
Lukas Huber
Founder & AI Strategist
Swiss SMEs struggle with GDPR & EU AI Act. Discover the top compliance platforms to minimize risks and ensure secure data processing.
In Switzerland, many SMEs still hesitate when it comes to the consistent implementation of new compliance regulations. A recent survey by gfs.bern on behalf of AXA revealed that over 60% of Swiss SMEs have only partially or not at all implemented the revised Data Protection Act (DSG). This is not a minor offence, but a significant risk.
This stance can prove especially costly in light of the EU AI Act: although it is primarily EU law, it directly affects Swiss companies through cross-border data traffic and the use of AI systems. The notion that one can retreat to the "island of Switzerland" is naive and dangerous. Those who still rely on Excel spreadsheets or dismiss regulatory compliance as a tiresome duty overlook the strategic importance of compliance for reputation and competitiveness.
The reality is: those who do not proactively adapt to the new circumstances will not only lose the trust of customers and partners but also risk substantial fines. It's not just about avoiding penalties, but about securing the business foundation in an increasingly regulated digital world.
📊 Key Facts at a Glance:
- Market Growth: The compliance software market is projected to reach USD 68 billion by 2026. (Source: The Next Web, 2026)
- Broad Support: Cloud compliance tools support adherence to regulations like GDPR, HIPAA, PCI-DSS, or CCPA. (Source: SentinelOne, 2025)
- AI Monitoring: AI assistants continuously monitor updates from FINMA, GDPR/DSG, and cantonal regulations. (Source: what.digital, 2025)
- Reporting Deadlines: The deadline for reporting data breaches is 72 hours; without clear processes and contacts, this can easily be missed. (Source: datenschutzkonform.ch, 2026)
Which Compliance Platforms are Best Suited for Swiss SMEs to Meet GDPR and AI Regulation Requirements?
The best platforms for Swiss SMEs are characterised by scalability, user-friendliness, and, above all, a strong focus on the Swiss legal landscape. Pure GDPR solutions often fall short when it comes to the specific requirements of the revised Swiss Data Protection Act (DSG) and the particularities of FINMA regulation for financial service providers. A good compliance platform must be able to do both: understand European requirements while also reflecting Swiss specificities.
Many SMEs overstretch themselves trying to find an "all-in-one" solution that covers everything. This often leads to expensive, oversized systems that are barely used. I repeatedly see companies investing millions in complex GRC (Governance, Risk & Compliance) suites when they only need a fraction of the functionalities. For an SME, it is crucial to choose a solution that is modular and can grow with their own needs.
Platforms like heyData or CASUS offer a pragmatic approach here. They are often cloud-based, which is ideal for SMEs with limited IT resources, and offer specialised modules for data protection. It's important that these platforms not only provide document templates but can also map processes, for example, for handling data subject requests or conducting Data Protection Impact Assessments (DPIAs). A DPIA, with its eight steps – from describing the processing to risk assessment and measures – is not a paper exercise; it needs to be actively lived. Without a platform that systematically guides this process, it quickly becomes an administrative burden.
Crucially, during selection, the platform must answer not only the "what" question (what needs to be done?) but also the "how" question (how do I implement it?). A good platform should, for instance, integrate a risk matrix that assesses the probability and impact of risks. This is a core component of any serious risk assessment, as also required by frameworks like NIST or ISO 42001.
💡 Recommendation: Focus on Scalability and Swiss Relevance
Choose a platform that explicitly covers not only GDPR but also the revised Swiss Data Protection Act (DSG). Look for Swiss hosting options and the ability to integrate specific cantonal or industry-specific regulations (e.g., FINMA). A modular architecture allows you to start with lower initial investments and expand functionalities as needed. Check if the platform supports common frameworks like NIST or ISO 42001.
How Can Swiss SMEs Ensure Compliance with the EU AI Act, Especially When Using AI Systems?
Compliance with the EU AI Act requires Swiss SMEs developing or using AI systems to conduct proactive risk assessments and implement robust governance processes. Even though the AI Act is an EU law, it affects Swiss companies that export products or services to the EU, or act as suppliers to EU companies using AI systems. High-risk AI systems, such as those used in credit scoring or applicant management, are subject to strict requirements.
Many SMEs underestimate the scope of the AI Act. They think, "we're not in the EU." This is a fallacy. If you use an AI-powered tool for fraud detection in a Swiss financial company whose clients are also from the EU, you are indirectly affected. Or if you sell HR software with AI components to a German company, you must comply with the AI Act's provisions. This is about liability, reputation, and access to key markets.
The AI Act mandates, among other things, a quality management system, conformity assessment procedures, human oversight, and transparency and explainability requirements. This means an AI model cannot simply be a "black box." It must be comprehensible how decisions are made. This is where concepts like Model Cards or SHAP values come into play, making the functioning of AI models transparent. Without this transparency, compliance is hardly possible.
