece of digital infrastructure in Germany or France may fall out of NIS2 scope under the revision where it was previously covered under the baseline directive.

More consequential for large organisations is the revision's treatment of supervisory convergence. Member state national competent authorities will face stronger harmonisation obligations on how they assess compliance, conduct audits, and calculate penalties — reducing the current patchwork of enforcement intensity across the EU. For Swiss-headquartered groups with subsidiaries in multiple member states, this means the variance in NIS2 enforcement risk that currently exists between, say, a German subsidiary and a Dutch subsidiary will narrow. The Netherlands was among the first member states to publish mandatory NIS2 self-assessment requirements with a June 2026 deadline; that level of enforcement rigour is becoming the expected baseline, not the exception.

The revision also clarifies supply chain obligations. Entities subject to NIS2 must conduct structured due diligence on ICT suppliers and service providers, including assessment of the supplier's own security posture and contractual security requirements. This obligation is largely already present in the baseline directive, but the revision provides more specific guidance on what "appropriate" due diligence looks like — which in practice raises the minimum bar for supplier security questionnaires, audit rights, and contractual provisions.

What Switzerland's KRITIS-G Introduces

KRITIS-G is Switzerland's domestic answer to NIS2. Where the ISA (Informationssicherheitsgesetz) covers federal bodies and operators of critical infrastructure in the context of information technology specifically, KRITIS-G extends a coherent cross-sector mandatory security framework to all operators of critical infrastructure — energy, transport, water supply, digital infrastructure, financial market infrastructure, and healthcare — regardless of whether their core operations are IT-intensive.

The framework's obligations follow the NIS2 pattern: a risk-based minimum security standard, mandatory incident notification to the NCSC/BACS within defined timelines, supply chain risk management, and governance requirements at board level. The Federal Council is expected to set sector-specific thresholds for which entities qualify as critical-infrastructure operators under KRITIS-G, mirroring the NIS2 approach of distinguishing essential from important entities.

For FINMA-supervised entities — banks, insurance companies, securities dealers — KRITIS-G creates a third compliance layer on top of FINMA Circular 2023/1 on operational risks and the ISA reporting obligation. The reporting chains are distinct: FINMA notification for operational risk events, NCSC notification for cyber incidents under the ISA, and NCSC notification for KRITIS-G incidents. While FINMA Supervisory Guidance 03/2024 provides for a combined notification to NCSC that satisfies both the ISA and FINMA requirements simultaneously, the KRITIS-G notification channel has not yet been integrated into this combined procedure.

The Dual-Track Compliance Problem

Swiss organisations with EU operations face an architectural compliance problem that is easy to underestimate until it generates an incident. The instinctive assumption is that NIS2 compliance is harder and more prescriptive, and that achieving it automatically satisfies KRITIS-G. This is wrong in three specific ways.

First, supervisory scope diverges. NIS2 is supervised by member state national competent authorities with jurisdiction over EU-based entities. KRITIS-G is supervised by the NCSC/BACS in Bern with jurisdiction over Swiss-based entities. A Swiss bank headquartered in Zurich with a subsidiary in Frankfurt is subject to the German BSI for the Frankfurt subsidiary's NIS2 obligations and to the NCSC for the Zurich entity's KRITIS-G obligations. These are not the same regulator, and a finding by one does not satisfy the other.

Second, incident notification timelines and content requirements differ in detail. NIS2 imposes a preliminary notification within 24 hours, an intermediate report within 72 hours, and a final report within one month. KRITIS-G and the Swiss ISA impose a 24-hour notification to the NCSC. The content required at each stage differs between the frameworks, and the clock starts running independently in each jurisdiction. A single incident affecting both the Swiss parent and an EU subsidiary may require simultaneous notification to multiple authorities on different content templates.

Third, supply chain due diligence requirements are written with different regulatory reference points. NIS2 references ENISA guidelines and EU-level schemes. KRITIS-G references Swiss national standards and NCSC guidance. An ICT supplier that passes NIS2-compliant due diligence in an EU subsidiary's procurement process has not necessarily been assessed against KRITIS-G requirements for the Swiss parent's procurement.

◆ Key Takeaway

Running KRITIS-G and NIS2 compliance as two sequential programmes — first achieve NIS2 compliance, then retrofit KRITIS-G — is the wrong model. Swiss critical-infrastructure operators should build a unified compliance architecture that satisfies both frameworks from a single evidence set, mapping controls explicitly to both frameworks and accepting additional documentation overhead only where they genuinely diverge. Organisations that treat this as one problem to solve once will absorb future regulatory updates at a fraction of the cost of those running parallel standalone programmes.

  • Conduct an entity-level scope analysis under both KRITIS-G and the NIS2 revision before H2 2026. Determine which legal entities in your group qualify as critical-infrastructure operators under KRITIS-G and which qualify as essential or important entities under NIS2 — and whether the scope matches. Mismatches are common and create unmonitored compliance gaps.
  • Map supervisory authority relationships explicitly. For each entity in scope, document the specific supervisory authority: NCSC/BACS for KRITIS-G; member state NCA for NIS2 (BSI for Germany, ANSSI for France, etc.); FINMA for operational risk reporting where applicable. These contacts and notification procedures should be in your incident response runbooks before an incident occurs.
  • Design incident response runbooks with dual — or triple — notification paths built in. For FINMA-supervised entities, a single incident may require simultaneous notification to FINMA (via the NCSC combined procedure), the NCSC under KRITIS-G, and the EU member state NCA for any affected subsidiary. Test these procedures before they are needed.
  • Align supply chain due diligence to satisfy both frameworks from a single assessment process. Review your ICT supplier questionnaire framework and contract templates to ensure they capture the requirements of both KRITIS-G (NCSC reference framework) and NIS2 (ENISA guidelines, EU cybersecurity certification schemes). A single assessment that satisfies both is achievable — but requires explicit design.
  • Build a unified policy library mapping each security control to both frameworks. Controls that satisfy KRITIS-G's risk-based minimum standard and NIS2's security measure requirements simultaneously can be documented once, with framework-specific annotations where the requirements diverge. This reduces evidence duplication and makes audit preparation manageable.
  • Monitor the NIS2 trialogue closely through 2026–2027. Scope changes in the final text may affect whether EU subsidiaries qualify as essential or important entities, and therefore the level of supervisory scrutiny they face. The political agreement timeline (late 2027) is firm enough to plan against.
  • For FINMA-supervised entities, integrate KRITIS-G into your operational risk framework now. FINMA's operational risk assessments are beginning to reference the broader Swiss regulatory landscape, including KRITIS-G. Entities that have documented their KRITIS-G compliance posture alongside FINMA Circular 2023/1 compliance will be better positioned in the next supervisory assessment cycle.

The convergence of KRITIS-G and NIS2 is not a temporary compliance burden specific to the current legislative moment — it reflects a long-term alignment between Swiss and EU regulatory philosophy on critical infrastructure protection that will deepen over the next decade. Organisations that invest now in compliance architectures designed to absorb multiple overlapping frameworks will spend less on regulatory adaptation in 2028 and 2030 than those managing each framework in isolation. The Swiss regulatory trajectory is toward closer functional alignment with the EU on cybersecurity standards; building modular compliance infrastructure is not just a response to the current NIS2 revision cycle, it is the foundational investment that makes every subsequent regulatory update manageable.