Switzerland is not a member of the European Union and is not bound by EU Regulation 2024/1689. It nonetheless sits at the centre of a web of AI governance obligations in 2026: the revised Federal Act on Data Protection is fully in force, FINMA has formalised its AI supervisory expectations for financial institutions, and Switzerland signed the Council of Europe Framework Convention on Artificial Intelligence in September 2024. Operators deploying AI in Switzerland, or exporting AI products and services to EU customers, must navigate each of these instruments without the benefit of a single horizontal AI statute. This guide sets out what applies, how the obligations interact, and what a compliance programme should address.

Key takeaways

  • Switzerland has no comprehensive AI statute. AI governance obligations flow from the revised Federal Act on Data Protection (nFADP, in force September 2023), FINMA supervisory circulars, sector-specific rules, and the Council of Europe Framework Convention on AI (CETS No. 225), which Switzerland signed in September 2024.
  • Article 21 of the nFADP gives individuals the right to be informed of automated decisions with significant effects, the right to state their position, and the right to request human review. Controllers must explain key parameters of automated decisions on request.
  • FINMA Circular 2023/1 on Operational Risks and Resilience applies directly to AI and algorithmic systems used by supervised financial institutions. FINMA's December 2023 AI position paper confirmed a risk-based supervisory approach that scales governance requirements to the autonomy and consequence of each AI system.
  • The Council of Europe AI Convention requires parties to implement transparency obligations, risk-based lifecycle management, prohibitions on AI uses that violate human rights and democratic processes, and independent oversight mechanisms. Ratification is pending as of June 2026, but the Convention's requirements represent the direction of Swiss regulatory travel.
  • Swiss companies placing AI systems on the EU market or whose outputs affect persons in the EU must independently assess EU AI Act applicability. Existing bilateral agreements do not incorporate EU AI Act obligations automatically.

The Swiss regulatory architecture for AI

Switzerland's approach to AI governance as of 2026 reflects a deliberate federal policy choice documented in the Federal Council's December 2023 report on artificial intelligence. The Federal Council's interdepartmental working group on AI, established in 2023, reviewed whether Switzerland should enact a horizontal AI statute comparable to the EU AI Act and concluded that a sector-specific, risk-based approach was more appropriate for the Swiss regulatory tradition and legal structure. The working group recommended monitoring EU AI Act developments and assessing where Swiss adaptation might be necessary, particularly for companies operating in both jurisdictions.

This means that AI governance obligations in Switzerland derive not from a single statute but from four overlapping sources: the revised Federal Act on Data Protection (Datenschutzgesetz, DSG, or nFADP in its new form); sector-specific regulation, particularly from FINMA for financial services; the Council of Europe Framework Convention on Artificial Intelligence and Human Rights, Democracy and the Rule of Law (CETS No. 225); and general private law obligations in contract and tort that apply to harmful AI outputs.

The practical effect for operators is that compliance analysis must proceed instrument by instrument. The data protection analysis applies to any AI system that processes personal data in a consequential way. The financial services analysis applies to supervised institutions and their third-party technology suppliers. The Convention analysis applies as a forward-looking compliance horizon. And the EU dimension applies separately for any Swiss company with EU market exposure.

The revised Federal Act on Data Protection and automated decisions

The revised Federal Act on Data Protection (nFADP) entered into force on 1 September 2023 after an extended transition period. The revision brought Swiss data protection law substantially into alignment with the General Data Protection Regulation, including provisions that directly address automated decision-making.

Article 21 nFADP is the central provision for AI operators. It governs decisions made solely by automated means that produce legal effects concerning an individual or that significantly affect the individual in any other way. Where such a decision is made, the controller must notify the data subject that the decision was made by automated means. On request from the data subject, the controller must give the individual the opportunity to state their position regarding the automated decision. The controller must also allow the individual to request that a natural person reviews the decision. If the data subject exercises this right, the controller must carry out that review, and the review must be substantive rather than perfunctory.

Article 21 further requires the controller to explain the key parameters of the automated decision to the data subject upon request. This is an explainability obligation that applies specifically to consequential automated decisions and is not limited to the financial sector. Credit decisions, recruitment scoring, insurance underwriting, content moderation with suspension consequences, and algorithmic benefit assessments are all potential Article 21 use cases where operators must be prepared to explain model logic to affected individuals in terms they can understand.

The Federal Data Protection and Information Commissioner (EDÖB) is responsible for supervising compliance with the nFADP. The EDÖB can initiate investigations, issue recommendations, and refer matters to criminal prosecution. Articles 60 to 63 nFADP establish criminal sanctions for intentional violations, with fines reaching CHF 250,000. The sanctions apply to natural persons responsible for violations within an organisation rather than to the organisation itself, which distinguishes Swiss enforcement from the administrative fine model of the GDPR and the EU AI Act. The practical effect is that senior executives and data protection officers bear direct personal exposure for intentional non-compliance with Article 21 obligations.

