Cyber Security Radar 2026: Key agenda items for CISOs and CIOs

Author
Michael Fossati
Published
20. January 2026

Regulatory requirements are becoming stricter, AI is changing attack patterns, and cost pressure is increasing. A review of 2025 shows that cybersecurity will be a strategic management task in 2026, in which cyber resilience, governance and technological foresight are decisive. Those who set priorities in a structured manner now will reduce risks, costs and regulatory friction. This article assesses the developments of the past year and outlines the strategic course for CISOs and CIOs. A checklist summarizes the three key fields of action.

As in previous years, the past year was shaped by a range of key topics relating to new technologies, growing regulatory requirements and a worsening threat situation. Anyone who wants to understand cybersecurity in 2026 cannot avoid a close look back.

FINMA and revDSG explained: What obligations apply today?

FINMA Circular 2023/1 ("Operational risks and resilience - banks") and the revised Swiss Data Protection Act (revDSG) have been in force for some time.

Compliance with FINMA Circular 2023/1 is enforced through supervisory audits, and FINMA publishes supervisory notices (FINMA Guidance) with explanations and expectations at irregular intervals (e.g. FINMA Guidance 05/2025 "Operational resilience at banks, persons under Art. 1b Banking Act, securities firms and financial market infrastructures").

Financial institutions must implement a bundle of complementary technical and organizational measures (TOMs) in order to demonstrate holistic management of cyber and ICT risks, protection of critical data, end-to-end incident handling (detection, analysis, assessment, response, adherence to reporting deadlines) and effective management of the risks arising from outsourced services and service providers. They are also required to strengthen their resilience and to review it regularly.

The revised Data Protection Act (revDSG) caused little stir in the media. It does, however, require that data breaches (e.g. data exfiltration in the course of a ransomware attack) be reported to the Federal Data Protection and Information Commissioner (FDPIC) as soon as possible whenever they are likely to pose a high risk to the data subjects.

NIS2 and DORA: familiar requirements, growing relevance for Switzerland

Although Switzerland is not an EU member, NIS2 (the second Network and Information Security Directive) and DORA (the Digital Operational Resilience Act, the sector-specific counterpart to NIS2 for the financial sector) are also becoming (more) relevant here. Swiss companies operating in the EU must implement the corresponding requirements, such as stricter reporting obligations, resilience testing, end-to-end incident handling (detection, analysis, assessment, response) and ICT risk management.

The national transposition of NIS2 poses legal, organizational and technical challenges for companies. The directive is deliberately technology-neutral and leaves the EU member states room for interpretation, which results in differing national minimum standards. Several countries have not yet passed their transposition laws, which leaves companies without legal certainty.

CRA: Why product security matters over the entire life cycle

Even though Switzerland is not an EU member and the Cyber Resilience Act (CRA) is not yet binding while its transition period runs (reporting obligations for actively exploited vulnerabilities apply from September 2026, the remaining obligations from December 2027), its requirements must be taken into account across the product life cycle (from development and testing through to maintenance and support). Procurement departments in European companies are already demanding evidence that the security of such products is maintained throughout their entire service life.

AI in everyday life: when artificial intelligence plays an invisible role in decision-making

AI use has grown rapidly, whether through integration into search engines, productivity software (such as Microsoft Office) and browsers (such as Microsoft Edge) or through its use in companies to automate or digitalize processes. It is becoming increasingly difficult for users to recognize where AI is already part of a process or workflow. At the same time, companies are in a constant race with the release cadence of AI providers to ensure secure and compliant use.

Cyberattacks in transition: automated ransomware hits big and small

Attackers increasingly rely on AI to create phishing emails and malware or to evade security controls. The result is highly personalized, automated ransomware attacks with a significantly higher success rate, increasingly combined with double or triple extortion using the stolen data. Opportunistic attacks that exploit (unpatched) vulnerabilities should not be underestimated either. The attacker ecosystem continues to function successfully, and specialization among attacker groups will keep increasing.

Supply chain and cloud: third-party risk management is mandatory

Today, hardly any company relies exclusively on its own resources; a modern business model is barely conceivable without IT providers, external service providers or cloud services. At the same time, attacks via suppliers, service providers and partners have steadily increased in recent years. Systematic third-party risk management (TPRM) has become a "must" for companies and a focus for regulators.

Cyber hygiene: vulnerability management, backups and awareness as a foundation

Proven practices for ensuring basic resilience, known in short as cyber hygiene, remain in focus, especially where a security set-up that can withstand attacks has to be established quickly and purposefully. Last year, too, successful attacks were frequently made possible by fundamental shortcomings such as inadequate vulnerability management and a lack of (tested, restorable) backups. Deficits in security culture, security awareness and monitoring amplified this effect.

Incident response and BCM: standstill or business continuity?

The expansion of capabilities for rapid detection, containment and response to cyber incidents continued. At the same time, the focus is shifting toward measures that increase resilience with the aim of addressing business continuity holistically. Existing emergency plans were increasingly reviewed, analyzed in greater depth and extended to cover service providers and cloud services. This made a significant contribution to strengthening companies' long-term cyber resilience against attacks.

As in 2024, the focus was on topics such as stricter regulatory requirements, strengthening resilience against attacks and the rapidly growing importance of AI.

Strategic outlook: What will shape cyber security from 2026?

Companies are required to constantly review and consistently tighten their security measures. Only those who systematically rectify identified vulnerabilities will remain responsive and cyber-resilient in the face of a dynamic threat situation.

The outlook for 2026 classifies the key trends, challenges and innovations.

Data sovereignty and control over data: where cloud use creates legal uncertainty

The use of international cloud services (Microsoft, Google, Amazon, etc.) means that it is not always clear where data is physically processed and stored. At the same time, data is increasingly subject to several legal systems in parallel, such as those of Switzerland, the EU and the USA. Determining the applicable law in each case is becoming considerably more difficult and can lead to uncertainty.

Artificial intelligence in transition: when attackers and defenders learn at the same pace

The use of generative AI is steadily increasing, while at the same time risks from uncontrolled ("shadow") AI use are growing: employees use AI tools that are not or cannot be controlled by IT/security (especially with bring-your-own-device, BYOD).

The pressure to establish governance and effective controls for the use of AI is increasing. If a company wants to set up and operate its own AI infrastructure, the associated risks must be identified, assessed and addressed.

At the same time, attackers are using generative AI and, increasingly, its next stage of development, agentic AI, for autonomous attacks, in particular for tailored phishing campaigns, deepfake fraud and other attack techniques. Companies should regard AI not only as a supporting tool but, urgently, as part of their risk landscape. AI-supported threat detection and automated defense mechanisms are essential in order to react appropriately and promptly.

Tool landscapes: How less complexity creates more security

In recent years and decades, companies have used a myriad of specialized tools and technologies to respond adequately to new threats and risks. This has led to increased heterogeneity and complexity, redundancies, limited efficiency and constantly rising costs. Stagnating or even decreasing financial resources are increasing the pressure to consolidate tool landscapes and automate processes to a greater extent.

Cloud, identities and zero trust: control across system and provider boundaries

The use of cloud infrastructures will continue to increase. This requires new governance and control mechanisms, as traditional control models are reaching their limits. At the same time, new attack models are opening up that require the further development of existing security arrangements. The management of identities across system boundaries poses a particular challenge. Concepts such as Zero Trust Architecture (ZTA) are increasingly becoming a necessity.

Recent outages at Amazon and Cloudflare have highlighted the risks of vendor lock-in and single-provider dependency: in such an emergency, companies are no longer able to provide their services or maintain central business processes.

Regulation and compliance in the boardroom - there is no time to delay!

In line with increasing digitalization, cross-border data flows and the ubiquitous use of AI, the regulatory and compliance requirements that companies must meet continue to evolve. As a result, questions of regulatory control and liability are increasingly becoming the responsibility of management boards and executive committees:

  • Stronger requirements for critical infrastructures: driven by ongoing attacks and extortion, the requirements for critical infrastructures are likely to increase further (e.g. in the areas of traffic and transportation, utilities, healthcare, water supply).
  • AI laws: AI regulations (including the CH and EU AI regulation) require companies to carry out risk assessments for AI systems. These are becoming mandatory, especially for high-risk applications such as biometric identification.
  • NIS2: With the increasing number of national transposition laws being passed, the pressure on companies to be able to demonstrate compliance is growing. The sometimes differing minimum requirements in the EU member states are becoming a challenge, especially for companies with local or distributed infrastructures.

Companies must anticipate regulatory trends at an early stage and take measures to ensure the required conformity in good time.

Supply chains under attack: why vendor risk management is becoming indispensable

The growing number of successful attacks on third-party providers and software supply chains is raising the bar for risk management. Software Bills of Materials (SBOMs), supply-chain transparency and structured vendor risk management processes are therefore becoming a prerequisite. An SBOM only pays off if it is actually matched against vulnerability advisories and kept current with every release; a document that is merely filed away creates no security.
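To make the SBOM point concrete, the following is an added example (not code from the article or from any vendor) of the minimum processing an SBOM has to go through to be useful: parse a CycloneDX-style component list, resolve each component's package URL (purl) and match its version against an advisory feed. The SBOM excerpt, the package names and the advisory identifiers (EXAMPLE-2025-...) are all constructed for this illustration; a real pipeline would read the actual SBOM and a feed such as OSV or the supplier's CSAF/VEX documents instead.

```python
import json

# Constructed CycloneDX-style SBOM excerpt; package names and versions are fictional.
SBOM_JSON = """{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "acme-parser", "version": "1.4.2",
     "purl": "pkg:maven/com.example/acme-parser@1.4.2"},
    {"type": "library", "name": "acme-client", "version": "3.2.0",
     "purl": "pkg:pypi/acme-client@3.2.0"},
    {"type": "library", "name": "vendor-blob", "version": "unknown"}
  ]
}"""

# Constructed advisory feed with fictional identifiers (same shape as an OSV-style affected range).
ADVISORIES = [
    {"id": "EXAMPLE-2025-0001", "purl_type": "maven", "name": "com.example/acme-parser",
     "introduced": "1.0.0", "fixed": "1.5.0", "severity": "high"},
    {"id": "EXAMPLE-2025-0002", "purl_type": "pypi", "name": "acme-client",
     "introduced": "3.0.0", "fixed": "3.1.4", "severity": "medium"},
]


def parse_version(version):
    """Dotted numeric versions only (1.4.2 -> (1, 4, 2)); anything else raises ValueError."""
    return tuple(int(part) for part in version.split("."))


def parse_purl(purl):
    """Minimal package-URL split: pkg:type/namespace/name@version -> (type, 'namespace/name', version)."""
    if not purl.startswith("pkg:"):
        raise ValueError(f"not a package URL: {purl}")
    purl_type, _, rest = purl[4:].partition("/")
    name, _, version = rest.partition("@")
    return purl_type, name, version


def is_affected(version, advisory):
    """Affected if introduced <= version < fixed (half-open range, as in OSV)."""
    v = parse_version(version)
    return parse_version(advisory["introduced"]) <= v < parse_version(advisory["fixed"])


def match_sbom(sbom_json, advisories):
    """Return (findings, unmatched).

    Components without a resolvable purl/version cannot be assessed at all; they are
    reported separately because silently skipping them hides supply-chain blind spots.
    """
    sbom = json.loads(sbom_json)
    findings, unmatched = [], []
    for comp in sbom.get("components", []):
        purl = comp.get("purl")
        if not purl:
            unmatched.append(comp.get("name", "<unnamed>"))
            continue
        purl_type, name, version = parse_purl(purl)
        if not version:
            unmatched.append(name)
            continue
        for adv in advisories:
            if adv["purl_type"] == purl_type and adv["name"] == name and is_affected(version, adv):
                findings.append({"component": name, "version": version, "advisory": adv["id"],
                                 "severity": adv["severity"], "fixed_in": adv["fixed"]})
    return findings, unmatched


if __name__ == "__main__":
    found, missing = match_sbom(SBOM_JSON, ADVISORIES)
    for f in found:
        print(f"{f['severity'].upper()}: {f['component']} {f['version']} affected by "
              f"{f['advisory']}, fixed in {f['fixed_in']}")
    for name in missing:
        print(f"REVIEW: {name} has no package URL and cannot be matched against advisories")
```

The unmatched list is the part that matters for vendor risk management: a supplier-delivered component that cannot be identified is a question to put to that supplier, not a clean result.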

Ransomware: when the constant threat reaches several levels of escalation

Ransomware attacks remain a persistent threat, but their nature is changing with the spread of double and triple extortion models, which combine encryption with the threat of data publication and DDoS attacks. Critical infrastructures such as banks, hospitals and energy suppliers are particularly affected, as analyses by the Swiss Federal Office for Cybersecurity (BACS) show.

Quantum computing: why post-quantum cryptography needs to be prepared

The development of quantum computers is progressing steadily. Even though it cannot currently be predicted when quantum computers will be available that could break today's public-key encryption and signature schemes, precautions have to be taken now: traffic and data recorded today can be decrypted later ("store now, decrypt later") once such a machine exists, so information with a long confidentiality requirement is already exposed. Companies are required to evaluate post-quantum cryptography, build an inventory of the cryptography they use and develop migration plans.
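The first step of such a migration plan is a cryptographic inventory with a defensible priority order. The following is an added example (not from the article) that classifies a constructed inventory of fictional systems and ranks them: public-key algorithms broken by Shor's algorithm are migrated first where the data they protect outlives the assumed threat horizon, symmetric keys below 256 bits are a lower-priority key-length upgrade, and anything not recognized is sent for manual review. The threat horizon (10 years) and the migration effort (3 years) are planning assumptions, not facts from the page; they are parameters precisely so that the plan can be recomputed when the estimate changes.

```python
# Constructed cryptographic inventory (fictional systems); a real one is assembled from
# certificate, TLS, SSH, KMS/HSM and code scans.
INVENTORY = [
    {"system": "customer-portal TLS", "use": "key exchange",    "algorithm": "ECDH",   "param": "P-256", "data_lifetime_years": 1},
    {"system": "document archive",    "use": "key wrapping",    "algorithm": "RSA",    "param": "2048",  "data_lifetime_years": 15},
    {"system": "code signing",        "use": "signature",       "algorithm": "RSA",    "param": "4096",  "data_lifetime_years": 0},
    {"system": "backup encryption",   "use": "bulk encryption", "algorithm": "AES",    "param": "128",   "data_lifetime_years": 12},
    {"system": "site-to-site VPN",    "use": "key exchange",    "algorithm": "ML-KEM", "param": "768",   "data_lifetime_years": 5},
    {"system": "legacy HSM",          "use": "signature",       "algorithm": "VENDOR-PROPRIETARY", "param": "?", "data_lifetime_years": 3},
]

# Planning assumptions (not from the article): years until a cryptanalytically relevant
# quantum computer is assumed to exist, and how long migrating one system typically takes.
THREAT_HORIZON_YEARS = 10
MIGRATION_YEARS = 3

QUANTUM_BREAKABLE = {"RSA", "DSA", "DH", "ECDH", "ECDSA", "X25519", "Ed25519"}  # broken by Shor
SYMMETRIC = {"AES", "ChaCha20"}      # Grover nominally halves the effective key strength
PQ_SAFE = {"ML-KEM", "ML-DSA", "SLH-DSA"}  # NIST FIPS 203 / 204 / 205

PRIORITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "review": 3, "none": 4}


def assess(entry, threat_horizon=THREAT_HORIZON_YEARS, migration_years=MIGRATION_YEARS):
    """Classify one inventory entry and derive a migration priority with the reason."""
    alg = entry["algorithm"]
    if alg in PQ_SAFE:
        return {"priority": "none", "reason": "already post-quantum"}
    if alg in SYMMETRIC:
        bits = int(entry["param"])
        if bits >= 256:
            return {"priority": "none", "reason": "256-bit symmetric key keeps a 128-bit margin under Grover"}
        return {"priority": "medium", "reason": f"{bits}-bit symmetric key; move to 256-bit"}
    if alg in QUANTUM_BREAKABLE:
        if entry["use"] == "signature":
            # Signatures are only at risk once the quantum computer exists; recorded
            # traffic cannot be forged retroactively, so "store now, decrypt later" does not apply.
            prio = "high" if migration_years >= threat_horizon else "medium"
            return {"priority": prio, "reason": "quantum-breakable signature; migrate before the threat horizon"}
        # Confidentiality: ciphertext recorded today stays exposed for the data's whole lifetime.
        exposure = entry["data_lifetime_years"] + migration_years
        if exposure > threat_horizon:
            return {"priority": "critical",
                    "reason": (f"data lifetime {entry['data_lifetime_years']}y + migration "
                               f"{migration_years}y exceeds the {threat_horizon}y horizon")}
        return {"priority": "high", "reason": "quantum-breakable key exchange/wrapping"}
    return {"priority": "review", "reason": f"unrecognized algorithm {alg}; classify manually"}


def migration_plan(inventory, **params):
    """Inventory sorted by priority (critical first); each row carries the reason for its rank."""
    rows = [dict(entry, **assess(entry, **params)) for entry in inventory]
    return sorted(rows, key=lambda r: (PRIORITY_ORDER[r["priority"]], r["system"]))


if __name__ == "__main__":
    for row in migration_plan(INVENTORY):
        print(f"{row['priority']:8} {row['system']:20} {row['algorithm']}-{row['param']}: {row['reason']}")
```

The ranking rule for confidentiality is the usual one (data lifetime plus migration time must stay below the threat horizon); the example keeps signatures separate because their risk profile is different, which is exactly the distinction a migration plan should make explicit.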

Skills shortages and competencies: New skills determine resilience

The ongoing shortage of security specialists will continue to pose significant challenges for companies in the future. In addition, new skills - such as in the areas of AI security, cloud identities and threat hunting - are becoming increasingly important in order to be able to respond adequately to current and future technological developments and threats. Targeted investment in the further training of IT specialists is therefore required.

Alternatively, a lack of specialist expertise within the company can be compensated for through the selective use of external expertise and organizational models that cushion deficits through automation and clear prioritization.

Identity management: password authentication is becoming less important

Identities are digital gold for attackers: whoever obtains a digital identity, including its password, gains far-reaching access to systems and data. Identity debt poses a particular risk: excessive authorizations as well as outdated, orphaned or never-deactivated accounts. Identities and their associated authorizations must therefore be reviewed regularly.
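What such a review looks like in practice is shown by the following added example (not code from the article): it runs the identity-debt checks named above over a constructed directory export with fictional users, flagging orphaned accounts whose owner has left, stale or never-used accounts, privileged roles without MFA, and service accounts holding a privileged role. The reference date, the 90-day staleness threshold and the set of roles counted as privileged are assumptions and would come from the organization's own policy.

```python
from datetime import datetime

# Constructed identity export (fictional users); a real run reads an IdP or directory export.
ACCOUNTS = [
    {"user": "a.meier",    "type": "human",   "enabled": True,  "owner_active": True,
     "last_login": "2026-01-15", "roles": ["user"],                          "mfa": True},
    {"user": "b.keller",   "type": "human",   "enabled": True,  "owner_active": False,
     "last_login": "2025-06-02", "roles": ["user", "global_admin"],          "mfa": False},
    {"user": "svc-backup", "type": "service", "enabled": True,  "owner_active": True,
     "last_login": "2026-01-18", "roles": ["backup_operator", "global_admin"], "mfa": False},
    {"user": "c.frei",     "type": "human",   "enabled": False, "owner_active": False,
     "last_login": "2024-03-11", "roles": ["user"],                          "mfa": True},
    {"user": "d.huber",    "type": "human",   "enabled": True,  "owner_active": True,
     "last_login": None,         "roles": ["user"],                          "mfa": True},
]

AS_OF = datetime(2026, 1, 20)        # fixed reference date so the run is reproducible
STALE_DAYS = 90                      # assumed review threshold; policy-dependent
PRIVILEGED_ROLES = {"global_admin"}  # assumed mapping of which roles count as privileged


def audit_identities(accounts, as_of=AS_OF, stale_days=STALE_DAYS):
    """Return {user: [issue, ...]} for every enabled account that carries identity debt."""
    findings = {}
    for acc in accounts:
        if not acc["enabled"]:
            continue  # disabled accounts are not live attack surface; they belong on the deletion list instead
        issues = []
        if not acc["owner_active"]:
            issues.append("orphaned: owner has left but the account is still enabled")
        if acc["last_login"] is None:
            issues.append("never used since provisioning")
        else:
            age = (as_of - datetime.strptime(acc["last_login"], "%Y-%m-%d")).days
            if age > stale_days:
                issues.append(f"stale: last login {age} days ago")
        privileged = PRIVILEGED_ROLES.intersection(acc["roles"])
        if privileged and not acc["mfa"]:
            issues.append(f"privileged role(s) {sorted(privileged)} without MFA")
        if privileged and acc["type"] == "service":
            issues.append("service account holds a privileged role; scope it to its task")
        if issues:
            findings[acc["user"]] = issues
    return findings


def prioritize(findings):
    """Orphaned or unprotected privileged accounts first, then stale or unused ones."""
    def rank(item):
        user, issues = item
        urgent = any(i.startswith(("orphaned", "privileged")) for i in issues)
        return (0 if urgent else 1, user)
    return sorted(findings.items(), key=rank)


if __name__ == "__main__":
    for user, issues in prioritize(audit_identities(ACCOUNTS)):
        print(user)
        for issue in issues:
            print(f"  - {issue}")
```

Run against a real export, the same checks turn "review identities regularly" into a repeatable control whose output (the prioritized list) can be tracked release by release.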

Passwordless authentication such as biometrics, FIDO2 or passkeys will prevail in the medium term and become the standard; for now, gaps in interoperability still stand in the way.

Cost pressure: cyber resilience remains non-negotiable despite limited resources

The challenging economic situation, characterized by the tariffs introduced by the USA, inflation and rising unemployment, is increasing the pressure on companies. There is an increasing lack of funds for sustainable investment in information security. Regardless of the tense financial situation, ensuring cyber resilience against constantly evolving attacks remains a non-negotiable task.

A strategic checklist: How security managers can act proactively

The coming years will bring major challenges that will also open up strategic opportunities. Swiss companies that meet the regulatory requirements, use AI strategically and systematically strengthen their cyber resilience will not only reduce inherent risks, but also secure sustainable competitive advantages.

For practical guidance, the following checklist sets out the future priorities for CISOs, CIOs and IT security managers.

  • Ensure regulatory compliance
    ▪️ Implement FINMA, NIS2, DORA and CRA requirements
    ▪️ Prepare organizations such as energy supply companies for new requirements
    ▪️ Ensure data sovereignty and control over data
  • Use AI and automation
    ▪️ Introduce AI-supported defense systems
    ▪️ Actively track agentic AI and autonomous threats
  • Minimize ransomware and supply chain risks
    ▪️ Implement zero trust architectures
    ▪️ Regularly check third-party providers
    ▪️ Ensure independence from suppliers
  • Prepare identity management and quantum resistance
    ▪️ Clean up IAM systems
    ▪️ Evaluate Zero Trust Architecture (ZTA), especially for cloud services
    ▪️ Evaluate post-quantum cryptography
  • Cost pressure and specialists
    ▪️ Securing financial resources despite the tense economic situation
    ▪️ Reducing the complexity and costs of the technologies used
    ▪️ Ensuring know-how and expertise within the company

The 3 fields of action of cyber security - an ongoing task at C-level

Information security remains a dynamic and constantly evolving field. It is crucial for managers to remain agile as an organization and to keep abreast of new threats and technological developments.

A regular review and development of security measures is necessary to ensure the integrity, confidentiality and availability of information and systems and thus business continuity. Assumptions should be critically scrutinized and measures consistently tightened up. Cybersecurity is not a finished state, but a continuous management and resilience task.

A structured, risk-oriented approach that goes beyond selective security measures is crucial.

In practice, the focus on three central fields of action has proven to be particularly effective:

  • Ensuring regulatory compliance and governance:
    Systematically classify and implement requirements from FINMA circulars, NIS2, DORA or data protection requirements and anchor them in a verifiable manner.
  • Strengthen cyber resilience and incident response capabilities:
    Expand detection, response and recovery processes in a targeted manner, safeguard business continuity and consider dependencies on service providers and cloud providers.
  • Prioritize technological risks and reduce complexity:
    Assess identity management, cloud and supply chain risks and AI-based threats holistically and consolidate security architectures.

Gain clarity on the security status of your organization. Identify the need for action with an in-depth assessment. Our security specialists will support you in further developing your cyber resilience to ensure your ability to act even under increasing regulatory and economic pressure.



 

Caption: Image generated with AI
