Legislative update – the new Cybersecurity Ordinance and anti-money laundering framework

Cybersecurity Ordinance consultation

In September 2023, the Federal Assembly adopted the revised Information Security Act (ISA), introducing a reporting obligation for authorities and organisations regarding cyberattacks on critical infrastructure. The ISA also established the National Cyber Security Centre (NCSC) as the reporting body.

The Federal Council has now sent the Cybersecurity Ordinance to the consultation process.

This Ordinance further clarifies the ISA, fleshing out the reporting obligation and specifying:

• the types of cyberattacks that necessitate reporting;
• the required contents of the report; and
• deadlines for reporting.

The ISA exempts authorities and companies if disruptions caused by cyberattacks have only a minor impact on the functioning of the economy or the well-being of the population. Crucially, the Ordinance defines the scope of this exemption as follows:

• In some sectors (e.g., energy and transport), the Ordinance defines thresholds, so that only authorities and organisations that rise above such thresholds are required to report.
• An exemption applies to companies with 50 or fewer employees, an annual turnover or annual balance sheet total of less than CHF 10 million, and authorities responsible for fewer than 1,000 inhabitants.

The new legislative framework aims to boost Switzerland’s cybersecurity and will now enter a process of debate during the consultation process (until 13 September 2024).

These legislative developments are fundamental to the regulation of cybersecurity in Switzerland and should be carefully monitored. Sanctions for non-reporting are significant: any entity that wilfully fails to report a cyberattack within the deadline set by the NCSC is liable to penalties under Art. 74h ISA – with a fine of up to CHF 100,000 for failure to comply with the order.

Anti-money laundering framework strengthened

The Federal Council submitted draft legislation to strengthen Switzerland’s existing anti-money laundering framework for consultation in August 2023. The consultation process has now concluded and, while the draft legislation was largely well received, those professions affected by the new rules also voiced some concerns.

The revised draft legislation sets out to reinforce Switzerland’s integrity as a leading financial centre, with the following changes:

• Federal UBO (ultimate beneficial owner) register:

Under the current legal framework, companies must keep a non-public register of beneficial owners.

The new Federal Act on the Transparency of Legal Entities and the Identification of Beneficial Owners introduces a non-public and centralised federal register, in which legal entities must enter information on their beneficial owners. This non-public register should allow specified public authorities (including criminal authorities, such as Prosecution Offices) to identify the person behind a legal structure more quickly and with more certainty. This is in line with developments in the EU, where the ECJ determined that general public accessibility of UBO registers violates rights guaranteed in the EU Charter of Fundamental Rights.

• Additional due diligence obligations:

Advisory activities with a high risk of money laundering are subject to new anti-money laundering due diligence rules, which take into consideration the duties of professional secrecy. The due diligence rules apply to legal advice in areas carrying an elevated risk of money laundering, such as consultancy relating to the structuring of companies, corporate transactions, or advice on real estate transactions. It should be noted that self-regulatory organisations (SROs) are the ones tasked with the supervision of the implementation of the duties, not regional bar associations (as envisaged prior to the consultation phase).

• Further measures:

Additional measures, including those preventing the circumvention or breach of sanctions under embargo legislation, are also introduced. For instance, financial intermediaries must analyse any risks that arise from their activities in relation to sanctions, and take corresponding organisational measures to prevent violations of the embargo legislation.

On 22 May 2024, the Federal Council sent its dispatch to the Federal Assembly, which is expected to debate the proposal in the next parliamentary session.

The possible impact of the revised anti-money laundering framework is not to be underestimated: the introduction of a UBO register marks a fundamental change in Swiss law and the new due diligence obligations will require additional efforts and expertise from law firms and financial intermediaries.

The legislation is unlikely to enter into force before 2026 – keep an eye on this space for any updates.