AnyLearn
All lessons

DORA and Swiss Banking Secrecy: Two Regimes, Two Jobs

The EU Digital Operational Resilience Act governs how financial entities withstand ICT disruptions, while Article 47 of the Swiss Banking Act is a criminal confidentiality duty over client data. This advanced lesson dissects both mechanisms, their exceptions, and why an institution can fall under both at once.

Not signed in: your progress and quiz score won't be saved.
Progress1 / 11

Two rules that get confused

DORA and Swiss banking secrecy are frequently bundled as "financial-sector data rules," but they govern different things and sit in different legal systems.

  • DORA (Regulation (EU) 2022/2554, applying from 17 January 2025) is an EU operational-resilience regime: it dictates how financial entities keep information and communications technology (ICT) systems running through disruption.
  • Swiss banking secrecy (Article 47 of the Banking Act) is a Swiss criminal confidentiality duty: it makes unlawful disclosure of client information a punishable offence.

One is prescriptive process regulation about systems; the other is a confidentiality obligation about client identity and financial data. They are not in conflict, and neither substitutes for the other. This lesson takes each apart mechanically, then shows where a single institution meets both.

Full lesson text

All 11 steps on one page, for reading, reference, and search.

Show

1. Two rules that get confused

DORA and Swiss banking secrecy are frequently bundled as "financial-sector data rules," but they govern different things and sit in different legal systems.

  • DORA (Regulation (EU) 2022/2554, applying from 17 January 2025) is an EU operational-resilience regime: it dictates how financial entities keep information and communications technology (ICT) systems running through disruption.
  • Swiss banking secrecy (Article 47 of the Banking Act) is a Swiss criminal confidentiality duty: it makes unlawful disclosure of client information a punishable offence.

One is prescriptive process regulation about systems; the other is a confidentiality obligation about client identity and financial data. They are not in conflict, and neither substitutes for the other. This lesson takes each apart mechanically, then shows where a single institution meets both.

2. DORA: purpose and who it binds

DORA exists so that financial entities can withstand, respond to, and recover from ICT-related disruptions under one harmonised EU framework, replacing a patchwork of national and sectoral rules.

Its scope is deliberately broad. It binds, among others:

Entity typeExamples
Credit institutionsBanks
InsuranceInsurers, reinsurers
InvestmentInvestment firms
PaymentsPayment and e-money institutions
CryptoCrypto-asset service providers
MarketsTrading venues, central counterparties

Beyond financial entities themselves, DORA reaches critical ICT third-party providers (CTPPs) through a dedicated Union oversight regime. So a cloud host or data-analytics vendor that many financial entities depend on can be pulled directly into supervision, not merely governed through its clients' contracts.

3. DORA's five pillars

The five interlocking pillars that make up the DORA framework.

flowchart TD
  A["DORA operational resilience framework"] --> B["Pillar 1: ICT risk management framework"]
  A --> C["Pillar 2: ICT incident management and reporting"]
  A --> D["Pillar 3: Digital operational resilience testing"]
  A --> E["Pillar 4: ICT third-party risk management"]
  A --> F["Pillar 5: Information sharing on cyber threats"]
  B --> G["Governance, identify, protect, detect, respond, recover"]
  C --> H["Classify incidents and report to competent authorities"]
  D --> I["Threat-led penetration testing for significant entities"]
  E --> J["Contracts, register of information, concentration risk"]
  E --> K["Union oversight of critical ICT third-party providers"]

4. Pillar 1: ICT risk management

The first pillar is the backbone. Each financial entity must maintain a documented ICT risk management framework covering the full lifecycle: governance, identification of assets and dependencies, protection and prevention, detection, response, and recovery.

Two structural features matter most:

  1. Management-body responsibility. The entity's management body owns the framework. It approves, oversees, and remains accountable for ICT risk. This cannot be fully delegated away to a technical team or a vendor.
  2. Proportionality. Requirements scale to the size, risk profile, and complexity of the entity. A large systemic bank and a small payment institution are not held to identical operational detail, but both must have a coherent framework.

The point is not a one-off audit. It is a continuously maintained, board-owned capability that identifies dependencies before they fail.

5. Pillar 2: Incident management and reporting

The second pillar turns disruptions into a disciplined process. Entities must detect, manage, classify, and report ICT-related incidents.

Classification is not cosmetic. DORA sets criteria (such as clients affected, duration, geographic spread, data losses, and economic impact) that determine whether an incident is major and therefore triggers mandatory reporting to the competent authority.

The reporting rhythm is staged:

  • an initial notification,
  • an intermediate report as understanding develops,
  • a final report with root cause and remediation.

This structure exists so supervisors get comparable, timely signals across the whole EU financial system rather than inconsistent, delayed disclosures. Voluntary notification of significant cyber threats is also contemplated, separate from mandatory incident reporting.

6. Pillar 3: Resilience testing and TLPT

The third pillar requires entities to test their digital operational resilience, not just document it. A baseline testing programme covers tools and systems using methods such as vulnerability assessments, scenario-based tests, and gap analyses.

On top of that baseline sits threat-led penetration testing (TLPT) for entities identified as significant. TLPT is an intelligence-led, red-team style exercise that simulates realistic adversary behaviour against live production systems, coordinated with authorities and, where relevant, across borders.

Baseline testing is periodic and broad. TLPT is deep, targeted, and reserved for the entities whose failure would matter most.

The design principle: assurance should be proportional to systemic importance. Not every entity runs a full TLPT, but those that could destabilise the system must prove resilience against sophisticated attack.

