Switzerland is not an EU member state and sits outside the EEA. Its government has looked directly at the EU AI Act's risk-tiered model and chosen a different path: adapt existing sectoral law rather than legislate horizontally. Operators deploying AI agents into the Swiss market, or running Swiss-based operations that also touch the EU, need to understand what actually binds them today and what is likely to bind them once Switzerland's Council of Europe commitments are implemented.
Key takeaways
- Switzerland has no dedicated, horizontal AI statute in 2026. The Federal Council decided in November 2024, following an OFCOM/BAKOM mandated report, not to pursue an EU-AI-Act-style law and instead ordered a sector-by-sector review of existing legislation.
- The revised Federal Act on Data Protection (revFADP, in force since 1 September 2023) already contains an automated decision-making right at Article 21, enforced by the FDPIC, with fines up to CHF 250,000 against responsible individuals rather than turnover-based penalties.
- FINMA treats AI risk as part of its existing operational risk and outsourcing supervisory framework for banks and insurers rather than through a standalone AI regime.
- Switzerland's pending accession to the Council of Europe Framework Convention on AI (2024) is the most likely source of new binding obligations, with domestic implementation work expected through 2026 and 2027.
- Because Switzerland is outside the EU and EEA, the EU AI Act does not apply directly to Swiss-only deployments, but it does apply extraterritorially to any operator placing AI systems on the EU market from a Swiss base, and Swiss commentators describe the domestic approach as "same risks, same rules" in explicit contrast to the EU's model.
The regulatory landscape: the November 2024 Federal Council decision
In 2023 the Federal Office of Communications (OFCOM, known domestically as BAKOM) was mandated to analyse regulatory options for artificial intelligence in Switzerland. The resulting report was presented to the Federal Council, Switzerland's collective executive body, in November 2024.[1] The central question the report addressed was whether Switzerland should follow the EU's path and adopt a horizontal, cross-sectoral AI statute comparable to the EU AI Act (Regulation 2024/1689), or whether it should rely on its existing body of sectoral law and adapt it where AI exposes genuine gaps.
The Federal Council chose the second path. Rather than legislating a single AI act, it directed the relevant federal offices to examine Switzerland's existing laws, covering data protection, product safety, financial market supervision, medical devices, and road traffic, and to assess whether each already addresses the risks that AI systems introduce within that sector. Where a gap is identified, the instruction is to adapt the existing sectoral law rather than create a parallel AI-specific regime. This is the origin of what Swiss legal commentators now describe as a "same risks, same rules" approach: a technology-neutral, sector-by-sector method that treats an AI-driven credit decision, for example, as a credit decision first and an AI question second.
This is a materially different starting point from the EU AI Act's model, which classifies AI systems by risk tier regardless of sector and imposes a single harmonised set of provider and deployer obligations across the internal market. Operators used to the EU's horizontal logic should not expect to find a Swiss equivalent of Annex III, a Swiss AI Office, or a Swiss conformity marking scheme. The obligations that do bind AI deployments in Switzerland are found inside laws that were not written with AI specifically in mind, and the depth of each sector's coverage varies considerably.
revFADP Article 21: automated decision-making and FDPIC enforcement
The most directly relevant binding provision for AI operators predates the November 2024 decision entirely. Switzerland's revised Federal Act on Data Protection (revFADP, referred to domestically as the nDSG) entered into force on 1 September 2023, well ahead of any AI-specific policy debate.[2] Article 21 of the revFADP addresses automated individual decision-making. In certain cases it requires that a data subject be informed of a decision that is reached solely through automated processing and produces a legal effect or significantly affects them, and that the data subject be given the right to have the decision reviewed by a human being.
This structure is conceptually similar to GDPR Article 22 and to the deployer transparency logic embedded in EU AI Act Article 26, but it is narrower in two respects. First, it is triggered by the specific fact pattern of a fully automated decision with legal or similarly significant effect, not by a system's risk classification. Second, it is a data protection right sitting inside a data protection statute, so it governs the informational and review rights of the affected person rather than imposing upstream obligations on system design, testing, or documentation of the kind the EU AI Act requires of providers and deployers of high-risk systems.
