For months the same sentence has been landing in Swiss management meetings: “We have to do something because of the EU AI Act.” What usually follows is either frantic activity or a shrug - both wrong. The sober truth: for an average Swiss SME based in Reinach, Aarau or Zug, the EU AI Act often changes little in day-to-day operations. But there are clearly definable cases in which it does apply, and then matters become serious. This article shows you how to decide in ten minutes whether you are affected, and what actually takes precedence in Swiss law.
The short version: what really applies to Swiss SMEs
- The EU AI Act (Regulation (EU) 2024/1689) has been in force since 1 August 2024 and does not apply directly in Switzerland, because Switzerland is not an EU member.
- It can, however, have extraterritorial reach: as soon as your AI system or its output is used or offered in the EU, you may come under obligation as a provider or deployer - regardless of where your company is based.
- For Swiss firms, the revised Federal Act on Data Protection (revFADP) is and remains primary. It has been in force since 1 September 2023, is technology-neutral and, according to the Federal Data Protection and Information Commissioner (FDPIC), applies directly to AI applications.
- Switzerland is not adopting the EU AI Act. On 12 February 2025 the Federal Council decided on a sector-based approach and intends to ratify the Council of Europe’s AI Convention. A consultation draft is to be prepared by the end of 2026.
So anyone who works only in Switzerland, sells no AI products into the EU and applies no AI to EU citizens is governed first and foremost by the FADP - not by Brussels.
Decision tree: is my SME affected?
Work through the following questions in turn. As soon as you arrive at a “Yes” anywhere, a closer examination is due.
- Do you offer an AI system or a product with an AI function in the EU - selling, distributing, providing as SaaS? If so, you may qualify as a provider and fall under the AI Act.
- Is the output of your AI system used in the EU - for example texts, analyses or decisions affecting persons in the EU? This too triggers the extraterritorial effect.
- Do you use AI in a sensitive area - personnel selection, creditworthiness, access to education or insurance, biometric recognition, critical infrastructure? Such applications may qualify as high-risk.
- Do you use prohibited practices, such as manipulative AI behaviour, social scoring or impermissible biometric surveillance? These have been prohibited since 2 February 2025 and carry the highest fines.
If you answer “No” to all four questions and use AI only internally in Switzerland (drafting texts, research, internal automation with no EU nexus), then the AI Act is of secondary importance for you. Your actual set of obligations then comes from the FADP: transparency towards the persons concerned, security of data, correct processing. That applies independently of the AI Act.
Extraterritorial effect: the point many underestimate
The misunderstanding is widespread: “We are based in Switzerland, so the EU rule does not affect us.” Wrong. What matters is not where the company is based, but where the AI system and its output take effect. A Swiss software provider that sells its AI-supported platform to customers in Germany or France is a provider within the meaning of the AI Act. A Swiss service provider that uses an AI system to pre-sort applications from EU citizens is a deployer.
In practical terms this means: every Swiss company with EU customers or an EU nexus should establish once, properly, which role it holds - provider, deployer, importer or distributor. For providers of high-risk systems from third countries - and from the EU’s perspective Switzerland is a third country - there may also be an obligation to appoint an authorised representative in the EU. That is not a detail but a tangible organisational requirement.
The good news: the bulk of operational AI use in an SME does not fall into the high-risk category. An AI agent that prepares quotations or records bookings is generally minimal or limited risk. For limited risk, the main provisions are transparency obligations (Art. 50): anyone interacting with a chatbot must be able to recognise that they are speaking with a machine; AI-generated content must, under certain conditions, be labelled as such.
Training obligation and timetable: what applies when
The AI Act’s obligations come into force in stages. Here are the documented key dates - with one important caveat that we will return to shortly.
| Date | What applies |
|---|---|
| 1 August 2024 | AI Act entered into force |
| 2 February 2025 | Prohibited practices (Art. 5) and AI literacy obligation (Art. 4) applicable |
| 2 August 2025 | Rules for general-purpose AI models (GPAI) |
| 2 August 2026 | Transparency obligations (Art. 50); originally also high-risk rules |
The training obligation (Art. 4) required, from 2 February 2025, that providers and deployers ensure a sufficient level of AI literacy among their staff - for all employees who work with AI, not only technical staff. Important for you: this obligation is in flux. Under the Digital Omnibus (Commission proposal of 19 November 2025), Art. 4 is to be softened - away from a hard obligation on companies, towards a promotion duty on the part of the EU and member states. A provisional political agreement on this proposal was reached between the Council and Parliament on 7 May 2026; as of June 2026 the change had not yet been formally adopted and published in the Official Journal.
The high-risk deadlines were also postponed under the Digital Omnibus: for stand-alone high-risk systems under Annex III a postponement to 2 December 2027 is envisaged, and for systems embedded in products under Annex I to 2 August 2028. These dates, too, had not yet definitively entered into force as of June 2026. So do not rely blindly on a single date; check the current state of play before taking important decisions.
Our sober advice: regardless of the precise fate of Art. 4, it makes sense in any case for employees to understand what an AI system can do and where it produces nonsense. That is not a Brussels imposition but part of ordinary due diligence - and the FADP requires responsible data processing in any event.
The fines - and why SMEs are treated differently
The AI Act’s penalties are real, but graduated. As a matter of legal fact (not as a scare tactic), these are the maximum amounts anchored in the legislation:
- Prohibited practices (Art. 5): up to 35 million euros or 7 per cent of worldwide annual turnover - whichever is higher.
- Breaches relating to high-risk systems and transparency obligations: up to 15 million euros or 3 per cent.
- False or misleading information supplied to authorities: up to 7.5 million euros or 1 per cent.
For SMEs and start-ups there is a relief: here the lower of the two amounts applies in each case, not the higher one (Art. 99(6)). In addition, for SMEs - in particular small and micro-enterprises - established or with a presence in the EU, the AI Act provides for simplified documentation forms (Art. 11) and priority, free access to regulatory sandboxes. The latter, however, presupposes an EU presence - a purely Swiss base is not enough.
Plain Swiss terms: FADP first, AI Act as required
Let us summarise what is sensible for a Swiss SME:
- Take stock rather than panic. List where you use AI and whether an EU nexus exists. That one list answers the most important question.
- Meet the FADP properly. Transparency, data security, correct processing - that applies to every AI application in Switzerland, with or without the EU.
- Check the EU nexus. If you sell AI into the EU or your systems affect persons in the EU, clarify your role and the specific obligations - if in doubt, with legal support.
- Build competence. Employees who can assess AI soberly are an advantage in every scenario.
At Vollmer Labs we see this in practice: our own production building blocks - the RFQ assistant for LED signage behind rfqbuddy.com, the shooting-sports platform ballistic.club, or accounting agents that we run in production, in anonymised form, in day-to-day fiduciary operations - are almost without exception applications of minimal or limited risk, which is precisely where most SME use cases lie. High-risk cases arise less often than the headlines suggest.
One principle matters to us here that counts in regulatory terms too: human approval rather than automatic action. Our workflow solution jeffri.ch for kitchen studios, for instance, orchestrates the process from planning to invoice, but never acts of its own accord on financial and contractual steps - the human gives the go-ahead. Having a live reference of our own in one sector does not automatically mean that we can already point to full operation in every sector. Where that is not the case, we say so honestly: the building blocks run in production, just not yet in full operation in the sector concerned.
If you use AI in manufacturing and industry, or are considering AI automation and AI agents, the sober look comes first: which role, which nexus, which risk. From that follows your actual set of obligations - not from a general fear of “the AI Act”.