On 20 August 2025, the Swiss Federal Council instructed BACS, OFCOM, and SECO to prepare a consultation draft on the cyber resilience of digital products by autumn 2026. In parallel, Swiss manufacturers exporting to the EU face hard reporting obligations under the European Cyber Resilience Act starting 11 September 2026. An assessment of who is affected when – and what companies cannot afford to postpone.
The Most Important Clarification First
Many Swiss manufacturers of digital products operate under a mistaken assumption: that the Cyber Resilience Act is an EU law that does not concern Switzerland. This is incorrect in two ways. First, the EU CRA has applied to every Swiss manufacturer exporting products with digital elements to the EU since 11 December 2024 – regardless of company location. Second, the Federal Council has been working since August 2025 on its own Swiss legislation, which will substantively follow the EU CRA and likely create obligations for the Swiss domestic market from 2027 or 2028.
For Swiss companies this means: the question is not whether regulatory action is required, but which deadlines apply first – European or Swiss. For most manufacturers with EU business, the answer is clear: the European ones.
What the EU CRA Has Required Since December 2024
The European Cyber Resilience Act entered into force on 11 December 2024. It applies to “products with digital elements” – a deliberately broad definition covering hardware and software, provided they have a direct or indirect logical or physical connection to a device or network. Specifically, this includes smart home devices, industrial controls, routers, networked medical devices, software libraries, operating systems, and cloud services with device connections.
The core obligations are demanding. Manufacturers must integrate cybersecurity “by design” into development processes, ensure vulnerability handling across the entire product lifecycle, and create technical documentation and declarations of conformity. For Class I or Class II products, they must additionally undergo conformity assessment by an accredited body.
Sanctions for violations are substantial: fines up to 15 million euros or 2.5 percent of worldwide annual turnover, whichever is higher. For comparison: Swiss Information Security Act (ISG) sanctions reach a maximum of CHF 100’000. The gap in regulatory firepower between Bern and Brussels is even greater for digital products than it is for NIS2 and ISG.
The Critical EU Deadlines for Swiss Manufacturers
The CRA provides for staggered implementation that Swiss companies should track carefully.
11 September 2026: Reporting obligations for exploited vulnerabilities and severe security incidents take effect. Manufacturers must report actively exploited vulnerabilities within 24 hours to the competent authority and ENISA. This deadline falls 21 months after the CRA’s entry into force and marks the first hard compliance milestone.
11 December 2027: Full applicability of all CRA requirements. From this date, only products fully compliant with CRA requirements may be placed on the EU market, including CE marking and documented conformity assessment.
For Swiss manufacturers shipping to the EU, the September 2026 deadline is particularly time-critical. Those without functional processes for vulnerability detection, assessment, and reporting by then face not only fines but also reputational damage with EU customers, who increasingly demand CRA compliance from their suppliers.
The Swiss Draft: Status and Timeline
Triggered by Motion 24.3810 “Implementation of Urgently Needed Cybersecurity Checks” of the Council of States Security Policy Committee, the Federal Council issued a concrete mandate on 20 August 2025. The Federal Office for Cybersecurity (BACS), in cooperation with the Federal Office of Communications (OFCOM) and the State Secretariat for Economic Affairs (SECO), is leading the development of a consultation draft by autumn 2026.
The substantive direction is already sketched: the new legislation will establish security requirements for products with digital elements, regulate market surveillance, and create the basis for import and distribution bans on unsafe devices. The Federal Council emphasises that the work will follow the international context and keep administrative burden on companies “as low as possible.” According to BACS, the legislation should also ensure that “internationally active Swiss companies do not experience additional burdens from diverging requirements in other countries” (Federal Council press release, 20 August 2025).
Realistic timeline: after the consultation in autumn 2026, parliamentary deliberation typically takes 12 to 24 months. The Swiss law is therefore expected to enter into force no earlier than early 2028, more likely 2029.
Who Is Affected in Switzerland
Affected parties fall into three groups with different degrees of urgency.
