Understand to take control

The risks of AI in business, in Switzerland

AI creates value, but it carries real risks: errors, data leaks, dependency, lack of traceability. We help you manage them on the technical and operational side.

European hostingProtected dataAuditable actions

14'137+ sites created in the last 30 days

actif
🇪🇺 Europe
Falkenstein
Helsinki
Nürnberg

Hetzner · Europe

US cloud
European hosting
Protected data
Auditable actions

A growing share of Swiss businesses have already deployed AI at scale. Yet only a minority have established clear rules about what data their employees can share with these tools. The gap between adoption and governance creates a real zone of vulnerability: legal, operational, and strategic. This guide maps out concrete risks, explains the applicable legal framework in Switzerland, and proposes practical steps forward.

14'137+
sites created in the last 30 days
16
languages
100%
European hosting
0
US cloud

The real risks, and how we handle them

No panic, just concrete safeguards.

Errors and hallucinations

Models can be wrong. We add validations, checks and clear limits to prevent things from going off the rails.

Data security

We work on European infrastructure, without sending your data to third-party APIs, to reduce the risk surface.

Traceability

Every automated action is logged and auditable, so you know who did what and when.

Managed dependency

Open source models and portable architecture: no lock-in to a single vendor.

Risk landscape: four categories to understand

AI-related risks in business are not monolithic. They fall into four distinct categories, each with its own causes, consequences, and mitigation levers. Understanding this map is the essential first step before any deployment.

  • Legal risks: nLPD non-compliance, civil liability, exposure to the European AI Act
  • Operational risks: errors, hallucinations, outages, systemic dependency
  • Ethical risks: algorithmic bias, discrimination, infringement of fundamental rights
  • Strategic risks: vendor lock-in, skills drain, absence of governance

Legal risks: nLPD, the Code of Obligations, and the AI Act

Switzerland does not yet have specific AI legislation. The approach chosen is one of technological neutrality: existing laws apply. In practice, three legal frameworks directly govern AI use in business.

The new Federal Act on Data Protection (nLPD, in force since September 2023) applies directly to AI-based processing. It requires transparency about the purpose and sources of data, impact assessments where high risks are involved, and a right to human review of automated decisions (art. 21 nLPD). Penalties can reach 250,000 CHF and expose senior executives to personal liability.

The Code of Obligations (art. 41 CO) requires the user organization to compensate any damage caused by an AI system it operates. The company is liable, not the system. The Federal Product Liability Act may also apply if the AI is classified as a defective component.

The European AI Act, adopted in March 2024 and entering into force progressively until 2026, directly concerns Swiss companies that operate in the European market or whose AI systems are deployed in the EU. It classifies AI into four risk levels (unacceptable, high, limited, minimal) and imposes documentation, audit, and CE marking requirements for high-risk systems.

  • nLPD: penalties up to 250,000 CHF, personal liability for executives
  • Art. 21 nLPD: right to oppose automated decisions and mandatory human review
  • Art. 41 CO: the user organization is legally liable for damages caused by AI
  • AI Act: 4 risk levels, documentation and audit requirements for high-risk systems
  • Swiss companies exporting to the EU or using AI from EU providers are subject to the AI Act
  • No specific Swiss AI law: a gradual sector-based approach expected by 2027

Operational risks: errors, hallucinations, and dependency

Generative AI produces statistically probable outputs, not necessarily accurate ones. The hallucination phenomenon, where the model generates false information presented with confidence, is documented across all major current models. In a professional context, this can lead to poorly drafted contracts, erroneous financial analyses, incorrect customer responses, or flawed medical decisions.

Operational dependency is a risk that is often underestimated. When a critical process relies entirely on an AI system from an external vendor, an outage, a change in terms of service, or a price increase can disrupt operations. Without a business continuity plan, the vulnerability is structural.

