Switzerland isn't in the EU — but the EU AI Act still reaches you. Like the GDPR before it, the Act applies extraterritorially: if the output of your AI system is used in the EU, you're in scope. For Swiss banks, insurers and asset managers with EU clients or branches, that's most of the book.
The uncomfortable part is the classification. "High-risk" isn't just facial recognition and self-driving cars. It explicitly includes AI used to evaluate creditworthiness, to price and underwrite life and health insurance, and certain uses in employment and access to essential services. A "simple" chatbot can also trigger transparency duties. Many institutions are running high-risk AI without having named it as such.
What a board should be doing now
- Inventory every AI use — including the pilots and the shadow tools a team spun up on a SaaS account.
- Classify each one against the Act's risk tiers (prohibited, high-risk, limited, minimal).
- For anything high-risk, put the controls in place: human oversight, logging and traceability, data governance, technical documentation, and clear user transparency.
- Assign ownership. "Compliance will look at it later" is how you end up retrofitting — the most expensive way to do this.
Why this is our whole thesis
None of this is a reason to avoid AI. It's a reason to build it properly the first time. At Operal we call it Jurisdictional Integrity: systems that are source-grounded ("no source, no answer"), auditable end-to-end, human-overseen, and Swiss-hosted by default.
That isn't a slide we made for the AI Act. It's how we built the award-winning compliant chatbot for ASGA Pension fund — thousands of member queries answered 24/7, every answer traceable — well before "high-risk obligations" was a line item on anyone's roadmap.
The firms that treated compliance as the architecture, not the afterthought, don't have a scramble ahead of them. They have a head start.