The Federal Data Protection and Information Commissioner (FDPIC) is the enforcement authority for the revFADP.[3] Its powers include investigation of complaints, orders to bring processing into compliance, and administrative fines for the most serious violations, which reach CHF 250,000. A structurally important detail for operators is that the fine is imposed on the responsible individual, not calculated as a percentage of the company's global turnover. This is a fundamentally different enforcement architecture from the EU AI Act, where penalties can reach 7 percent of global annual turnover or EUR 35 million, whichever is higher, levied against the undertaking. The Swiss ceiling is fixed, individual, and an order of magnitude smaller in absolute terms for any operator of meaningful size.
For AI agents specifically, Article 21 exposure arises wherever a system reaches a fully automated conclusion about a Swiss data subject that has legal or similarly significant consequences: an automated credit decision, an eligibility determination, or a content moderation outcome with material effect on the individual. Operators should map which agentic workflows terminate in such a decision without a human step, and confirm that the required notice and human review right are actually available in practice, not merely stated in a privacy policy.
FINMA: AI risk inside the existing supervisory framework
Switzerland's financial sector regulator, the Swiss Financial Market Supervisory Authority (FINMA), has taken the same sectoral-adaptation approach that the Federal Council endorsed at the national level. FINMA has published guidance treating AI-related risks, including model risk, governance, explainability, and third-party AI vendor risk, as falling within its existing technology and operational risk supervisory framework for banks, insurers, and other regulated institutions, rather than creating a standalone AI supervisory regime.[4] Its approach draws directly on existing circulars addressing operational risk and outsourcing.
The practical consequence for an AI operator selling into the Swiss financial sector is that there is no separate FINMA AI licence or AI-specific conformity process to navigate. Instead, a Swiss bank or insurer deploying an AI agent, whether built in-house or procured from a vendor, must fit that deployment inside its existing model risk management and outsourcing governance obligations. Vendors supplying AI systems to FINMA-regulated entities will find that their contractual obligations, model documentation requirements, validation evidence, and incident reporting expectations flow downward from the regulated entity's own FINMA obligations, in much the same way that EU AI Act Article 25 pushes value-chain responsibilities down a supply chain. The absence of a dedicated AI circular does not mean the absence of AI governance expectations; it means those expectations are already embedded in supervisory frameworks that predate the current generation of AI systems and are being applied to them by extension.
The Council of Europe Framework Convention on AI: Switzerland's pending accession
The clearest signal of where binding Swiss AI obligations are heading is not domestic legislation but an international treaty. The Council of Europe Framework Convention on Artificial Intelligence and Human Rights, Democracy and the Rule of Law, opened for signature in 2024, is notable for being open to non-Council-of-Europe-member states; the United States, Canada, Japan, and other non-European states were involved in its negotiation alongside Council of Europe members.[5] The Federal Council's November 2024 decision confirmed Switzerland's intention to sign the Convention, and Switzerland is among its signatories.
The Convention's substantive content centres on a risk-based approach, transparency obligations, accountability mechanisms, and human rights impact assessment requirements for AI systems with significant effect. Signature alone does not create binding domestic obligations; ratification requires domestic implementation work to bring Swiss law into alignment with the Convention's principles, a process expected to unfold through 2026 and 2027. This is the mechanism by which Switzerland's currently light AI-specific footprint is expected to gradually thicken: not through a single omnibus statute of the kind the EU adopted, but through incremental adjustments to existing sectoral law as each area is brought into conformity with the Convention's principles.
Operators with a multi-year Swiss market horizon should treat Convention implementation, not a hypothetical future Swiss AI Act, as the regulatory development to track. The direction of travel is toward human rights impact assessment for significant AI systems and stronger transparency and accountability expectations, applied through the same sector-by-sector method the Federal Council has already committed to, rather than a horizontal EU-style instrument.