  • Hallucinations: false information presented with confidence, risk in legal drafting, analysis, and advice
  • Cascading errors: an incorrect automated decision can trigger further actions without human intervention
  • Systemic dependency: service stopped or modified by the vendor without sufficient notice
  • Lack of traceability: inability to reconstruct the reasoning behind a decision
  • Training data quality: biased or outdated data produces unreliable outputs
  • User overconfidence: employees accept AI outputs without critical verification

Ethical risks: algorithmic bias and discrimination

A model trained on historical data inherits the biases present in that data. In recruitment, credit granting, insurance pricing, or performance evaluation, a biased algorithm can lead to discriminatory decisions under Swiss and European law, even without any intent to harm.

The absence of human oversight over these decisions worsens the risk: the discrimination is not visible in the process, it only appears in the outcomes. In Switzerland, the nLPD requires that automated decisions with significant legal effects on an individual be subject to a right of human review.

  • Representation bias: under-representation of certain groups in training data
  • Discrimination in recruitment, credit, insurance: legal and reputational risks
  • Model opacity: inability to explain an automated decision to the person affected
  • Deepfakes and disinformation: malicious uses of generative AI against the company or its partners
  • Copyright: ownership of AI-generated content not yet clarified under Swiss law
  • Employee surveillance via AI: risks under labor law (art. 26 OLT 3)

Data risks: sovereignty and localization

Most consumer-grade AI tools (ChatGPT, Copilot, Gemini) process data on servers located in the United States. When an employee enters confidential information, customer data, trade secrets, or personal data into these tools, that data leaves the company's perimeter and potentially the Swiss and European jurisdiction.

Global computing power remains heavily concentrated in the United States, leaving Europe structurally dependent on American hyperscalers. This reality creates a sovereignty risk that Swiss companies, particularly in regulated sectors (finance, healthcare, insurance, public administration), can no longer ignore.

Where data is hosted is a security criterion, not merely a matter of preference. Alternatives exist, including open-source models hosted on European infrastructure, which allow sensitive data to be processed without transferring it outside the EU.

  • Data transfers outside the EU via consumer AI tools: potential nLPD non-compliance
  • Trade secrets and customer data exposed in models trained on user inputs
  • Dependency on US hyperscalers (AWS, Azure, GCP): geopolitical and regulatory risk
  • Open-source models on EU infrastructure: a concrete alternative for sensitive data
  • Data reuse for training purposes: check the terms of service for each tool
  • Data localization: a compliance criterion for regulated sectors (FINMA, Swissmedic)

Strategic risks: absent governance and lock-in

Many Swiss companies have adopted AI, but strategy often lags behind. Adoption without governance is itself a risk: use cases multiply in an uncoordinated way, responsibilities remain unclear, and no framework defines what data can be shared with which tools.

Vendor lock-in is a form of strategic dependency. When a company's processes rely on a proprietary AI tool, migrating to an alternative becomes costly, risky, and technically complex. Over time, the vendor gains market power that erodes the company's negotiating position.

The lack of internal expertise is one of the primary obstacles to structured adoption. SMEs generally cannot build an AI governance team on their own. External support, whether advisory, training, or technical services, is therefore a risk reduction factor, not a luxury.

  • No internal AI policy: uncontrolled use cases, unclear responsibilities
  • Vendor lock-in: dependence on a proprietary tool that is difficult to replace
  • Skills drain: employees trained on a specific tool rather than on AI reasoning
  • Internal resistance: the human factor underestimated, superficial adoption without genuine buy-in
  • Migration costs: switching AI platforms underestimated in ROI calculations
  • Absence of performance metrics: no way to know whether AI is actually delivering value

Swiss regulatory framework: what applies today

Switzerland has opted for a technologically neutral approach: no single AI law, but application of existing sector-specific legislation. In practice, in 2025-2026, the following texts apply directly to AI use in business:

The FDPIC (Federal Data Protection and Information Commissioner) has confirmed that the nLPD applies directly to AI-based processing, without ambiguity. The authority is particularly monitoring cases of facial recognition, behavioral surveillance, and automated processing of sensitive data.

For companies exposed to the EU, the AI Act adds a regulatory layer. The first prohibitions (unacceptable risk level) came into force in February 2025. Obligations for high-risk systems are being phased in progressively until August 2026.

