AI Governance & Legal Risk
What organisations need to do — and when.
Most organisations now use artificial intelligence — in recruitment, contract review, pricing, customer scoring, compliance screening. Very few have a governance structure for it. The EU AI Act is in force. Internal use of AI tools already creates legal exposure under existing Swiss and European law, even where the AI Act does not yet directly apply. The time to act is now, before regulatory scrutiny — or an incident — makes it urgent.
The EU AI Act — what it is and when it applies
Regulation (EU) 2024/1689, the "AI Act", entered into force on 1 August 2024. Its obligations are phased in: prohibitions from February 2025, governance and general-purpose AI rules from August 2025, the core regime for high-risk systems from August 2026, and the final wave of obligations by August 2027.
The Act adopts a risk-based architecture. Four categories drive the obligations:
- Unacceptable risk — practices prohibited outright: social scoring by public authorities, manipulative techniques exploiting vulnerabilities, certain biometric categorisation, real-time remote biometric identification in public spaces, save for narrow exceptions.
- High risk — systems used in employment, education, critical infrastructure, access to essential services, law enforcement and other listed areas. Subject to a full conformity regime.
- Limited risk — chatbots, emotion recognition, generative AI outputs. Subject to transparency obligations: users must know they are interacting with, or viewing content generated by, AI.
- Minimal risk — most everyday business uses. No specific obligation under the AI Act, but existing law still applies.
Switzerland is not outside the AI Act
A common misconception is that Swiss companies are unaffected because Switzerland is not an EU Member State. This is wrong. The AI Act applies extraterritorially. A Swiss company is directly within its scope where it places an AI system on the EU market, where its output is used in the EU, or where it provides services to EU-based users. Many Swiss SMEs and most Swiss multinationals are therefore subject to the Act, irrespective of where their servers, offices or staff are located.
Internal AI use — exposure already exists under existing law
The AI Act is not the only source of legal risk, and it is not even the first. Internal AI deployments today already create exposure under instruments that have been in force for years. Three families of obligations matter most.
1. Data protection — Swiss nLPD and EU GDPR
Most AI tools process personal data. The revised Swiss Federal Act on Data Protection (nLPD), in force since 1 September 2023, and the GDPR impose obligations on automated individual decision-making, profiling, transparency, data minimisation and impact assessment. An HR screening tool, a credit-scoring algorithm or a customer segmentation model is not exempt because it is "AI" — it is exactly the kind of processing these laws were designed to govern.
2. Civil liability — Swiss Code of Obligations
Damage caused by an AI output — a wrong recommendation, a discriminatory decision, a defective contract clause produced by a generative tool — is governed by ordinary liability principles under the Swiss Code of Obligations (CO art. 41 et seq., art. 97 et seq., art. 55 for auxiliaries). The fact that a machine produced the output does not displace the company's responsibility. A board that authorises AI use without governance is taking that liability on the company's balance sheet.
3. Employment and sector-specific regulation
Automated decisions affecting employees — hiring, performance evaluation, dismissal recommendations — engage labour law duties of fairness, transparency and protection of personality (CO art. 328 and 328b). In regulated sectors, additional layers apply: FINMA expectations on outsourcing and operational risk, healthcare regulation on clinical decision support, financial services rules on algorithmic decisions. These obligations exist today, regardless of whether the AI Act directly applies.
What the AI Act requires for high-risk systems
Where a system falls into the high-risk category, the obligations are substantive, not declarative. Providers must carry out a conformity assessment before placing the system on the market, maintain technical documentation, establish a risk-management system across the lifecycle, ensure data governance and training-data quality, guarantee accuracy and cybersecurity, build in human oversight mechanisms, and provide clear information to deployers. Deployers — companies that use such a system in a professional capacity — have their own obligations: human oversight in operation, monitoring, logging, and in many cases a fundamental-rights impact assessment.
For prohibited practices, no conformity assessment will save the deployment. Use is simply forbidden, with fines reaching EUR 35 million or 7% of worldwide turnover.
Who is concerned in Switzerland?
The picture is layered, and most companies fall into more than one category.
- Companies with EU nexus — EU operations, EU customers, products placed on the EU market, services accessible from the EU: directly subject to the AI Act.
- Companies without EU nexus: not directly subject to the AI Act, but exposed under existing Swiss law (nLPD, CO, employment law, sector regulation) the moment they deploy AI internally.
- All companies using AI tools — from generative assistants to procurement scoring: bound by existing obligations regardless of AI Act applicability, and likely to be caught by future Swiss legislation. The Federal Council has confirmed that legislative alignment with the EU approach is under active consideration.
Not being directly subject to the AI Act does not mean being safe. The legal exposure exists today, and large EU clients are already passing AI Act compliance obligations down to their Swiss suppliers contractually.
Five steps to take now
- Map the AI systems in use — across procurement, HR, finance, legal, compliance, marketing, customer-facing operations. Most companies underestimate this inventory by a factor of two or three.
- Classify each system by risk level under the AI Act framework, and by sensitivity under the nLPD and sector regulation.
- Assess legal exposure under existing law — data protection, civil liability, employment, sector rules — before turning to the AI Act.
- Design a governance framework — clear accountability, human oversight rules, incident response, documentation, vendor due diligence, board reporting.
- Report to the board. AI governance is no longer an IT topic. It is a board-level risk category.
The contractual dimension
Vendor agreements deserve specific attention. Off-the-shelf SaaS contracts allocate liability and IP in ways that rarely match the deploying company's risk profile. Five clauses should be reviewed before signature: liability allocation for AI outputs and downstream damage; transparency and explainability obligations imposed on the vendor; audit rights over training data and model updates; data governance, including confidentiality of inputs and use of customer data for further training; and ownership of AI-generated content. Negotiating these clauses is significantly easier before signature than after an incident.
The Swiss regulatory position
Switzerland has not yet enacted AI-specific legislation. The Federal Council mandated a review in 2023 and is monitoring international developments closely. Existing instruments — nLPD, CO, FINMA circulars, sector regulation — already apply, and Swiss companies with EU exposure are subject to the AI Act directly. Legislative alignment is expected over the coming years. Companies that build governance now will adapt to whatever framework emerges at marginal cost. Companies that wait will pay the catch-up premium under regulatory pressure.
In short
- The EU AI Act is in force, with phased application through 2027. It applies extraterritorially — most Swiss companies with EU customers or markets are directly subject.
- Internal AI use already creates legal exposure today under the nLPD, the Swiss Code of Obligations, employment law and sector regulation, regardless of whether the AI Act applies.
- High-risk AI systems require conformity assessment, human oversight, documentation and transparency. Prohibited practices are forbidden outright.
- Five priorities: map, classify, assess legal exposure, design governance, report to the board.
- Vendor contracts allocate liability, IP and data rights in ways that rarely favour the deployer. Review them before signature.
This guide presents the legal framework in a general and simplified way, current as of information available in May 2026. It does not constitute legal advice: whether and how a given company is subject to the AI Act or related obligations must be assessed specifically. See also the Services page for details on AI governance mandates.