Cyber & digital-resilience counsel (NIS2 / DORA / CRA).
NIS2, DORA and the EU Cyber Resilience Act impose overlapping cyber and operational-resilience duties on regulated entities, their ICT providers, and manufacturers of products with digital elements. The firm advises on which regimes apply to the client, builds the governance and incident-reporting frameworks they require, and addresses the contractual and Swiss ISG touchpoints, delivered as per-regime assessment modules plus an ongoing advisory retainer.
Who this is for
- EU-regulated entities and their ICT providers caught by NIS2 or DORA.
- Manufacturers of products with digital elements under the Cyber Resilience Act.
- Swiss entities with information-security obligations under the ISG.
What's included
Applicability and scoping assessments, governance and incident-reporting frameworks, ICT third-party and contractual requirements under DORA, product-cybersecurity obligations under the Cyber Resilience Act, and Swiss ISG touchpoints. Per-regime assessment modules; ongoing advisory as a retainer.
How it works
- Applicability. The firm determines which of NIS2, DORA and the CRA apply, and in which capacity.
- Gap assessment. The firm compares current governance and controls against each applicable regime.
- Frameworks. The firm builds the governance, incident-reporting and third-party-management frameworks.
- Contracts. The firm aligns ICT third-party and supplier contracts with the requirements.
- Ongoing advisory. The firm supports incident handling and change management on a retainer.
Indicative pricing
Fixed-fee modules + subscription
from CHF 5,000 / month
Per-regime assessment CHF 9,000 to 18,000.
Indicative starting prices, net and exclusive of Swiss MWST (VAT) where applicable; final fee per written engagement letter.
Frequently asked questions
- Financial-sector customers are asking for DORA compliance: can the firm help?
- Yes; this is a core part of the service. DORA, the EU Digital Operational Resilience Act, binds financial entities such as banks, insurers and investment firms. It reaches most ICT third-party providers indirectly, through requirements those customers must push down by contract: security and resilience terms, audit and access rights, incident-reporting, sub-contracting controls and exit arrangements. A small number of providers designated as critical ICT third-party providers fall under a separate, direct oversight framework as well. For an ICT or SaaS provider serving financial entities, the firm assesses what DORA requires of the provider in that role, negotiates the contractual terms its customers present, and builds the supporting governance, so the provider can meet what its financial customers are obliged to demand.
- Do NIS2 and the Cyber Resilience Act apply to a Swiss company?
- They can apply directly, or reach a Swiss company through the supply chain. Under NIS2, an EU essential or important entity must manage the security of its suppliers, so a Swiss provider to such an entity will see NIS2-driven requirements flowed down by contract; a Swiss entity that itself offers in-scope services in the EU can be covered directly. Under the CRA, a Swiss manufacturer placing products with digital elements on the EU market is in scope regardless of where it is established. Scoping is the first step; specific thresholds are confirmed at engagement.
- How do these regimes relate, and where does Swiss law fit?
- They target different things: NIS2 sets baseline cybersecurity and incident-reporting duties for essential and important entities; DORA is the financial-sector operational-resilience regime that reaches ICT providers by contract; the CRA governs the cybersecurity of products with digital elements. Swiss information-security obligations (including under the ISG) sit alongside all three. The firm maps them together so a cross-border business has one coherent framework.