  • nLPD (in force Sept. 2023): immediately applicable to all AI-based processing
  • Code of Obligations: civil liability of the company for damages caused by AI (art. 41)
  • Product Liability Act: liability if the AI is classified as a defective component
  • FINMA (finance): specific requirements for scoring models and automated decisions
  • Swissmedic (healthcare): medical devices using AI subject to certification
  • EU AI Act: applicable to Swiss companies operating in the EU market, phased in through 2026
  • Swiss-specific AI regulation: under consultation, expected 2027

Seven practical recommendations for managing AI risks

AI risk management does not require halting everything or starting from scratch. It calls for a structured approach, proportionate to the size and sector of the organization. Here are the priority steps identified by Swiss practitioners in the field.

  • Map current use: inventory all AI tools in use across the organization, including informal employee usage
  • Classify data: distinguish public, internal, confidential, and personal data, and define what may go into which tools
  • Draft an internal AI policy: define permitted uses, responsible parties, prohibited cases, and validation procedures
  • Document automated decisions: maintain a register of AI-based uses that affect individuals (recruitment, credit, performance evaluation)
  • Train employees: raise awareness of hallucinations, biases, and verification habits, not just tool usage
  • Review vendor contracts: check clauses on data reuse, data localization, and liability
  • Plan for continuity: define what to do if an AI tool becomes unavailable or if its outputs prove unreliable

The Kleap approach: enterprise AI with risk management built in

For Swiss companies looking to deploy business AI tools, customer portals, internal software, or AI agents without transferring their data to American hyperscalers, Kleap offers an approach based on three principles.

First principle: European infrastructure. Deployments rely on Hetzner (Germany, ISO 27001 certified) and open-source models whose data does not leave the EU and is not reused to train third-party models.

Second principle: guided delivery. Kleap does not sell a tool; it delivers results through a team. Three paths are available: turnkey delivery via the Lionscreative partner agency, referral to a specialist provider, or Kleap Enterprise deployment in guided mode.

Third principle: traceability. The actions of deployed AI systems are auditable. Executives can document decisions to meet nLPD requirements and prepare for AI Act compliance.

  • Hetzner hosting (DE/EU, ISO 27001 certified): data processed in Europe, not reused
  • Open-source models: no dependency on a single proprietary vendor
  • Agency support (Lionscreative): shared responsibility for delivery outcomes
  • AI action traceability: auditability for nLPD compliance
  • No customer data transferred to non-contracted third-party APIs
  • Gradual deployment: sector pilot before full rollout

How to address AI risks in 5 steps

01

1. Map

Inventory all AI tools in use across the organization, including informal usage. Identify what data is entered into them. This step typically takes a few weeks and often reveals use cases that have not been validated by management.

02

2. Classify

Distinguish data by sensitivity level: public, internal, confidential, or personal under the nLPD. Define which data may go into which tools based on their hosting location and terms of service.

03

3. Frame

Draft a simple internal AI policy defining permitted uses, responsible parties, prohibited cases, and incident procedures. Have it validated by management and communicated to all employees.

04

4. Train

Train employees in verification habits: understand what a hallucination is, know when not to trust an AI output, know how to escalate a doubt. Critical thinking skills are more valuable than mastery of any single tool.

05

5. Audit

Establish a periodic review process for AI use: output quality, incidents, regulatory developments. Document significant automated decisions. Plan an annual review with the board or management on AI governance.

Consumer AI vs. sovereign enterprise AI: the differences that matter

For professional use cases involving sensitive data, not all AI approaches carry the same level of risk. Here are the criteria that distinguish a controlled deployment from an unmanaged one.

CriterionConsumer tools (ChatGPT, Copilot...)Sovereign enterprise AI (Kleap)
Data locationUS servers, transfer outside EUEU infrastructure (Hetzner DE, ISO 27001 certified)
Data reusePossible under terms of service, variesNo, data is not reused
AI model usedProprietary, opaqueOpen source, traceable
Decision traceabilityLimited or absentAuditable actions
nLPD complianceTo be verified case by caseDesigned for nLPD compliance
Vendor dependencyHigh: terms can be modified unilaterallyLow: open-source, substitutable
SupportSelf-service, online documentationDedicated team, assured delivery

Sovereignty

Reduce risk by staying in control

The first risk is losing control of your data. We prevent that by design.

