On 27 May 2026 the Swiss Federal Council opened consultation proceedings on a partial revision of the Telecommunications Act (Fernmeldegesetz, FMG), aimed squarely at protecting telecom infrastructure and the services running over it against cyberthreats. Administered through DETEC and the Federal Office of Communications (OFCOM/BAKOM), the draft is open for comment until September 2026 (admin.ch; BAKOM consultations). It is a serious, mostly well-targeted package — and it is also where Switzerland will decide whether "security" stays a technical discipline or becomes a vehicle for industrial protectionism.
What is actually on the table
The revision bundles several distinct measures. Operators of critical telecom infrastructure would face hardened resilience obligations and serious-incident reporting to the Federal Office for Cybersecurity (BACS). A new "technical system leadership" function would shore up the availability of emergency calling so that reaching police, fire, and ambulance services survives a partial network failure. Consumer-protection provisions target caller-ID spoofing and number misuse, empowering Fedpol and BACS to block fraudulent numbers and domains (Netzwoche).
Two provisions are more consequential. First, providers would be required to diversify equipment across multiple suppliers, explicitly to "reduce dependence on individual companies," with the state reserving authority to bar equipment from suppliers judged to be controlled by hostile foreign powers. Second, the draft would require the major operators — Swisscom, Sunrise, and Salt, plus full MVNOs — to run their network and security operations centres exclusively inside Switzerland (ICLG Telecoms 2026).
The strongest case for acting
The regulator's case is not a strawman, and it deserves to be stated at full strength. Telecom networks are the substrate everything else depends on, and a single dominant vendor in the radio access or core network is a genuine single point of failure — technically and geopolitically. Europe learned this the hard way over 5G, and the EU has since moved from voluntary guidance to binding rules: the draft Cybersecurity Act revision presented on 20 January 2026 would force mobile operators to rip out components from designated high-risk suppliers within three years (Taylor Wessing). Against that backdrop, Switzerland's instinct to mandate supplier plurality and to keep incident-response capability close to home is defensible. Concentration is a real risk, and a small open economy that imports nearly all its network gear is right to think about leverage in a crisis.
Much of the package follows directly from that logic and should be welcomed. Incident reporting to BACS simply codifies the 24-hour rule already binding on critical-infrastructure operators since April 2025 (ICLG). Hardening emergency-call resilience is the kind of narrow, high-value intervention regulation exists for. Anti-spoofing measures protect consumers against a fraud vector that imposes real losses. None of this is heavy-handed; it is the maintenance work of a modern network state.
Where proportionality starts to fray
The trouble lies in the two structural provisions, where the drafting shifts from managing risk to managing markets. A discretionary power to ban suppliers "controlled by hostile states" is only as good as the criteria and process attached to it. Switzerland's neighbours have demonstrated both how to do this and how not to: blanket, name-the-vendor bans invite retaliation, strand sunk investment, and substitute political signalling for engineering judgment. If the FMG empowers the executive to exclude suppliers without published, evidence-based criteria, an appeal route, and proportionality review, it will chill investment and hand the government a lever that outlives any specific threat.
The onshoring mandate is more worrying still. Requiring that every operations and security centre sit physically in Switzerland conflates location with security. A SOC's resilience is a function of its architecture, staffing, and access controls — not its postcode. For three operators in a market where Swisscom already holds roughly 54% of mobile subscriptions, a hard localization rule raises fixed costs, forecloses the shared and cross-border security operations that smaller players rely on, and entrenches the incumbent that can most easily absorb the expense. The likely result is less competition and higher prices, paid by Swiss consumers, in exchange for a security gain that good contractual and technical controls could deliver without the geographic straitjacket.
Getting the consultation right
The fix is not to abandon the bill but to discipline it. Supplier-exclusion powers should be anchored in transparent, technology-neutral risk criteria, applied through a reviewable administrative process rather than executive fiat, and paired with realistic transition timelines so operators are not forced into costly rip-and-replace on short notice. The diversification duty should be framed as an outcome — demonstrable resilience and absence of single points of failure — not as a quota that regulators police vendor by vendor. And the onshoring requirement should be replaced with capability and sovereignty-of-control standards: Switzerland can insist that authorities retain effective access and oversight in a crisis without dictating where a server room sits.
Switzerland enters this debate from a position of strength — a liberalized market open to foreign capital for 25 years, with an independent regulator and competitive infrastructure. The consultation running to September gives operators, vendors, and civil society the chance to keep it that way: to ensure the FMG revision buys genuine resilience rather than a more expensive, more concentrated, and quietly more protectionist telecom sector. Security and openness are not in tension here. The drafting just has to be honest about which one each clause is actually serving.