Episode 10

Regulation, Responsibility, Skills

And what you can do

15:00 February 23, 2027 with Cynthia, Robert, Lukas, Chris
▸ Listen to Episode 10

What this episode is about

The season finale. We tie together ten episodes, look at the 2026 regulatory landscape and what Swiss companies need to do in the coming twelve months — and we close with the detailed CAS pitch that has accompanied this series.

Three pillars for 2026

Chris opens with three pillars for every Swiss cyber leader. First: EU AI Act, because many Swiss companies operate in EU markets. Second: ISO 42001 and NIST AI RMF as practical management frameworks. Third: the Swiss position — sectoral, pragmatic, non-comprehensive. Anyone operating without a clear relationship to these three pillars over the next twelve months builds up risk.

EU AI Act — deadline and uncertainty

The AI Act has been in force since August 1, 2024. Application is staggered. Already in effect: the ban on certain AI practices — social scoring, manipulative systems, real-time biometrics in public spaces with narrow exceptions. Since August 2025, obligations apply for general-purpose AI models. The decisive deadline for this episode is August 2, 2026 — from then the high-risk provisions for Annex III systems should apply: security and law-enforcement applications, biometric identification, education, employment, critical infrastructure. Penalties up to fifteen million euros or three percent of global annual revenue.

Lukas names the political reality: on May 7, 2026 — a few days before this episode — Council and Parliament reached a political agreement that would postpone these deadlines. Annex III to December 2, 2027. Product-integrated systems like elevators or toys to August 2, 2028. But — and this is the crux — the postponement is not yet formally adopted. As long as that doesn’t happen, August 2, 2026 remains legally binding. Robert derives the operational consequence: Swiss CISOs cannot wait for the postponement. With larger client engagements, this was set up in Q1 2026 — inventory AI systems, check high-risk classification, begin conformity assessment, document the risk management system. Not because we know it will apply in August 2026 — but because we don’t know it won’t.

ISO 42001 and NIST AI RMF in practice

ISO 42001 has been published since December 2023 — the first international management-system standard explicitly for AI. Methodologically classic — Plan-Do-Check-Act, similarly structured to ISO 27001 for information security. Concretely it requires: an AI system inventory, documented AI risk management, an AI policy with roles and responsibilities, a Statement of Applicability with the ISO 42001 controls applied, impact assessments for individual AI applications, regular audits. Those with 27001 compliance can extend it.

NIST AI RMF is American, voluntary, but de facto standard in US business. Four functions — Govern, Map, Measure, Manage. The Generative AI Profile NIST AI 600-1 appeared in 2024 and provides explicitly GenAI-specific controls. Anyone doing 42001 can apply RMF in parallel — the two overlap heavily without being identical. 42001 certification takes around nine to fifteen months at a mid-market Swiss company. Stage 1 is documentation review, Stage 2 is effectiveness audit. Lukas formulates the methodological limitation: management-system standards measure process, not outcome. A company can be 42001 certified and still operate insecure AI systems. Necessary, not sufficient.

Switzerland and skills gap

The Federal Council adopted the report on Postulate 23.3861 in 2025 — AI as catalyst, not game changer. The consequence is a deliberately sectoral approach: no comprehensive Swiss AI law, but adjustments in existing laws — data protection, criminal law, consumer protection, sectoral regulations for finance, health, transport. ISACA and ENISA report in 2024 and 2025 workforce studies a global cybersecurity skills gap of 3.5 to 4 million open positions. AI security profiles are among the most highly sought. The complaint is the same everywhere — professionals who understand the bridge between cybersecurity and ML are extremely rare. Robert confirms from field experience: anyone who can do this can choose their employer; the Swiss salary curve follows.

The CAS — recommendation in one sentence

Chris presents the CAS AI-Driven Cybersecurity and Strategic Defence. Three profiles fit particularly well. First: SOC analysts and detection engineers wanting to build their work on machine learning rather than only signatures — they learn anomaly detection, user behavior analysis, application of ML in triage pipelines. Second: ML engineers and data scientists moving to security-critical applications — we cover adversarial ML, model robustness, explainable AI. Third: CISOs, security leaders, compliance professionals making strategic decisions about AI tooling — they get the methodological frame for ISO 42001, NIST AI RMF and the EU AI Act in practice. Fourteen on-campus days, fifteen ECTS credits, alongside work, with a capstone project from the participants’ own practice. CHF 9,800 including materials and certificate. Campus Rapperswil-Jona. Start September 18, 2026. Standalone CAS or part of the planned MAS Cybersecurity.

What you take away from this season

AI in cybersecurity is in 2026 neither marketing hype nor an apocalyptic scenario. It is a craft you can learn. Three observations at the close. From practice (Robert): anyone as a CISO in 2026 thinking this is still future is already behind. From research (Lukas): the research frontier moves faster than the tooling frontier. Anyone who doesn’t read research results regularly misses threats that go productive in two years. From the AI view (Chris): the methodology is well established — agentic loops, adversarial ML, anomaly detection. What Swiss companies need in 2026 are people who can translate this into their contexts. That is exactly what the CAS exists for.

Sources and references

  1. European Commission. (n.d.). Timeline for the implementation of the EU AI Act. AI Act Service Desk. https://ai-act-service-desk.ec.europa.eu/en/ai-act/timeline/timeline-implementation-eu-ai-act
  2. Council of the European Union. (2026, May 7). Artificial intelligence: Council and Parliament agree to simplify and streamline rules [Press release]. Consilium. https://www.consilium.europa.eu/en/press/press-releases/2026/05/07/artificial-intelligence-council-and-parliament-agree-to-simplify-and-streamline-rules/
  3. International Organization for Standardization. (2023). ISO/IEC 42001:2023 — Information technology — Artificial intelligence — Management system. https://www.iso.org/standard/42001
  4. National Institute of Standards and Technology. (2024). AI Risk Management Framework (NIST AI 100-1 and Generative AI Profile NIST AI 600-1). https://www.nist.gov/itl/ai-risk-management-framework
  5. Schweizerischer Bundesrat. (2025). Bericht in Erfüllung des Postulats 23.3861 — Wirkung von KI auf die Cybersicherheit. Bundesamt für Cybersicherheit BACS. https://www.ncsc.admin.ch/ncsc/en/home/aktuell/im-fokus/2025/po233861.html
  6. OST – Ostschweizer Fachhochschule. (2026). CAS AI-Driven Cybersecurity and Strategic Defence [Programmseite, 15 ECTS, 14 Präsenztage, Campus Rapperswil-Jona]. https://www.ost.ch/de/weiterbildung/weiterbildungsangebot/informatik/cybersecurity-networks/cas-ai-driven-cybersecurity-and-strategic-defence