Controllers operating automated decision systems in Switzerland should also ensure that their general data protection documentation covers AI-specific risks. Data protection impact assessments, required under Article 22 nFADP for processing operations that are likely to result in a high risk to the personality or fundamental rights of individuals, will frequently be triggered by consequential AI systems. A system that makes or substantially influences credit, employment, or insurance decisions using personal data almost certainly requires an assessment under Article 22 before deployment.

FINMA supervision of AI in financial services

Financial institutions supervised by FINMA face the most structured AI governance obligations of any sector in Switzerland. FINMA does not have a standalone AI regulation but supervises AI through its existing risk-based framework, with FINMA Circular 2023/1 on Operational Risks and Resilience as the primary instrument.

Circular 2023/1 entered into force on 1 January 2024 and applies to banks, insurance companies, securities firms, and other supervised entities above specified materiality thresholds. The circular sets requirements for governance and organisation of operational risk management, including requirements for the identification, assessment, monitoring, and mitigation of risks arising from the use of technology systems. AI and algorithmic systems used in consequential financial operations are squarely within scope: the circular requires institutions to understand their material technology risks, maintain audit trails for consequential system decisions, and ensure that governance arrangements are proportionate to the risk profile of each system.

FINMA's December 2023 position paper on artificial intelligence in financial services established its supervisory philosophy for AI more explicitly. The paper confirmed a risk-based approach: FINMA scales its supervisory attention to the autonomy, complexity, and consequence of AI systems used by supervised entities. Systems used in credit decisioning, algorithmic trading, client suitability assessments, fraud detection with consequential outputs, and claims processing receive closer attention than lower-stakes automation. FINMA expects supervised institutions to be able to explain the outputs of consequential AI models, to demonstrate that model performance is monitored on an ongoing basis, and to maintain documentation of the governance decisions made around each material AI system.

For credit scoring specifically, the combination of FINMA supervision and Article 21 nFADP creates overlapping obligations. A bank using an automated credit scoring model must comply with Article 21's notification and review rights for rejected applicants, and must also be able to demonstrate to FINMA that the model is governed within the framework required by Circular 2023/1. These obligations are complementary but distinct in their supervisory chains: EDÖB for data protection, FINMA for financial services prudential governance.

Third-party providers supplying AI systems to FINMA-supervised institutions should expect their institutional clients to impose contractual governance requirements that reflect FINMA's supervisory expectations. Due diligence questionnaires, audit rights, and explainability documentation requirements are increasingly standard in Swiss financial services procurement contracts for AI systems.

The Council of Europe Framework Convention on AI

The Council of Europe Framework Convention on Artificial Intelligence and Human Rights, Democracy and the Rule of Law (CETS No. 225) was adopted by the Committee of Ministers of the Council of Europe in May 2024 and opened for signature in September 2024. Switzerland signed in September 2024 as part of the initial group of signatories, which also included the European Union, the United States, the United Kingdom, and a number of Council of Europe member states.

The Convention is the first binding international treaty on artificial intelligence. Its scope covers AI systems that affect human rights, democracy, and the rule of law, applied throughout the full lifecycle from design to decommissioning. The Convention adopts a risk-based approach: parties must implement measures that are proportionate to the risks and potential harms presented by AI systems in scope.

The Convention's substantive obligations fall into several clusters. Transparency and oversight obligations require parties to ensure that individuals are informed when they interact with AI systems and that the basis for AI-assisted decisions is explainable. Risk management obligations require parties to implement lifecycle risk assessment and mitigation measures for AI systems that affect Convention-protected interests. Prohibition obligations require parties to prohibit or restrict AI uses that produce outcomes incompatible with human rights standards or that undermine the integrity of democratic processes, including disinformation systems designed to manipulate electoral processes. Independent oversight obligations require parties to establish or designate independent bodies with the mandate and capacity to monitor and enforce Convention obligations.

For Switzerland, the Convention represents a compliance horizon rather than a current binding obligation. Signature is a political commitment; ratification requires parliamentary approval, and ratification had not been deposited as of June 2026. The Convention enters into force for each party three months after ratification. Swiss operators should nonetheless treat its requirements as indicative of the direction of Swiss regulatory travel, given the Federal Council's stated policy of aligning Swiss AI governance with European norms.

Switzerland and the EU AI Act

The EU AI Act (Regulation 2024/1689) entered into application progressively from August 2024, with the first compliance deadlines applying in August 2025 for prohibited practices and the high-risk system obligations applying from August 2026 (subject to potential revision under the Digital Omnibus package). Switzerland is not an EU member state and is not bound by the Regulation. Existing bilateral agreements between Switzerland and the EU, including the sectoral agreements that cover much of the bilateral relationship, do not incorporate the EU AI Act.

