The new Swiss Data Protection Act requires technical and organisational measures to protect personal data. Only 42% of Swiss SMEs feel adequately protected. Here are 10 concrete measures you can implement.
The revised Swiss Data Protection Act (nDSG) has been in force since September 2023. It requires every company to implement appropriate technical and organisational measures (TOMs) to protect personal data. The problem: according to the SME Cyber Study 2025, only 42% of Swiss SMEs feel adequately protected. Many do not know where to start.
Measures 1 to 5: Quick Wins
The first five measures cost little and deliver a lot.
1. Multi-factor authentication (MFA) for all user accounts, especially email, VPN and cloud services.
2. Encryption of data in transit (TLS 1.3) and at rest (BitLocker, LUKS, FileVault).
3. A documented access control policy based on the least-privilege principle.
4. Automated patch management with a maximum of 72 hours for critical security updates.
5. Regular backups following the 3-2-1 rule, tested and stored offline.
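The fifth measure can be checked mechanically against a backup inventory. The following is an added example, not part of the original article: it audits a constructed inventory against the 3-2-1 rule (three copies, two media, one offsite) plus the "tested and stored offline" requirement. The `Copy` record, the `audit_321` function and the 90-day restore-test window are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumption: a restore test older than this no longer counts as "tested".
MAX_TEST_AGE = timedelta(days=90)

@dataclass
class Copy:
    name: str
    medium: str                  # e.g. "disk", "tape", "cloud"
    offsite: bool                # kept at a different location than production
    offline: bool                # not reachable from the production network
    last_restore_test: Optional[date] = None
    is_production: bool = False  # the live data counts as copy number one

def audit_321(copies, today):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    backups = [c for c in copies if not c.is_production]
    if len(copies) < 3:
        findings.append(f"only {len(copies)} copies of the data, need 3")
    if len({c.medium for c in copies}) < 2:
        findings.append("all copies are on the same storage medium, need 2")
    if not any(c.offsite for c in backups):
        findings.append("no backup copy is stored offsite")
    if not any(c.offline for c in backups):
        findings.append("no backup copy is stored offline")
    for c in backups:
        if c.last_restore_test is None:
            findings.append(f"{c.name}: restore never tested")
        elif today - c.last_restore_test > MAX_TEST_AGE:
            findings.append(f"{c.name}: last restore test on {c.last_restore_test} is too old")
    return findings

# Constructed sample data: looks like 3-2-1 at first glance, but fails two checks.
TODAY = date(2025, 6, 1)
INVENTORY = [
    Copy("fileserver", "disk", False, False, is_production=True),
    Copy("nas-nightly", "disk", False, False, date(2025, 5, 20)),
    Copy("cloud-sync", "cloud", True, False, date(2024, 11, 3)),
]
# Constructed corrected inventory: fresh restore test plus an offline tape copy.
COMPLIANT = INVENTORY[:2] + [
    Copy("cloud-sync", "cloud", True, False, date(2025, 5, 1)),
    Copy("tape-weekly", "tape", True, True, date(2025, 4, 15)),
]

if __name__ == "__main__":
    for finding in audit_321(INVENTORY, TODAY):
        print("FINDING:", finding)
```

The list of findings, stored with the date of the run, can serve as part of the demonstrable evidence for this measure.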
Measures 6 to 10: The Next Level
The next five measures require somewhat more effort.
6. Network segmentation so that a compromised system does not endanger the entire network.
7. Logging and monitoring with centralised log collection (Syslog, SIEM).
8. Email security with SPF, DKIM and DMARC plus phishing filtering.
9. Endpoint Detection and Response (EDR) instead of traditional antivirus.
10. A documented data deletion policy with automated enforcement.
Proportionality and Liability
The nDSG does not demand perfection, but proportionality. An SME with 80 employees does not need a Security Operations Centre. But a documented security concept, regular risk assessments and demonstrable measures are mandatory. The FDPIC (Federal Data Protection and Information Commissioner) can launch investigations, and since the nDSG came into force, responsible individuals face fines of up to CHF 250,000.
Next Steps
MilesGuard creates nDSG-compliant TOM documentation for SMEs: we analyse your current security posture, prioritise measures by risk and support the implementation. The result is documented evidence that stands up to scrutiny by the FDPIC.
Sources
- [1] nDSG (fedlex.admin.ch)
- [2] SME Cyber Study 2025 FHNW/digitalswitzerland
- [3] FDPIC

