Switzerland does not yet have a law specifically governing the cybersecurity of digital products. That is about to change. On 23 April 2026, the Federal Council announced that it has mandated three federal departments — the Federal Department of Defence, Civil Protection and Sport (DDPS), the Federal Department of the Environment, Transport, Energy and Communications (DETEC), and the Federal Department of Economic Affairs, Education and Research (EAER) — to jointly develop a draft law on the cybersecurity of digital products, to be submitted for consultation by autumn 2026. The law is explicitly designed to align with the EU Cyber Resilience Act. Swiss companies have a narrow window to prepare before the draft is public and the compliance clock starts running.
The Federal Council Announcement: What Is Actually Decided
The Federal Council's press release is a mandate to draft, not a law. What has been decided is the direction: Switzerland will legislate minimum cybersecurity standards for products with digital elements. Mandating three departments at once signals that the law is intended to have a broad scope — defence and national security dimensions (DDPS), digital infrastructure and telecommunications products (DETEC), and the economic and trade implications for Swiss industry (EAER). The involvement of EAER in particular indicates that import and market access dimensions are being treated as central to the design from the outset, not as secondary considerations.
The autumn 2026 target for a consultation draft is ambitious. It gives affected companies a rough timeline: the public consultation will likely begin in October or November 2026, a parliamentary process will follow, and the law could enter into force as early as 2028, depending on the pace of deliberation. Companies that wait for the final text before beginning preparation will have missed the practical window to influence the design and the opportunity to make structural changes at lower cost.
What the Law Will Require: Anticipated Provisions Based on EU CRA Alignment
Because the Federal Council has explicitly framed the law as aligned with the EU Cyber Resilience Act, the CRA provides the most reliable template for understanding what Swiss law will likely require. The CRA's core obligations — and therefore the probable shape of Swiss requirements — fall into five categories.
Minimum security standards at the design and development stage. Products with digital elements must be designed and developed with security as a baseline requirement, not as an add-on. This means security must be built into the product architecture from the initial design phase. For software products, this includes requirements around input validation, authentication, access control, and encryption of sensitive data in transit and at rest. Vendors cannot ship products with known exploitable vulnerabilities and rely on post-market patches as the primary security mechanism.
Lifecycle security obligations. Manufacturers must provide security updates for the expected useful life of the product, or for a defined minimum support period. The CRA sets a five-year minimum support period for most product categories. Swiss law is expected to adopt a similar or identical threshold. This has significant implications for vendors who currently use planned obsolescence as a mechanism for upgrading their installed base: under this framework, ceasing security support within the mandatory period without providing a migration path to a supported product is a compliance failure, not a business decision.
Vulnerability disclosure requirements. Manufacturers must establish and maintain a vulnerability disclosure policy, including a channel for third-party researchers to report discovered vulnerabilities. Actively exploited vulnerabilities and significant security incidents must be reported to the relevant national authority — in Switzerland, this will be the NCSC — within defined timeframes. The CRA requires notification of actively exploited vulnerabilities within 24 hours of discovery by the manufacturer. Swiss law is likely to adopt a comparable requirement. Organisations that currently handle vulnerability reports through informal processes or that have no formal disclosure policy are out of step with the direction of travel.
Market surveillance and conformity assessment. Products will be required to demonstrate conformity with the applicable security requirements before being placed on the market. For lower-risk product categories, this may be achievable through self-assessment and declaration of conformity. For higher-risk categories — the CRA defines "important" and "critical" product classes — third-party conformity assessment by an accredited body will be required. Swiss law will need to establish or designate the conformity assessment infrastructure, which does not currently exist for this purpose in Switzerland.
Import restrictions and market exclusion powers. The most significant enforcement mechanism in the CRA — and expected in Swiss law — is the power to ban non-compliant products from the market and to require importers to withdraw or recall products that do not meet requirements. For Swiss importers bringing connected products from non-EU, non-Swiss manufacturers into the Swiss market, this creates direct liability for compliance with requirements that the original manufacturer may have no obligation to meet in their home jurisdiction.
The EU CRA Alignment and the September 2026 Deadline
The EU Cyber Resilience Act's first binding reporting obligations enter into force in September 2026 — specifically, the requirement for manufacturers to notify ENISA of actively exploited vulnerabilities within 24 hours. Swiss companies selling connected products into the EU market are already subject to this requirement as a condition of EU market access, regardless of Swiss domestic law. The Federal Council's timing is therefore not accidental: aligning a Swiss law with the CRA creates a single compliance framework for Swiss companies operating in both markets, rather than two parallel regimes.
Swiss companies that have not yet assessed their obligations under the EU CRA should treat the September 2026 reporting deadline as an immediate priority, independently of the Swiss law development process. Non-compliance with CRA reporting requirements is an EU market access issue, not a future Swiss regulatory risk.
Who Is Affected in Switzerland
The scope of the anticipated law covers three primary categories of actors. Manufacturers of products with digital elements — hardware with network connectivity, software products, and systems combining both — face the full set of obligations: design standards, lifecycle support, vulnerability disclosure, and conformity assessment. This includes Swiss hardware manufacturers, IoT device producers, industrial control system vendors, and enterprise software companies.
Importers — companies that bring products manufactured outside Switzerland into the Swiss market — bear responsibility for ensuring that the products they import meet Swiss requirements. This is not a theoretical liability: it means that a Swiss distributor of a Chinese IoT device or a US industrial sensor that does not meet Swiss cybersecurity standards is personally responsible for the non-compliance of that product in the Swiss market.
Software vendors, including those who distribute software through online channels without a physical product, fall within scope for the software-as-a-product provisions. Software sold under a commercial licence — as distinct from open-source software provided free of charge — is within scope. SaaS products delivered as a service rather than installed on customer infrastructure occupy a more ambiguous position; the CRA has a specific carve-out for SaaS, and Swiss law is expected to follow the same demarcation.
What Companies Should Do Before the Draft Is Published
The period between now and the autumn 2026 consultation draft is the highest-value window for preparation. Three actions are immediately productive. First, conduct a scoping assessment: identify which of your products fall within the anticipated scope (products with digital elements, sold commercially, with network connectivity or data processing capabilities). Second, review your current security development lifecycle, vulnerability disclosure policy, and product support commitments against the CRA requirements. The gaps you identify now are the gaps the Swiss law will require you to close. Third, if you sell into the EU market and have not yet assessed CRA obligations, do so before September 2026 — the CRA reporting deadline is live, not pending.
Key Takeaway
Switzerland's cyber products law is in active development, not distant deliberation. The autumn 2026 consultation draft will set the framework that Swiss manufacturers, importers, and software vendors will operate under for the next decade. The law will require minimum security-by-design standards, lifecycle support obligations, mandatory vulnerability disclosure, conformity assessment, and import controls — all aligned with the EU Cyber Resilience Act. Companies selling into the EU market are already subject to CRA reporting obligations from September 2026. The time to conduct a scoping assessment, identify gaps in your security development lifecycle, and review your vulnerability disclosure policy is now — before the draft sets the terms and before your competitors have built the compliance capacity you are still designing.