7. Pillars 4 and 5: Third parties and sharing

Pillar 4 - ICT third-party risk governs the supply chain. Entities must impose specific contractual requirements on ICT providers (audit rights, security, exit strategies, subcontracting terms) and keep a register of information listing all contractual arrangements. They must also monitor concentration risk, the danger of too many entities depending on one provider.

Layered above this is the Union oversight framework: providers designated as critical ICT third-party providers are supervised directly by a Lead Overseer, who can issue recommendations and request information from the provider itself.

Pillar 5 - information sharing enables entities to exchange cyber-threat intelligence (indicators, tactics, techniques) within trusted arrangements. It is permissive, not mandatory: it removes friction from collective defence while keeping participation voluntary and rules-bound.

8. Article 47: a criminal duty

Now the Swiss side. Banking secrecy is not a marketing slogan; it is grounded in Article 47 of the Federal Act on Banks and Savings Banks (the Banking Act).

What makes it distinctive is that it is a criminal confidentiality duty. Unlawfully disclosing information entrusted in the course of the banking relationship, or exploiting it, can be a punishable offence, not merely a civil or contractual breach.

Who is bound is broad. The duty reaches the bank's bodies, employees, agents, and auditors, and it persists even after the working relationship ends.

What it protects is client identity and client financial information, a professional confidentiality obligation. Note carefully what it is not: it is not an absolute, exceptionless shield. It is a strong default that yields to specific lawful processes, which the next steps set out.

9. The lawful exceptions

The secrecy duty is best read as confidential by default, with lawful exceptions. It yields to statutory duties and legal process. Key channels through which client information can lawfully leave the bank include:

  • Criminal proceedings - disclosure compelled through proper judicial process.
  • Debt enforcement and bankruptcy - information required in insolvency and collection.
  • Supervisory requests - the financial-market regulator's lawful information rights.
  • International assistance - administrative assistance and mutual legal assistance with foreign authorities under applicable treaties and law.

The common thread: secrecy binds the bank against arbitrary or unauthorised disclosure, but it does not let a bank withhold information where a statutory duty or lawful order requires it. The exception is not a loophole; it is the mechanism keeping the duty compatible with law enforcement, insolvency, and supervision.

10. Secrecy does not block tax exchange

A common misconception is that banking secrecy blocks the cross-border sharing of account information for tax purposes. It does not.

Structurally, the regime shifted from absolute secrecy to confidentiality plus lawful information exchange. Two mechanisms sit outside the shield:

  • Automatic Exchange of Information (AEOI), Switzerland's implementation of the OECD Common Reporting Standard (CRS). Financial institutions report account data on clients tax-resident in partner jurisdictions to the Swiss authority, which forwards it to the partner state.
  • FATCA, under which account information relating to United States persons is reported.

So secrecy still governs arbitrary disclosure to private parties or unauthorised requests, but account information flows to tax authorities through these standardised, treaty-based channels. Confidentiality and automatic tax reporting coexist; one does not cancel the other.

11. Where the two regimes meet

The regimes govern different objects and can apply to the same institution simultaneously.

DORAArticle 47
Legal systemEU regulationSwiss criminal law
GovernsOperational resilience of ICTConfidentiality of client data
NaturePrescriptive process rulesCriminal confidentiality duty
Trigger for the otherDoesn't touch client secrecyDoesn't touch ICT resilience

Two overlap scenarios:

  1. A Swiss bank with EU activity may fall within DORA's scope for that activity while remaining bound by Article 47 for its Swiss client relationships.
  2. An EU financial entity using Swiss ICT providers must meet DORA's third-party requirements, while the Swiss provider and bank handle data under Swiss confidentiality law.

They are not in conflict: resilience of systems and confidentiality of clients are complementary obligations. Compliance means satisfying each on its own terms, not trading one off against the other.

Check your understanding

The lesson ends with a 5-question quiz. Take it in the player above to see your score.

  1. What does DORA primarily regulate?
    • The confidentiality of client identity and financial data
    • How financial entities withstand, respond to, and recover from ICT-related disruptions
    • The taxation of cross-border financial accounts
    • The licensing of banks to operate within the EU single market
  2. Threat-led penetration testing (TLPT) under DORA is best described as:
    • A baseline vulnerability scan every entity must run annually
    • A contractual clause imposed on all ICT third-party providers
    • An intelligence-led red-team exercise required of entities identified as significant
    • The mandatory reporting of major incidents to competent authorities
  3. Which statement about the Union oversight framework in DORA's third-party pillar is correct?
    • It supervises critical ICT third-party providers directly, not only through their clients' contracts
    • It applies only to providers located inside the European Union
    • It replaces the need for entities to keep a register of information
    • It is a voluntary information-sharing arrangement between banks
  4. Why is the confidentiality duty in Article 47 of the Swiss Banking Act considered especially strong?
    • It grants clients absolute anonymity that no authority can pierce
    • It is a criminal duty, so unlawful disclosure can be a punishable offence
    • It prevents Switzerland from entering any tax-information treaties
    • It applies only to the bank's senior management, not to employees
  5. A client assumes Swiss banking secrecy prevents their account data from ever reaching a foreign tax authority. Why is this wrong?
    • Because secrecy was fully abolished and no confidentiality duty remains
    • Because account data flows to tax authorities via the AEOI/CRS and FATCA channels, which sit outside the secrecy shield
    • Because DORA overrides Swiss banking secrecy for all EU clients
    • Because banks may disclose any client data to anyone once an account is closed

Related lessons