
Lukas Huber
Founder & AI Strategist
Swiss SMEs face AI Governance & Compliance challenges. Get practical insights on legal and ethical frameworks for AI adoption.
Every Swiss SME knows the pressure: increase efficiency, remain competitive, find innovative paths. Many see Artificial Intelligence (AI) as the next big promise. However, the euphoria often masks a central challenge that goes far beyond technical questions: AI governance and compliance.
The reality is sobering: Only a fraction of Swiss SMEs have seriously considered the legal and ethical frameworks for AI deployment so far. This is risky. Because while AI systems are making their way into businesses, so too are the expectations of regulatory authorities and society for responsible handling – not tomorrow, but today.
A practical example illustrates the urgency: A Swiss trust company testing AI tools for automated document processing had to halt the project because fundamental data protection and liability issues remained unresolved. Management had underestimated the complexity of governance. Experiences like these cost not only money but also trust and valuable time, which SMEs don't have in abundance.
📊 Facts at a glance:
- Fact: 99.7% of companies in Switzerland are SMEs (fewer than 250 employees). (Source: KMU.admin.ch, 2026)
- Fact: SMEs in Switzerland are responsible for two-thirds of jobs and over 60% of value creation. (Source: Swisspeers Blog, 2026)
How can Swiss SMEs meet the new AI governance requirements of the revised Swiss Data Protection Act (revDSG) and the EU AI Act?
Compliance with these requirements demands a structured approach that extends beyond pure technology issues. Governance and compliance are not optional add-ons but fundamental pillars for any secure and responsible AI deployment. Governance, in this context, means designing the system: establishing roles, policies, and processes. Compliance, on the other hand, verifies adherence to these provisions through monitoring, audits, and corrective actions.
For Swiss SMEs, two external conditions are primarily relevant: the revised Swiss Data Protection Act (revDSG) and the EU AI Act. Although the revDSG is already in effect, its full implications in the context of AI are often underestimated. It requires a transparent and proportionate handling of personal data, which directly applies to many AI applications trained on or processing such data. Concepts like "Privacy by Design" and conducting Data Protection Impact Assessments (DPIAs) are not optional extras here, but mandatory.
While the EU AI Act is a European Union law, it has significant implications for Swiss companies exporting AI systems to the EU, operating in the EU, or whose systems target EU citizens. The Act follows a risk-based approach: the higher the risk of an AI system to fundamental rights or safety, the stricter the requirements. For Swiss SMEs, this means they must assess their AI applications for potential risks and implement the corresponding compliance measures. This can range from documentation obligations to conformity assessment procedures.
| Requirement | Relevance for Swiss SMEs | Concrete Measures |
|---|---|---|
| Revised Swiss Data Protection Act (revDSG) | Applies to all AI applications processing personal data. Focus on transparency, purpose limitation, and data minimisation. | |
| EU AI Act | Affects SMEs offering or using AI systems in the EU, or whose output impacts individuals in the EU (e.g., through services). Risk-based approach. | |
| ISO/IEC 42001 (AIMS) | International standard for an AI Management System. Provides a framework for governance and compliance. Voluntary, but highly recommended. | |
💡 Recommendation: Proactive Risk Analysis
Don't wait for a problem to arise. Conduct a risk analysis for your AI applications early on. Identify what data is processed, what decisions the AI makes, and what potential impact this has on individuals or your business. This will help you address the requirements of the revDSG and the EU AI Act (if applicable) in a targeted manner and avoid unnecessary costs or reputational damage.
What concrete steps must a Swiss SME take to implement ISO/IEC 42001 for AI Governance?
Implementing ISO/IEC 42001 provides a clear roadmap for a robust AI Management System (AIMS). While this international standard is not mandatory, it offers an excellent structure for systematically addressing governance and compliance. As Lukas Huber, founder of schnellstart.ai, I've repeatedly seen in my practice how SMEs benefit from such a framework. It's not about creating a massive bureaucratic monster, but about a practical structure that builds security and trust.
The first step is an inventory: Where do you stand with your current AI initiatives? Are there already policies or processes in place? Often, individual elements exist uncoordinated in SMEs. A gap analysis will show which areas still need to be established or improved according to ISO 42001.
This is followed by the development of specific AI policies. These include ethics guidelines that ensure fair and non-discriminatory use of AI, data protection policies that regulate the handling of sensitive data, as well as incident and change policies for the operation and further development of AI systems. These documents form the backbone of your AI governance. They must be formulated concretely and understandably so that they can be lived out in everyday practice.
💡 Tip: Focus on Pragmatism
As an SME, you don't need to rush into complex concepts. Start with a manageable AI project. Document the insights gained and iteratively adapt your governance structure. A "General AI Governance Policy Template.pdf" can be a good starting point, but it must be tailored to your specific situation. The goal is for governance to support your business operations, not hinder them.