Comparison with the EU AI Act
Switzerland's posture is best understood as a deliberate rejection of the EU AI Act's specific architecture, not a rejection of AI governance as a subject. There is no Swiss Annex III style high-risk classification list, no general mandatory conformity assessment obligation for AI systems as such, and no EU AI Act style penalty regime calculated as a percentage of global turnover. The revFADP's Article 21 automated decision-making right is the closest functional analogue to EU AI Act Article 26 deployer obligations, but it is narrower in trigger conditions and privacy-focused rather than AI-safety-focused in orientation.
Territorial scope is the point operators most often get wrong. Because Switzerland is not an EU member state and not part of the EEA, the EU AI Act does not apply directly to a deployment that is Swiss-only: a Swiss company using an AI agent purely for its Swiss operations, on Swiss data subjects, with no EU-facing activity, is not brought within the Act's scope simply because it exists next door. However, the EU AI Act's extraterritorial reach under Article 2 means that any operator, wherever based, that places an AI system on the EU market or whose output is used in the EU, remains fully subject to the Act for that EU-facing activity. A Swiss-headquartered provider selling an AI agent into Germany or France cannot rely on its Swiss domicile to avoid EU AI Act obligations for that portion of its business. The two regimes run in parallel for any operator with cross-border reach: Swiss sectoral law and the revFADP for the Swiss book of business, the EU AI Act in full for the EU-facing book, with no netting between them.
Beyond the binding comparison, Switzerland participates in the same standards infrastructure the EU AI Act references. Swiss standardisation bodies, principally the Swiss Association for Standardization (SNV), take part in ISO/IEC JTC 1/SC 42 AI standards work, including ISO/IEC 42001, and Switzerland is an OECD member country engaged in the OECD AI Principles process, revised in 2024.[6] An operator building an AI governance programme around ISO/IEC 42001 or the OECD principles will find that programme travels reasonably well across both the Swiss and EU contexts, even though the binding legal requirements diverge sharply.
What operators should do
The minimum compliance programme for an AI operator active in Switzerland has five elements.
First, map every AI-driven workflow that reaches a fully automated decision about a Swiss data subject with legal or similarly significant effect, and confirm the revFADP Article 21 notice and human review right are genuinely available, not just documented in policy. This is the one binding, immediately enforceable AI-relevant obligation that applies regardless of sector.
Second, if operating in or selling into Switzerland's financial sector, treat FINMA's existing operational risk and outsourcing expectations as your governing framework for AI. There is no separate FINMA AI approval process to seek; there is an existing supervisory relationship into which AI-specific model risk, explainability, and vendor governance evidence must fit.
Third, separate your Swiss-only activity from your EU-facing activity with precision. Do not assume Swiss domicile shields any part of the business that places AI systems on the EU market or whose outputs are used within the EU. Where both apply, run both compliance tracks in full rather than attempting to satisfy the stricter regime as a proxy for the other; the obligations are structurally different, not merely different in degree.
Fourth, track the domestic implementation of the Council of Europe Framework Convention on AI through 2026 and 2027 as the primary source of new binding Swiss obligations, rather than watching for a hypothetical horizontal Swiss AI act. Human rights impact assessment requirements for significant AI systems are the most likely near-term addition.
Fifth, where an existing EU AI Act or ISO/IEC 42001 governance programme is already in place, use it as the backbone for Swiss compliance rather than building a parallel Swiss-specific programme from scratch. The documentation, model validation, and human oversight practices that satisfy EU or ISO expectations will generally exceed what Swiss sectoral law currently requires, leaving the operator with headroom rather than a gap.
For a comparison of how a non-EU jurisdiction with an active, if less prescriptive, approach handles AI-adjacent obligations, see the South Africa AI regulation guide. For the EU deployer obligations that remain the highest-stringency benchmark against which any non-EU regime is measured, see the Article 26 deployer obligations guide on agentliability.eu. Operators assembling documentation evidence for cross-border AI governance programmes may also find agentcertified.eu useful as a reference point for certification-style AI governance frameworks.
