Skip to content
All Blogs

The Swiss GRC calendar for 2026: Every deadline and duty in one place

Published
The Swiss GRC calendar for 2026: every deadline and duty in one place
The Swiss GRC calendar for 2026: Every deadline and duty in one place
2:52

 

 


TL;DR

 

Between the revFADP, the NCSC reporting duty, FINMA's resilience transition dates, and Switzerland's emerging AI rules, Swiss compliance leaders are tracking a lot at once. This is your orientation piece: what's already in force, what's landing in 2026, and how to prioritise — so nothing important slips.

The state of Swiss GRC going into 2026

Several obligations are already live. The Revised Federal Act on Data Protection (revFADP) has applied since September 2023 under FDPIC enforcement, mandating new obligations for service providers and federal agencies processing personal data.

 

FINMA Circular 2023/1, which establishes rules for risk management and operational resilience measures for banks and financial institutions, has been in force since January 2024, with its transition periods closing around the start of 2026.

 

The NCSC/BACS 24-hour reporting duty for critical infrastructure took effect on April 1, 2026, requiring the submission of an initial report for material incidents in sectors like energy, water, and transport within the allotted timeframe.

 

And finally, Switzerland's sector-specific AI approach—anchored in implementing the Council of Europe AI Convention into Swiss law—is expected to result in consultation-ready proposals by the end of 2026. 

How to prioritise when everything feels urgent

The trap is treating these as four unrelated projects. They overlap far more than they appear: incident-reporting readiness serves both FINMA and the NCSC; a strong ISMS underpins revFADP, FINMA, and NCSC obligations alike; and vendor risk cuts across all of them. Prioritise by what's both imminent and foundational — resilience evidence and incident-reporting readiness first, given the 2026 FINMA transition and the live NCSC clock, then data governance proof, then AI governance as its rules crystallise.

One platform behind the whole calendar

This is the argument for a unified GRC program rather than a stack of point solutions. 6clicks lets Swiss organisations manage the revFADP, FINMA resilience, NCSC reporting, and AI governance from a single control library, reusing evidence across obligations and giving leadership one real-time view of where they stand. Its Sovereign GRC Infrastructure keeps all of it resident in Switzerland — across cloud, on-premises, and restricted environments — which for Swiss firms is often the deciding factor. Whether you serve government, critical infrastructure, or finance, the goal is the same: retrieve your compliance posture; don't reconstruct it.

 

Get one clear view of your 2026 obligations and a plan to meet them — book a strategy call with 6clicks.

Frequently asked questions

Data protection proof under revFADP must already be in place, given its enforcement since 2023. For financial institutions, FINMA resilience requirements and incident-reporting readiness against the NCSC should be secured next. AI governance follows closely.

Heavily. A shared control foundation and one incident-reporting process can satisfy multiple duties, which is why an integrated approach beats siloed projects.

The official sources: fedlex.admin.ch and edoeb.admin.ch (revFADP), finma.ch (FINMA), ncsc.admin.ch (NCSC), and admin.ch (AI and Federal Council decisions). 

Ready to transform GRC with 6clicks?

Let’s show you how it works for your team.

awards-mobile-v3