Service
Cyber & digital-resilience counsel (NIS2 / DORA / CRA).
NIS2, DORA and the EU Cyber Resilience Act impose overlapping cyber and operational-resilience duties on regulated entities, their ICT providers, and manufacturers of products with digital elements. The firm advises on which regimes apply to the client, builds the governance and incident-reporting frameworks they require, and addresses the contractual and Swiss ISG touchpoints. The work is delivered as per-regime assessment modules plus an ongoing advisory retainer.
Who this is for
- EU-regulated entities and their ICT providers caught by NIS2 or DORA.
- Manufacturers of products with digital elements under the Cyber Resilience Act.
- Swiss entities with information-security obligations under the ISG.
What's included
- Applicability and scoping: determining whether the client is an essential or important entity or an in-scope supplier under NIS2, a financial entity or ICT third-party provider under DORA, or a manufacturer of products with digital elements under the CRA, and in which capacity.
- Governance and risk-management frameworks: the technical, operational and organisational risk-management measures NIS2 requires of essential and important entities (Art. 21 NIS2), translated into governance documents, policies and accountability lines.
- Incident-reporting frameworks: the notification duties for significant incidents (Art. 23 NIS2) and the corresponding DORA incident regime, built into playbooks that legal, security and management can execute under deadline pressure.
- ICT third-party contracting under DORA: financial entities must manage ICT third-party risk (Art. 28 DORA) and carry defined key contractual provisions in their ICT contracts (Art. 30 DORA); the firm negotiates those terms on either side of the table.
- Product cybersecurity under the CRA: the manufacturer's obligation to design, develop and produce products with digital elements in accordance with the essential cybersecurity requirements (Art. 13 and Annex I CRA), and the supporting documentation and vulnerability-handling processes.
- Swiss ISG touchpoints: Swiss information-security obligations, including under the ISG, mapped alongside the EU regimes; specific provisions are confirmed at engagement. The work is delivered as per-regime assessment modules plus an ongoing advisory retainer.
How it works
- Applicability. The firm determines which of NIS2, DORA and the CRA apply, and in which capacity.
- Gap assessment. The firm compares current governance and controls against each applicable regime.
- Frameworks. The firm builds the governance, incident-reporting and third-party-management frameworks.
- Contracts. The firm aligns ICT third-party and supplier contracts with the requirements.
- Ongoing advisory. The firm supports incident handling and change management on a retainer.
Indicative pricing
Fixed-fee modules + subscription
from CHF 5,000 / month
Per-regime assessment CHF 9,000 to 18,000.
Indicative starting prices, net and exclusive of Swiss MWST (VAT) where applicable; final fee per written engagement letter.
Frequently asked questions
- Financial-sector customers are asking for DORA compliance: can the firm help?
- Yes; this is a core part of the service. DORA, the EU Digital Operational Resilience Act, binds financial entities such as banks, insurers and investment firms, and it reaches their ICT third-party providers through requirements those customers must push down by contract: security and resilience terms, audit and access rights, incident-reporting, sub-contracting controls and exit arrangements. For an ICT or SaaS provider serving financial entities, the firm assesses what DORA requires of the provider in that role, negotiates the contractual terms its customers present, and builds the supporting governance, so the provider can meet what its financial customers are obliged to demand.
- Do NIS2 and the Cyber Resilience Act apply to a Swiss company?
- They can apply extraterritorially or through the supply chain: a Swiss entity may be in scope as part of an EU essential or important entity's supply chain (NIS2), or as a manufacturer placing products with digital elements on the EU market (CRA). Scoping is the first step; specific thresholds are confirmed at engagement.
- How do these regimes relate, and where does Swiss law fit?
- They target different things: NIS2 sets baseline cybersecurity and incident-reporting duties for essential and important entities; DORA is the financial-sector operational-resilience regime that reaches ICT providers by contract; the CRA governs the cybersecurity of products with digital elements. Swiss information-security obligations (including under the ISG) sit alongside all three. The firm maps them together so a cross-border business has one coherent framework.
- Does the firm implement the technical security measures?
- No. The firm provides the legal layer: which regimes apply and in which capacity, the governance and incident-reporting frameworks they require (for example the risk-management measures under Art. 21 NIS2 and the reporting duties under Art. 23 NIS2), the contractual terms under Art. 30 DORA, and the legal side of incident response. The technical implementation, from network controls to vulnerability handling, sits with the client's security function or its providers, and the firm works alongside them so the documentation and the controls tell the same story.