Frequently asked questions
Does Switzerland have a dedicated AI law in 2026?
No. In November 2024 the Federal Council decided not to pursue a horizontal, EU-AI-Act-style statute in the near term. Instead it directed federal offices to examine whether existing sectoral laws, covering data protection, product safety, financial services, medical devices and road traffic, are sufficient to address AI-specific risks, adapting them sector by sector where gaps are found. Switzerland's binding AI-relevant obligations in 2026 therefore sit inside existing laws rather than a single AI statute.
What is Article 21 of the revised Federal Act on Data Protection and how does it apply to AI?
The revised Federal Act on Data Protection (revFADP, or nDSG), in force since 1 September 2023, contains an automated individual decision-making provision at Article 21. In certain cases it requires that a data subject be informed of a decision reached solely through automated processing and be given the right to have a human review it. The structure is conceptually similar to GDPR Article 22 and EU AI Act Article 26, but narrower in scope and focused on data protection rather than AI safety generally.
What penalties can the FDPIC impose for AI-related data protection violations in Switzerland?
The Federal Data Protection and Information Commissioner (FDPIC) enforces the revFADP. Fines for the most serious violations reach CHF 250,000, and the fine is imposed on the responsible individual rather than calculated as a percentage of company turnover. This is a materially different enforcement model from the EU AI Act, which can impose fines of up to 7 percent of global annual turnover or EUR 35 million on the undertaking itself.
How does FINMA regulate AI use by Swiss banks and insurers?
FINMA has not created a standalone AI supervisory regime. It treats AI-related risks, including model risk, governance, explainability and third-party AI vendor risk, as falling within its existing technology and operational risk supervisory framework for banks, insurers and other regulated financial institutions. Its approach draws on existing circulars covering operational risk and outsourcing, meaning AI vendors to Swiss financial institutions inherit governance obligations contractually rather than through direct FINMA oversight.
How does Switzerland's approach compare to the EU AI Act, and could that change?
Switzerland rejected a horizontal, risk-tiered statute. There is no Swiss Annex III style high-risk classification, no general mandatory conformity assessment for AI systems, and no EU AI Act style turnover-based penalty regime. Because Switzerland is not an EU or EEA member, the EU AI Act does not apply directly to Swiss-only deployments, though it does apply extraterritorially to any operator placing AI systems on the EU market from a Swiss base. The clearest source of future binding obligations is Switzerland's pending accession to the Council of Europe Framework Convention on AI, with domestic implementation work expected through 2026 and 2027.
References
- Federal Council (Switzerland). Report on the need for regulation in the field of artificial intelligence, prepared on the basis of a mandate to the Federal Office of Communications (OFCOM/BAKOM), published November 2024. Available at bakom.admin.ch.
- Federal Act on Data Protection (revised), revFADP/nDSG. Entered into force 1 September 2023. Article 21 (individual automated decision-making). Available at fedlex.admin.ch.
- Federal Data Protection and Information Commissioner (FDPIC). Enforcement powers and administrative sanctions under the revFADP, including fines of up to CHF 250,000 against responsible individuals for the most serious violations. Available at edoeb.admin.ch.
- Swiss Financial Market Supervisory Authority (FINMA). Guidance on AI-related risks addressed within existing circulars on operational risk and outsourcing for banks, insurers and other supervised institutions. Available at finma.ch.
- Council of Europe. Framework Convention on Artificial Intelligence and Human Rights, Democracy and the Rule of Law, opened for signature 2024, open to non-Council-of-Europe member states. Available at coe.int.
- OECD. OECD AI Principles, revised 2024. Switzerland participates as an OECD member country. Swiss Association for Standardization (SNV) participation in ISO/IEC JTC 1/SC 42, including ISO/IEC 42001. Available at oecd.ai and snv.ch.