However, the EU AI Act has extraterritorial scope that is directly relevant to Swiss companies. The Regulation applies to providers that place AI systems on the EU market, regardless of where they are established, and to deployers that use AI systems within the EU, regardless of establishment. A Swiss company that develops an AI system and sells or deploys it to customers in EU member states is, in respect of that activity, a provider subject to the EU AI Act's obligations as they apply to systems of the relevant risk category. The company's Swiss headquarters does not insulate it from those obligations with respect to its EU-facing activities.

The practical implication for Swiss companies with EU customers is that they must assess EU AI Act scope separately from their Swiss compliance obligations. A Swiss fintech that provides algorithmic credit scoring to EU-based banks is likely a provider of a high-risk AI system under Annex III of the EU AI Act, with the full technical documentation, conformity assessment, and registration obligations that this entails. A Swiss recruitment software company whose tools are used by EU employers faces equivalent analysis under the employment and worker management category of high-risk systems.

For a comprehensive analysis of those obligations, the EU AI Act operator obligations guide on agentliability.eu sets out the full framework. The relationship between EU AI Act obligations and data protection requirements, which Swiss companies will also need to navigate in their EU operations, is addressed in the resources section of this site.

Employment and recruitment

The State Secretariat for Economic Affairs (SECO) has responsibility for employment policy in Switzerland and has taken note of the growing use of AI in recruitment and workforce management. No dedicated SECO regulation on algorithmic recruitment exists as of June 2026, but the intersection of Article 21 nFADP and general employment law creates obligations that operators in this space must address.

An automated system that screens job applications, scores candidates, or makes shortlisting decisions using personal data is subject to Article 21 nFADP if its decisions significantly affect the individuals assessed. Recruitment processes that result in a candidate being excluded from consideration on the basis of an automated score, without any human review of that exclusion, are vulnerable to challenge under Article 21 if the candidate requests review and is refused. Swiss employers using algorithmic screening tools, and software providers whose tools are used in Swiss recruitment, should ensure their processes include a documented human review mechanism for candidates who exercise their Article 21 rights.

The federal government's own use of AI systems in administrative decision-making is subject to a separate governance framework through Syna, the Swiss AI Network for the Administration, which establishes internal governance standards for AI use across federal departments. Syna standards are not directly applicable to private sector operators but represent the federal government's articulation of responsible AI governance and are referenced by EDÖB in its supervisory approach.

What operators should do now

Given the multi-instrument structure of Swiss AI governance, a practical compliance programme for 2026 should address four areas in sequence.

First, inventory AI systems against the Article 21 nFADP threshold. For each AI system that makes or substantially determines a decision affecting individuals using their personal data, determine whether the decision produces legal effects or significant effects on those individuals. If so, implement the notification, explanation, and human review mechanisms required by Article 21 and document them in your records of processing activities. Ensure that data protection impact assessments under Article 22 nFADP have been completed for high-risk processing operations involving AI.

Second, if you operate in financial services under FINMA supervision, review your AI and algorithmic systems against the model risk governance requirements in FINMA Circular 2023/1 and the supervisory expectations in the December 2023 AI position paper. Document the governance arrangements for each material AI system, including the responsible function, the monitoring cadence, the performance metrics, and the escalation path for model failure or drift. Ensure that systems used in credit, trading, or client assessment decisions have explainability documentation sufficient to support a FINMA supervisory inquiry.

Third, treat the Council of Europe Convention obligations as a forward-looking compliance standard. Review your AI systems against the Convention's transparency, risk management, and prohibition requirements. Systems that produce outputs affecting human rights or democratic processes warrant specific attention. This review costs relatively little if conducted as a documentation exercise and positions the organisation for ratification without remediation work under time pressure.

Fourth, if your AI systems are placed on the EU market or affect EU persons, conduct a separate EU AI Act scoping exercise. Determine whether your systems fall within the prohibited practices list, the high-risk categories of Annex III, or the general-purpose AI provisions. The EU analysis is jurisdictionally distinct from the Swiss analysis and must be conducted on its own terms. See the frameworks overview for a structured mapping of EU AI Act obligations by system category.

The penalty landscape

Switzerland does not have a dedicated AI penalty regime, and the absence of an AI-specific fine structure is one of the distinguishing features of the Swiss framework compared to the EU AI Act, which provides for fines of up to EUR 35 million or 7 per cent of global annual turnover for the most serious violations.

