Cross-Border M&A: Cyber Due Diligence in EU-Swiss Transactions

Simone Nogara

October 2025 · 7 min read

EU-Swiss cross-border transactions occupy a distinctive position in European M&A. Switzerland's status as a non-EU member with its own data protection framework, combined with deep European economic integration and unique banking secrecy traditions, demands specialised cyber due diligence approaches. Standard intra-EU methodologies are insufficient.

Swiss companies are attractive targets for European PE firms across financial services, pharmaceuticals, precision engineering, and technology. In either direction, these transactions traverse two distinct but interrelated regulatory regimes. EU-Swiss regulatory alignment is governed by bilateral agreements rather than supranational law, and adequacy frameworks facilitating data flows are subject to periodic review and potential revocation — a risk dimension that must be assessed at transaction time and monitored post-acquisition.

The Swiss Data Protection Landscape: revFADP

The revised Federal Act on Data Protection (revFADP), in force since 1 September 2023, modernised Switzerland's framework largely to maintain the European Commission's adequacy decision. Key provisions relevant to M&A due diligence: mandatory data breach notification to the FDPIC “as quickly as possible” for high-risk breaches (notably without GDPR[1]'s specific 72-hour deadline); data protection impact assessment requirements; strengthened international transfer provisions; and enhanced enforcement including criminal penalties.

Uniquely, the Swiss framework provides for criminal liability of natural persons — individuals who deliberately breach certain obligations face fines up to CHF 250,000. This personal liability dimension goes beyond GDPR's corporate liability framework and creates a distinct risk factor in transactions.

Key assessment areas for Swiss targets: data processing inventory and legal bases, technical and organisational security measures, breach notification procedures and history of notified and unnotified incidents, international transfer mechanisms, and DPIAs for high-risk processing.

The EU-Swiss Adequacy Framework

The European Commission's adequacy decision (originally adopted 2000, maintained under GDPR) enables personal data to flow from the EU to Switzerland without additional transfer mechanisms. This is not permanent — it is subject to periodic review and contingent upon Switzerland maintaining essentially equivalent protection.

While the adequacy decision remains in force, intra-group data flows operate with minimal compliance overhead. The risk: it could be challenged or revoked, given Schrems jurisprudence[2] and evolving CJEU standards. Prudent due diligence should assess the target's reliance on the adequacy decision and evaluate feasibility of alternative data sovereignty mechanisms should it be revoked — considering volume and sensitivity of dependent data flows, plus technical changes required for alternative transfer mechanisms.

Navigating Dual Regulatory Regimes

While revFADP and GDPR share common principles, they diverge in operationally important details. Breach notification: GDPR mandates 72 hours; revFADP requires “as quickly as possible.” DPO requirements: GDPR mandates appointment in certain cases; revFADP makes it voluntary. Enforcement: GDPR penalties are administrative against turnover; revFADP penalties are criminal against individuals. Profiling: GDPR requires explicit consent for profiling with significant effects; revFADP introduces distinct “high-risk profiling” requirements.

Combined entities need either dual compliance frameworks or a harmonised framework satisfying the more stringent requirement in each area. The latter is more efficient but requires careful analysis to avoid conflict between jurisdictions. Due diligence should map the target's existing compliance against both regimes and quantify the effort for dual compliance post-acquisition.

Data Residency Considerations

Swiss financial services companies may face data localisation requirements from FINMA or contractual client obligations. Banking clients may require data to remain within Swiss jurisdiction. Regulatory investigations may require Swiss-territory access. These constraints may conflict with the acquirer's desire to consolidate IT infrastructure.

Due diligence must assess the full data residency landscape: current storage locations, movement constraints, and implications for post-acquisition integration — covering primary stores, backup systems, disaster recovery, and third-party processing arrangements that may involve unanticipated jurisdictions.

Banking Secrecy Implications

Article 47 of the Swiss Banking Act creates criminal liability for disclosure of client information by banks, their employees, agents, and auditors. This obligation survives termination of the banking relationship.

In due diligence, banking secrecy affects the assessment itself — the acquirer cannot access client data repositories directly. Technical advisors must operate under appropriate confidentiality arrangements, providing summarised findings without disclosing protected data. Post-acquisition, banking secrecy constrains IT integration: granting non-Swiss personnel access to Swiss banking client data may violate Article 47. Sovereign cloud migration must ensure Swiss banking data remains inaccessible from non-Swiss jurisdictions. Even routine security operations — monitoring, incident response — must respect these boundaries.

We have encountered post-acquisition situations where IT integration programmes inadvertently created banking secrecy violations by consolidating monitoring infrastructure in ways that gave non-Swiss SOC personnel visibility into Swiss client communications. The consequences are severe for institutions whose clients chose Swiss banking precisely for its secrecy protections.

Practical Due Diligence Approach

Phase 1: Regulatory Mapping

Comprehensive mapping of applicable obligations: Swiss federal and cantonal requirements, EU obligations from processing EU personal data, and sector-specific regulations (FINMA, Swissmedic). This establishes the compliance baseline.

Phase 2: Data Flow Analysis

Detailed analysis of cross-border data flows: all personal data transfers between Swiss and EU entities, legal bases, and technical mechanisms. Capture both documented and undocumented flows that exist in practice.

Phase 3: Technical Security Assessment

Evaluate technical controls against both regulatory regimes, structured to respect banking secrecy obligations. Key areas: encryption and key management, access control architecture, network segmentation between jurisdictional domains, logging and monitoring, and incident response procedures.

Phase 4: Integration Risk Assessment

Assess cybersecurity implications of planned integration: feasibility of IT consolidation given data residency requirements, banking secrecy implications for security operations, and cost and timeline for achieving dual compliance across the combined entity.
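A policy-as-code pass over a Phase 2 inventory, added here as an illustration (not the article's, nor any client's, tooling): it flags the failure modes described above, namely banking client data or SOC visibility leaving Swiss jurisdiction, a cross-border copy with no documented basis, and EU-origin data held in Switzerland solely on the adequacy decision. The inventory, asset names and rules are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed sample inventory for a hypothetical Swiss target (not data from
# the article). Each record is one store or flow from the Phase 2 inventory:
# where the data originates, every jurisdiction holding a copy (primary,
# backup, DR, third-party processors) and where staff with read access sit.
@dataclass
class DataAsset:
    name: str
    category: str              # "banking_client", "hr", "marketing", ...
    origin: str                # jurisdiction of the data subjects ("CH", "EU")
    locations: set             # jurisdictions holding any copy of the data
    accessors: set             # jurisdictions of personnel with read access
    transfer_basis: str        # "adequacy", "scc", "none" or "n/a"

SAMPLE_INVENTORY = [
    DataAsset("core-banking-db", "banking_client", "CH", {"CH"}, {"CH"}, "n/a"),
    # DR replica placed in Frankfurt by the integration programme, no paperwork
    DataAsset("core-banking-backup", "banking_client", "CH", {"CH", "DE"}, {"CH"}, "none"),
    # SIEM fed with mail/chat logs that contain client communications
    DataAsset("siem-logs", "banking_client", "CH", {"CH"}, {"CH", "DE"}, "n/a"),
    DataAsset("eu-crm", "marketing", "EU", {"CH"}, {"CH"}, "adequacy"),
    DataAsset("hr-records", "hr", "CH", {"CH"}, {"CH"}, "n/a"),
]

def check_asset(a):
    """Return the residency / secrecy / transfer findings for one asset."""
    findings = []
    if a.category == "banking_client":
        # Banking Act Art. 47: client data stays in CH, readable only by CH staff
        if a.locations - {"CH"}:
            findings.append(f"banking data stored outside CH: {sorted(a.locations - {'CH'})}")
        if a.accessors - {"CH"}:
            findings.append(f"non-CH personnel can read banking client data: {sorted(a.accessors - {'CH'})}")
    if a.origin == "EU" and "CH" in a.locations and a.transfer_basis == "adequacy":
        # Flow depends entirely on the adequacy decision; needs a fallback (e.g. SCCs)
        findings.append("EU->CH flow relies solely on the adequacy decision")
    if a.locations - {a.origin} and a.transfer_basis == "none":
        findings.append("cross-border copy with no documented transfer basis")
    return findings

def assess(inventory):
    """Map each asset name to its findings; assets with none are omitted."""
    return {a.name: f for a in inventory if (f := check_asset(a))}

if __name__ == "__main__":
    for name, findings in assess(SAMPLE_INVENTORY).items():
        print(name)
        for f in findings:
            print("  -", f)
```

Run against a real inventory, the output is the list of flows the integration plan must either keep inside Swiss jurisdiction or back with a documented transfer mechanism before cut-over.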

Conclusion

EU-Swiss transactions demand cyber due diligence beyond standard methodology. The interplay of two sophisticated regulatory regimes, Swiss banking secrecy constraints, and cross-border data residency challenges requires specialist technical due diligence advisors with specific Swiss regulatory experience. The cost of specialist advisory is modest compared to compliance failures that emerge post-acquisition — particularly in financial services where regulatory penalties, client loss, and reputational damage can materially affect the investment thesis.

References

  1. Regulation (EU) 2016/679 (General Data Protection Regulation), EUR-Lex.
  2. Court of Justice of the European Union, Case C-311/18 (Schrems II), 16 July 2020.