European hosting

Infrastructure in Europe (Hetzner), no US cloud.

Protected data

Your data is not used to train third-party models.

Auditable actions

Full logging of automated processing.

The local ecosystem

French-speaking Switzerland: strong presence of SMEs in manufacturing, watchmaking, financial services, and healthcare, all subject to sector-specific data requirements
Geneve: financial and international sector, direct exposure to the AI Act through EU subsidiaries
Vaud and the Lake Geneva region: a network of tech SMEs and startups, early AI adoption but often no governance in place
Fribourg and Valais: industrial and agri-food sectors, traceability and automated decision quality are key concerns
Neuchatel: watchmaking and microtechnology, intellectual property and industrial secrets are particularly sensitive
Cultural context in French-speaking Switzerland: cautious approach to risk, preference for local partnerships and personalized support

Frequently asked questions

Does Switzerland have a specific law on AI?

No. Switzerland takes a technologically neutral approach: existing laws apply. The nLPD (data protection), the Code of Obligations (civil liability), and sector-specific regulations (FINMA, Swissmedic) govern AI use. Specific AI regulation is expected to be introduced gradually from 2027.

Does the European AI Act apply to Swiss companies?

Yes, for companies that operate in the European market or whose AI systems are used in the EU. The AI Act has extraterritorial scope similar to the GDPR: if your product or service reaches individuals in the EU, you are subject to it.

What penalties does the nLPD provide for AI-related violations?

The nLPD provides for criminal penalties of up to 250,000 CHF. These sanctions apply to the individuals responsible (executives, data processing officers), not only to the company as an entity.

Is my company liable for errors made by an AI system it uses?

Yes. Under Swiss law, the user organization is considered liable for damages caused by the AI systems it operates, based on art. 41 CO (tort liability). It is not the AI system or its publisher that is liable, but the organization that chooses to use it.

What happens if an employee enters confidential data into ChatGPT?

That data leaves the company's perimeter and is transferred to American servers. Depending on the terms of service, it may be used to improve the models. In the absence of a Data Processing Agreement (DPA), this likely constitutes a violation of the nLPD if the data includes personal data or customer data.

How should algorithmic bias be managed in HR decisions?

By maintaining systematic human oversight over all recruitment, evaluation, or promotion decisions involving an AI system. The nLPD requires a right of human review for automated decisions with significant effects on an individual. Documenting the process is essential in the event of a legal challenge.

What is AI data sovereignty and why does it matter?

Data sovereignty means that your data is processed in a jurisdiction whose rules you understand, by systems whose operation you control. For Swiss companies in regulated sectors, this means choosing AI tools hosted in the EU, using open-source models, with contractually defined processing terms.

What is the first thing to do to reduce AI risks in my organization?

Map current usage. Most organizations discover during this exercise that many employees are already using AI tools without any oversight. This mapping then allows you to prioritize actions (internal policy, training, appropriate tool selection) according to the actual level of risk.

Are SMEs really affected by AI risks, or is this mainly a large-company concern?

SMEs are just as affected, and sometimes more so: they have fewer resources to manage an incident, less in-house legal capacity, and greater dependency on a limited number of tools. A significant proportion of very small businesses have not yet put clear rules in place for the data they entrust to AI tools.

How do I choose a reliable AI provider for my business in Switzerland?

Three essential criteria: data location (EU infrastructure preferred), contractual clarity on data reuse (signed DPA, limited purpose), and AI decision traceability (ability to document and explain system outputs). Also verify that the provider can offer ongoing support, not just tool delivery.

Deploy AI with no nasty surprises

Let's talk about your concerns and your context. We put the right safeguards in place.

Request a Custom Demo

Tell us about your team and we'll reach out within 24 hours.

We'll never share your information. Expect a response within 24h.

AI risks for business in Switzerland | How to manage them