Group 1: Swiss manufacturers with EU exports. These companies are already subject to the EU CRA, regardless of Swiss legislation. Relevant sectors include medical devices, industrial control systems, IoT device manufacturers, software providers with EU customers, automotive suppliers, and manufacturers of networked consumer goods. For them, the EU deadlines (September 2026, December 2027) are the operationally relevant ones.
Group 2: Swiss manufacturers without EU exports but with supply relationships to EU-exporting companies. These companies are not themselves formally subject to the CRA but increasingly face compliance requirements from their customers, who are themselves CRA-obligated. The supply chain effect is real and already operationally tangible.
Group 3: Swiss manufacturers focused purely on the domestic market. This group currently faces the least pressure but will incur obligations from the future Swiss CRA equivalent starting 2028 or 2029. Those developing products today exclusively for the Swiss market have approximately three years to prepare.
The categorisation is not static. Many Swiss SMEs sell primarily to Swiss customers but supply larger clients who export to the EU. They effectively belong to Group 2 with corresponding near-term pressure to act.
The Critical Distinction: Product Regulation vs. Operator Regulation
The CRA marks a regulatory paradigm shift often overlooked in the discussion. Previous cyber regulations like the Information Security Act or NIS2 target operators of infrastructure and services. The CRA, by contrast, regulates the product itself. This has far-reaching consequences.
For manufacturers, this shift means they are for the first time legally responsible for what happens to their products after delivery. Security-by-design moves from best practice to legal obligation. Vulnerability management across the entire product lifecycle becomes mandatory. Unsafe products can no longer be placed on the market – with market surveillance authorities empowered to actively withdraw unsafe products.
For Swiss companies that have treated cybersecurity as an operational risk topic, this is a strategic turning point. Cyber resilience becomes a product liability matter, comparable to product safety in the traditional sense. Responsibility shifts from operations to product development.
What Swiss Companies Should Do Now
First, conduct a product portfolio analysis. Which products fall under the CRA? Which risk class applies (standard, Class I, or Class II)? Where are the biggest compliance gaps? This inventory is the foundation for all further measures and should be completed in Q2 2026.
Second, build vulnerability management. By September 2026, functional processes for detecting, assessing, and reporting exploited vulnerabilities must be in place. This covers technical infrastructure (bug bounty programmes, security contact addresses), organisational processes (reporting channels to ENISA), and legal frameworks (non-disclosure agreements with security researchers).
Third, establish a Software Bill of Materials (SBOM). The CRA requires full transparency over software components, including open-source dependencies. Without structured SBOM management, compliance is practically unachievable. Tools and processes must be built, particularly for supply chain monitoring.
Fourth, appoint an authorised EU representative. Swiss manufacturers without EU establishment need a legally responsible representative in the EU. This step is often overlooked but is operationally central to CRA conformity.
Fifth, integrate security-by-design into development processes. Those developing new products today that will reach the market in 2027 or later must plan for CRA requirements now. Retrofitting compliance is more expensive than early integration.
Sixth, clarify governance structures. Who in the company owns CRA compliance? The answer is rarely clear. CISO, product management, quality management, legal – all are involved, but operational leadership requires clear accountability.
The Strategic Reading
The Federal Council’s Swiss approach is pragmatic and follows the established pattern: alignment with EU regulation but with Swiss autonomy and a focus on administrative efficiency. This is politically understandable and economically sensible, but it creates a timing gap that is problematic for Swiss manufacturers.
The good news: those building EU CRA compliance now will very likely meet future Swiss requirements as well. The bad news: those waiting for Swiss law will miss the hard EU deadlines in 2026 and 2027 and face substantial economic consequences.
For executive leadership, this requires clear prioritisation. Cyber resilience of digital products is no longer an IT topic but a strategic question with liability, market, and reputational dimensions. Companies acting now will secure a sustainable competitive advantage over those waiting for further regulatory clarity.
Those who understood NIS2 already know the rule: in Switzerland, Brussels regulates too. With the CRA, this rule is even more pronounced because enforcement operates through product market access rather than operator supervision. Waiting is not an option.