A dedicated AI governance platform or a module within an existing GRC solution can help here. These tools support the documentation of AI systems, risk assessment according to the AI Act's criteria, and tracking compliance with technical requirements. They must be capable of monitoring the entire value chain of AI deployment, from data acquisition and training to deployment and continuous monitoring.
| Aspect | Traditional DSG Compliance (without AI) | AI Act Compliance (with AI) |
|---|---|---|
| Primary Focus | Protection of personal data, transparency of data processing, data subject rights. | Minimisation of risks from AI systems, protection of fundamental rights, technical robustness and security. |
| Core Requirements | Data Protection Impact Assessment (DPIA), record of processing activities, Privacy by Design, data security. | Risk management system, quality management system, human oversight, transparency, explainability, robustness, cybersecurity. |
| Affected Systems | All systems processing personal data. | AI systems, especially those with high risk (e.g., critical infrastructure, HR, credit scoring). |
| Key Technologies | Encryption, anonymisation, pseudonymisation, access controls. | Explainable AI (XAI), model validation, bias detection, adversarial robustness. |
| Relevant Frameworks | DSG, GDPR, NIST Privacy Framework. | EU AI Act, NIST AI Risk Management Framework, ISO 42001. |
💡 Practical Example: Swiss Financial SME
A Swiss SME in the financial sector uses AI for customer analysis and fraud detection. These applications are often considered high-risk AI systems. Without a suitable platform, it is almost impossible to meet the requirements of the revised DSG and the potential implications of the EU AI Act. By using a specialised compliance platform that offers both data protection and AI governance functions – such as a module from CASUS for risk assessments according to the AI Act or a specialised solution for data governance and model monitoring – the SME can ensure compliance. This not only minimises regulatory risks but also strengthens the trust of customers and partners, which is crucial for securing contracts in the financial sector.
What Concrete Steps Must My Swiss SME Take to Meet the Requirements of the Revised DSG and Avoid Liability Risks?
To meet the requirements of the revised DSG and minimise liability risks, every Swiss SME must conduct a systematic inventory, create a clear plan of responsibilities, and ensure data processing operations are transparent and traceable. Those who hesitate now are acting negligently and putting the company's existence at risk.
The first step is a comprehensive inventory: Which personal data is processed, where, and for what purpose? Who has access to it? How long is it stored? Without this transparency, which often culminates in a record of processing activities, you are operating blind. This record is the backbone of your data protection compliance and must be updated regularly.
This is followed by risk analysis. Every data processing operation carries risks. These risks must be identified, assessed, and minimised with appropriate measures. A risk matrix, quantifying the probability of occurrence and the potential impact (e.g., reputational damage, fines, loss of trust), is helpful here. Consider technical risks (e.g., insufficient encryption), organisational risks (e.g., lack of employee training), and also social/ethical risks, which are particularly relevant in the context of AI (e.g., discrimination by algorithms).
A key point often underestimated is the assignment of responsibilities. Who is the data protection advisor? Who is responsible for reporting data breaches? A RACI matrix (Responsible, Accountable, Consulted, Informed) can provide clarity here. Especially with a 72-hour deadline for reporting data breaches to the Federal Data Protection and Information Commissioner (FDPIC), a clear process with defined contact persons is essential. Without this, the deadline is quickly missed, which can lead to additional sanctions.
Not to be forgotten are the principles of "Privacy by Design" and "Privacy by Default." This means data protection must be integrated from the outset into the development of new products, services, and IT systems. It is not an afterthought "fix" but a fundamental attitude. Tools that guide developers and specialist departments in implementing data protection-friendly settings as standard and consistently checking the proportionality of data processing are helpful here.
⚠️ Warning: Non-Compliance is Not a Cost-Saving Strategy
The assumption that non-compliance with data protection and AI regulations saves costs is a fallacy. Potential fines under the revised DSG can be up to CHF 250,000, not to mention the financial and intangible damages from loss of reputation, customer churn, and legal disputes. Effective compliance management is an investment in the future and stability of your company, not just a burden.
💡 Tip: Involve Stakeholders Early
Create a stakeholder list and involve all relevant departments early on. This includes not only IT and legal departments but also management (CEO, Board for strategic direction and reputational risk), customer service (direct impact on data subject requests), and product development. Without their acceptance and input, any compliance initiative will remain mere lip service. A RACI chart helps to clearly define responsibilities.
In his practice, Lukas Huber from schnellstart.ai has repeatedly observed that companies that view compliance as a strategic competitive advantage are more successful in the long run. It's about building trust and demonstrating that you take responsibility for customer data and the ethical use of technologies seriously.
Choosing the right compliance platform is just one building block. Much more important is the corporate culture that sees compliance as an integral part of business processes. A platform can support, but the responsibility ultimately lies with the people and the defined processes within the company.
Conclusion
Navigating the compliance requirements of the revised Swiss Data Protection Act and the EU AI Act is not an option for Swiss SMEs, but a necessity. Those who invest now – in knowledge, processes, and the right tools – secure a decisive competitive advantage and protect their company from significant risks.
✅ Proactive Planning Pays Off: Don't wait until it's too late. Early implementation of compliance measures and platforms minimises risks and costs.
✅ Swiss Focus is Crucial: Choose platforms that explicitly address the specifics of the Swiss legal landscape and offer Swiss hosting options.
✅ AI Compliance is More Than Data Protection: The EU AI Act requires a separate strategy for risk management, transparency, and governance when using AI systems, going beyond traditional data protection management.
Would you like to know how your SME can master compliance requirements efficiently and pragmatically? Contact us for a no-obligation initial consultation.