Cybersecurity Advisory in Zurich, Switzerland

Switzerland's cybersecurity regulatory framework operates independently of the European Union while maintaining substantial alignment through bilateral agreements and the economic necessity of regulatory equivalence. For Zurich-based institutions serving international clients, this dual orientation creates compliance requirements that span both Swiss domestic regulation and EU frameworks that apply to cross-border activities.

Revised Federal Act on Data Protection (revFADP). The revFADP, effective since September 2023, represents Switzerland's most significant data protection reform in over two decades. Aligned with but distinct from GDPR, the revFADP introduces enhanced obligations for data processing transparency, data breach notification within 72 hours to the Federal Data Protection and Information Commissioner (FDPIC), privacy impact assessments for high-risk processing, and strengthened requirements for cross-border data transfers. For Zurich-based financial institutions, the revFADP's intersection with banking secrecy obligations and FINMA requirements creates a layered compliance environment that demands integrated governance approaches.

FINMA Cybersecurity Requirements. The Swiss Financial Market Supervisory Authority has established comprehensive expectations for ICT risk management across supervised entities. FINMA Circular 2023/1 on operational risks and resilience addresses cybersecurity governance, incident management, business continuity, and third-party risk management with specificity that effectively mandates institutional-grade security programmes for all supervised financial institutions. FINMA's supervisory approach emphasises proportionality but maintains rigorous expectations for systemically important institutions, creating tiered compliance requirements that Intarmour helps clients navigate.

Cross-Border EU-Swiss Considerations. Zurich-based institutions serving EU clients or operating EU subsidiaries face the concurrent application of Swiss and EU regulatory frameworks. The EU's adequacy decision for Swiss data protection facilitates cross-border data transfers, but specific requirements around data localisation, processing purpose limitations, and supervisory authority notifications must be carefully managed. NIS2 and DORA apply to EU operations of Swiss-headquartered groups, creating compliance obligations that must be coordinated with Swiss domestic requirements. Intarmour's position as an EU-based advisory with deep Swiss market knowledge provides unique value in navigating this dual regulatory environment.

Swiss National Cyber Security Centre (NCSC). The NCSC serves as Switzerland's central coordination point for cybersecurity, providing threat intelligence, vulnerability disclosure coordination, and incident response support. Zurich-based institutions are expected to maintain active relationships with the NCSC and to participate in sector-specific information sharing programmes. The NCSC's evolving role, including mandatory incident reporting requirements for critical infrastructure operators, represents a growing regulatory dimension that Intarmour incorporates into advisory engagements for Swiss clients.

Intarmour serves Zurich from our Como headquarters, approximately 2.5 hours by rail through the Gotthard Base Tunnel. This positioning provides a distinct advantage for Zurich-based clients: an advisory relationship with a firm that operates under EU jurisdiction, maintains first-hand experience with GDPR, NIS2, and DORA implementation, yet possesses the deep familiarity with Swiss regulatory requirements that comes from daily cross-border advisory practice across the Italy-Switzerland corridor.

For Zurich-based banks and asset managers, we provide cybersecurity advisory that integrates FINMA requirements with practical security programme design. Our approach recognises that Swiss financial institutions typically maintain sophisticated existing security capabilities and focuses on identifying gaps in governance, emerging regulatory requirements, and strategic security investments that enhance both compliance posture and genuine operational resilience. We do not impose generic frameworks on institutions that have already invested significantly in security infrastructure — we enhance what exists with targeted, expert guidance.

For family offices, we bring the comprehensive private wealth security capability that Intarmour has developed through extensive engagement with UHNWI principals across the Italy-Switzerland corridor. This includes not only institutional governance for investment operations but personal security advisory covering digital footprint management, secure communications, travel security, and residential network protection. The family office sector in Zurich values advisors who understand the intersection of institutional governance and personal privacy — a positioning that defines Intarmour's practice.

Our cross-border advisory capability is particularly relevant for Zurich-based institutions with EU operations or clients. We advise on data transfer frameworks that satisfy both revFADP and GDPR requirements, incident response protocols that coordinate across Swiss and EU supervisory authorities, and governance structures that present a unified compliance posture across jurisdictions. Founded by Simone Nogara, former advisor to NATO and the European Commission, Intarmour brings a level of institutional credibility and regulatory insight that resonates with Zurich's most sophisticated financial institutions.