Blogs | 6clicks

The Swiss GRC calendar for 2026: Every deadline and duty in one place

Written by Elaine Suezo | Jul 07, 2026

 

 


TL;DR

 

Between the revFADP, the NCSC reporting duty, FINMA's resilience transition dates, and Switzerland's emerging AI rules, Swiss compliance leaders are tracking a lot at once. This is your orientation piece: what's already in force, what's landing in 2026, and how to prioritise — so nothing important slips.

The state of Swiss GRC going into 2026

Several obligations are already live. The Revised Federal Act on Data Protection (revFADP) has applied since September 2023 under FDPIC enforcement, mandating new obligations for service providers and federal agencies processing personal data.

 

FINMA Circular 2023/1, which establishes rules for risk management and operational resilience measures for banks and financial institutions, has been in force since January 2024, with its transition periods closing around the start of 2026.

 

The NCSC/BACS 24-hour reporting duty for critical infrastructure took effect on April 1, 2026, requiring the submission of an initial report for material incidents in sectors like energy, water, and transport within the allotted timeframe.

 

And finally, Switzerland's sector-specific AI approach—anchored in implementing the Council of Europe AI Convention into Swiss law—is expected to result in consultation-ready proposals by the end of 2026. 

How to prioritise when everything feels urgent

The trap is treating these as four unrelated projects. They overlap far more than they appear: incident-reporting readiness serves both FINMA and the NCSC; a strong ISMS underpins revFADP, FINMA, and NCSC obligations alike; and vendor risk cuts across all of them. Prioritise by what's both imminent and foundational — resilience evidence and incident-reporting readiness first, given the 2026 FINMA transition and the live NCSC clock, then data governance proof, then AI governance as its rules crystallise.

One platform behind the whole calendar

This is the argument for a unified GRC program rather than a stack of point solutions. 6clicks lets Swiss organisations manage the revFADP, FINMA resilience, NCSC reporting, and AI governance from a single control library, reusing evidence across obligations and giving leadership one real-time view of where they stand. Its Sovereign GRC Infrastructure keeps all of it resident in Switzerland — across cloud, on-premises, and restricted environments — which for Swiss firms is often the deciding factor. Whether you serve government, critical infrastructure, or finance, the goal is the same: retrieve your compliance posture; don't reconstruct it.

 

Get one clear view of your 2026 obligations and a plan to meet them — book a strategy call with 6clicks.

Frequently asked questions