Switzerland and the changing cyberthreat: 2025 assessment and 2026 trends
With 65,000 incidents recorded, 2025 confirms a stability in volume but an intensification in quality of attacks. Lionel Ducommun, Cyber Project Manager, deciphers a landscape where targeted ransomware, AI-enhanced phishing and compromised supply chains redefine the risks. What developments can we anticipate in 2026? Discover the keys to strengthening your resilience.
In 2025, Switzerland confirms an already perceptible trend: while the 65,000 cyber incidents recorded (OFCS, 2025) show a certain stability in terms of volume (63,000 in 2024), the sophistication and targeting of attacks are increasing sharply.
Beyond the numbers, the year was marked by the qualitative intensity of threats affecting ever more sensitive sectors. Malicious actors are becoming better organized, using techniques that are increasingly difficult to detect. Our country, renowned for its technological resilience, is discovering that this reputation must be defended relentlessly.
Some key figures for the 2025 landscape
- 26% of reports still concern bogus “police” calls, although the volume is declining
- 19% are phishing attacks
- 9% investment scams via advertising or bogus financial Services
- 104 ransomware attacks reported (compared with 92 in 2024)
- CEO fraud explodes: 970 cases in 2025, compared with 719 in 2024
Ransomware: a more targeted, more destructive threat
Over the whole of 2025, 104 ransomware attacks were officially reported to the OFCS (compared with 92 in 2024). Behind this relatively modest number lies a profound evolution in the methods used by two very active groups.
Criminal groups are now practicing this systematically:
- encryption.
- then the gradual publication of the stolen data if a ransom is not paid.
This media and regulatory pressure (nLPD) increases the reputational risks for victims.
So-called “supply chain” attacks are on the increase, often targeting IT suppliers. Once compromised, they can cascade down to several customers. According to OFCS, this is a scenario that has been observed several times in 2025.
Akira, is a ransomware group operating on a “Ransomware-as-a-Service” (RaaS) model, very active in the Swiss ecosystem.
It is distinguished by:
- greater focus on industrial companies and SMEs;
- the ability to extract sensitive data before encryption;
- a persistent presence via compromised network accesses resold on the dark web.
LockBit, despite an international partial dismantling operation, remains present via affiliates.
These characteristics are:
- very fast encryption;
- advanced automation tools;
- a structured negotiating platform to put pressure on victims;
- a standardized “press kit” to threaten to divulge the stolen data.
AI and social engineering: a formidable phishing duo
By 2025, phishing will account for around 19% of all reported incidents. But what’s new is the credibility, immediacy and automation of these attacks.
Cybercriminals buy Google ads that precede real eBanking pages, fooling even savvy users. These campaigns can be used to steal, for example:
- bank details;
- TWINT access;
- card numbers.
Thanks to automated tools capable of intercepting multi-factor authentication (MFA) codes, criminals can neutralize certain MFA protections. This phenomenon was reported on several occasions in Swiss banks in 2025.
Fraudulent messages generated by AIs have become virtually undetectable:
- perfect logos;
- credible writing style;
- fake AI-generated bank advisors in some cases.
AI-assisted social engineering is now an operational reality that attackers use on a massive scale.
What trends and measures will 2026 bring?
So what can we expect in 2026, and what are the trends and measures to come?
Several analyses (WatchGuard, dcod.ch) are converging, warning of the emergence in 2026 ofautonomous malicious agents capable of..:
- scanner;
- to exploit;
- move or evolve if necessary;
- and persist without human intervention.
These agents will drastically reduce the time between intrusion and exploitation of the vulnerabilities and data collected.
The ransomware model will continue to evolve towards “pure extortion”:
- data theft → threat → publication.
This fast approach bypasses traditional defenses based on encryption and backup.
The CRA came into force on December 10, 2024 at European level, but reporting obligations will apply from September 11, 2026. The ARC aims to protect consumers and businesses purchasing IT tools and software, aiming to ensure that all digital products are safe from cyber threats.
Its major implications:
- obligation to integrate cybersecurity right from the design stage (“securebydesign”)
- manufacturers’ responsibility for the entire digital product lifecycle, requirements for proactive vulnerability remediation
- greater transparency on incidents and exploited vulnerabilities
- setting up a harmonized framework for hardware products, software and connected Services
Products will bear the “CE” mark to indicate that they comply with the requirements of the CRA, and national market surveillance authorities will ensure that these rules are applied. For Swiss companies working with (or exporting to) the EU, these requirements will become unavoidable from 2026-2027.
Increased vigilance and the need for support
The 2025 assessment confirms that Switzerland is no longer simply a country targeted “by opportunity”, but a strategic space for cybercriminals, be they state, financial or opportunistic.
Our organizations must therefore continue to strengthen:
- their prevention posture through ongoing employee training;
- detection capabilities;
- governance practices.
Loyco supports its customers in the face of cyberthreats
In 2025, Loyco supported more than 20 customers, focusing on three key areas:
- training/awareness-raising on cyber risks;
- assistance in obtaining cyber insurance;
- compliance with the requirements of the French Data Protection Act (nLPD).
It’s a dynamic that we want to reinforce in 2026, to enable every organization – SME, local authority, institution – to become more resilient in the face of a rapidly changing cyber landscape.
Contact us!
Lionel Ducommun
Project manager at Loyco and BenefitMe & Accompagnement global en cybersécurité
Contact Lionel by email