The operative penalty channels in Switzerland are the nFADP and FINMA's supervisory toolkit. Under Articles 60 to 63 nFADP, intentional violations of the Act's provisions, including Article 21 automated decision obligations, carry criminal fines of up to CHF 250,000. Importantly, these are personal criminal sanctions on the natural persons responsible within an organisation: the data protection officer, senior manager, or other individual whose intentional act constituted the violation. The organisation itself is not subject to direct administrative fines under the nFADP model, though civil liability claims from affected individuals remain possible under general tort and contract law.

FINMA's supervisory powers are more extensive for supervised financial institutions. FINMA can issue remediation orders, impose conditions on authorisation, temporarily or permanently withdraw an authorisation, and impose fines on individuals in leadership positions for serious supervisory violations. FINMA can also publish enforcement decisions, which in the Swiss financial market context is a significant reputational sanction. For AI systems that cause material operational failures or that are deployed without adequate governance, FINMA's enforcement response can include both individual accountability measures and institutional remediation requirements.

For AI liability in European markets more broadly, including the insurance and contractual indemnity dimensions that Swiss companies with EU operations must address, the agentliability.eu EU regulatory desk provides analysis of how the EU AI Act's liability provisions interact with national product liability law and the proposed AI Liability Directive.

Frequently asked questions

Does the EU AI Act apply to Swiss companies?

Switzerland is not bound by EU Regulation 2024/1689 as a matter of Swiss law. However, the EU AI Act has extraterritorial scope: it applies to providers placing AI systems on the EU market and to deployers using AI systems whose outputs affect persons in the EU, regardless of where the company is established. Swiss companies that export AI products or services to EU customers, or whose AI system outputs affect EU persons, must assess EU AI Act applicability independently. Existing Swiss-EU bilateral agreements do not incorporate EU AI Act obligations automatically.

What does FADP Article 21 require for automated decisions?

Article 21 of the nFADP applies where a controller makes a decision based solely on automated processing that produces legal effects or significantly affects an individual. The controller must notify the individual that the decision was automated. On request, the controller must allow the individual to state their position and to request human review of the decision. The controller must also explain the key parameters of the automated decision on request. These obligations apply to any sector, not just financial services.

What does FINMA require of AI systems in financial services?

FINMA supervises AI through FINMA Circular 2023/1 on Operational Risks and Resilience, which requires supervised institutions to govern material technology risks proportionate to their consequence and complexity. FINMA's December 2023 AI position paper confirmed a risk-based approach: institutions must be able to explain consequential AI outputs, demonstrate ongoing performance monitoring, and maintain governance documentation for material AI systems. Supervised institutions should also ensure that third-party AI suppliers can support these requirements contractually.

Has Switzerland ratified the Council of Europe AI Convention?

Switzerland signed CETS No. 225 in September 2024, indicating political commitment. Ratification, which requires parliamentary approval and deposit of an instrument of ratification, had not been completed as of June 2026. The Convention enters into force for each party three months after ratification. Swiss operators should treat the Convention's requirements as a compliance horizon consistent with the direction of Swiss regulatory alignment with European norms.

Is there a penalty regime specific to AI in Switzerland?

No dedicated AI penalty regime exists in Switzerland as of June 2026. Penalties for AI-related data protection violations flow from Articles 60 to 63 nFADP, which provide criminal fines of up to CHF 250,000 for intentional violations by responsible natural persons. FINMA can impose supervisory measures including withdrawal of authorisation, remediation orders, individual fines, and public disclosure against supervised financial institutions. No AI-specific administrative fine structure exists equivalent to the EU AI Act's penalty regime.

References

  1. Federal Act on Data Protection (Datenschutzgesetz, DSG / nFADP), SR 235.1, in force 1 September 2023, Article 21 (automated individual decisions) and Article 22 (data protection impact assessment).
  2. Federal Data Protection and Information Commissioner (EDÖB), Guide to the revised Federal Act on Data Protection, 2023.
  3. FINMA Circular 2023/1, Operational Risks and Resilience, in force 1 January 2024.
  4. FINMA, Position Paper on Artificial Intelligence in Financial Services, December 2023.
  5. Swiss Federal Council, Report on Artificial Intelligence, December 2023 (report of the interdepartmental working group on artificial intelligence).
  6. Council of Europe, Framework Convention on Artificial Intelligence and Human Rights, Democracy and the Rule of Law (CETS No. 225), adopted 17 May 2024, opened for signature 5 September 2024.
  7. EU Regulation 2024/1689 of the European Parliament and of the Council (EU AI Act), OJ L 2024/1689, 12 July 2024.
  8. Swiss Federal Chancellery, Syna: Swiss Artificial Intelligence Network for the Administration, governance framework, 2023.
  9. State Secretariat for Economic Affairs (SECO), AI and Employment Policy Monitoring Report, 2024.
  10. OECD Principles on AI, updated 2024 revision, OECD Legal Instruments OECD/LEGAL/0449.
  11. Council of Europe, Explanatory Report to CETS No. 225, September 2024.