A critical point is the clear assignment of roles and responsibilities. Who is responsible for data quality? Who approves new AI models? Who monitors performance? A RACI model (Responsible, Accountable, Consulted, Informed) can provide clarity here. It is crucial that these roles are operationally assigned and that the corresponding competencies are available. Without this clear assignment, any governance initiative will fade away.
Finally, controls must be implemented and evidence collected. This includes technical controls to ensure data integrity and model security, as well as organisational controls such as regular employee training. Regularly measure KPIs (Key Performance Indicators) of AI systems and conduct internal audits. Only then can you verify the effectiveness of your governance and continuously improve it. Remember: governance is not a one-off project, but an ongoing process.
🚀 Practical Example: The Regional Building Supplier
A Swiss building supplier with 80 employees implemented an AI to optimise its inventory. To gradually meet ISO/IEC 42001, a part-time "AI Officer" role was created to document data origins and model updates. A simple "AI Ethics Checklist" was developed to ensure that order suggestions did not cause discrimination against suppliers. Monthly, brief reviews with management served as audits. This demonstrated that a meaningful start is possible even with limited resources.
Why is the integration of roles, processes, and controls crucial for compliance in the AI deployment of Swiss companies?
A fragmented view of roles, processes, and controls inevitably leads to compliance gaps and increases risk for your company. Those who view AI solely as a technology project overlook the organisational and human factors that are crucial for success and safety. An AI model is never detached from the context in which it is developed and deployed. It operates within a system that must be designed, monitored, and corrected by humans when necessary.
Imagine a Swiss service SME using AI for personnel selection. If the responsibilities for checking the fairness of the algorithm are not clearly defined (role), no processes exist that mandate regular bias checks (process), and no technical controls are implemented to detect suspicious patterns (control), then the door to discrimination is wide open. Such incidents can not only lead to legal consequences but also permanently damage the company's reputation.
Integration means that these three elements – roles, processes, controls – are not considered in isolation but are designed as a tightly interwoven system. A well-formulated policy (process) is worthless if no one is responsible for its implementation (role) or if there is no way to verify its adherence (control). This is the core of the "Block 3 Analysis" approach I use in my work: Are policies, roles, processes, controls, KPIs, and audits truly integrated and aligned?
A concrete example of a lack of integration is often seen in risk assessments. Technical risks (model errors, data breaches) may be addressed, but organisational risks (lack of training, unclear instructions) or ethical risks (bias, lack of transparency) are overlooked. Yet it is precisely the latter that matter most for an SME's reputation and liability. Transparency and explainability are not abstract concepts here; they must be demonstrable, for example in concrete "Model Cards" or through SHAP values.
The continuous measurement of KPIs and regular audits are the hinge between governance and compliance. They are proof that your system does not just exist on paper but also functions in practice. Without solid evidence that policies are being followed and controls are effective, you cannot demonstrate compliance in a critical situation. The DSFA Guideline 1, which I use in my work, emphasises precisely this need for traceability and documentation. It's about creating "evidence-based" compliance.
⚠️ Warning: The "Black Box" Myth
Many SMEs believe AI is an opaque "black box" whose decisions are incomprehensible. This is a dangerous myth. While some models are complex, established methods exist (e.g., SHAP values, LIME) to improve explainability and identify the key factors influencing AI decisions. Your duty as a responsible party is to demand and ensure this transparency, especially for high-risk applications. A lack of explainability is not an excuse, but a governance problem.
The integration of roles, processes, and controls is ultimately an expression of professionalism and responsible corporate management. It not only minimises legal risks but also builds trust with customers, employees, and partners. A Swiss SME that takes this integration seriously positions itself as future-proof and reliable – a crucial competitive advantage in an increasingly data-driven world.
As Lukas Huber from schnellstart.ai, I've found that SMEs that consider this integration from the outset experience significantly fewer setbacks. They can scale AI faster and more securely because the fundamental framework is in place. It's an investment that pays off in the long run.
The ability to not only master AI technically but also to manage its governance and compliance will become a decisive factor for the business success of Swiss SMEs. It's the difference between a short-term hype and sustainable value creation.
Conclusion
AI governance and compliance are not optional add-ons but the foundation for a secure, responsible, and therefore ultimately successful deployment of Artificial Intelligence in Swiss SMEs. The revDSG and the EU AI Act set clear frameworks that must be actively managed. Those who act now will create a decisive competitive advantage and protect their company from unnecessary risks.
✅ Understand the Fundamentals: Clearly distinguish between governance (system design) and compliance (system verification). Both are essential.
✅ Act Proactively: Assess your AI applications for revDSG and EU AI Act relevance. An early risk analysis will save you costly corrections later.
✅ Integrate Systematically: Establish clear roles, define transparent processes, and implement measurable controls. Only holistic integration leads to robust compliance.
Would you like to learn more about how to pragmatically implement AI governance and compliance in your Swiss SME? Contact us for a no-obligation initial consultation.