Skip to content
Rautaki
Does the EU AI Act apply to Swiss nonprofits?

EU AI Act: What applies to Swiss nonprofits?

Yes — potentially. The EU AI Act reaches Swiss nonprofits through its extraterritorial effect whenever AI outputs are used in the EU.

Published

Yes — in certain circumstances. The EU AI Act (Regulation (EU) 2024/1689) applies not only to organisations based in the EU: through its extraterritorial effect it also captures Swiss nonprofits — namely whenever the output of their AI system is used in the EU. For purely domestic Swiss applications, such as a chatbot intended exclusively for Swiss members, the Regulation generally does not apply directly; here the revised Data Protection Act (revDSG) governs today, and a dedicated Swiss AI regulation is in preparation. What matters is the current state of play: the key deadlines shifted in 2026 — the obligations for high-risk systems now apply only from December 2027, while the prohibitions and the AI literacy obligation have been in force since February 2025.

The key points at a glance

  • Extraterritorial: What is decisive is not your registered office but where the output of your AI system is used. If the output lands in the EU, the AI Act can apply (Art. 2).
  • Four risk classes: From "unacceptable" (prohibited) through "high" and "limited" (transparency) to "minimal". The obligations follow the risk class, not the technology deployed.
  • Deadlines shifted: The Digital Omnibus (June 2026) moved the high-risk obligations from August 2026 to December 2027. The prohibitions and AI literacy, however, have applied since February 2025.
  • Switzerland separate: Not EU law, but the revDSG today — and a consultation draft implementing the Council of Europe AI Convention is announced for the end of 2026.

When the EU AI Act affects Swiss organisations

The territorial scope is set out in Article 2 of the Regulation. What is decisive is not your organisation's registered office but your role and the place where the effect occurs. The AI Act captures providers and deployers from third countries — and Switzerland is legally a third country — as soon as the output produced by their AI system is used in the Union.

For a Swiss nonprofit, this means in concrete terms:

  • Donor scoring with an EU nexus: A model that prioritises donors and, in doing so, also assesses individuals in the EU produces an output that takes effect in the EU.
  • Chatbot for EU users: An advisory or support chatbot that you deliberately make accessible to individuals in the EU as well falls under the transparency obligations.
  • Programmes with an EU offshoot: If you run a chapter or project in an EU country and deploy an AI system there, you are a deployer there within the meaning of the Regulation.

If, by contrast, an AI system is operated exclusively in Switzerland and for Swiss purposes, it generally falls outside the direct scope — the revDSG remains unaffected by this.

The risk classes in brief

The AI Act regulates risks, not technologies. It distinguishes four levels — the same logic applied by our EU AI Act Compliance Checker (tool in German):

  • Unacceptable risk (Art. 5): Prohibited practices such as social scoring, manipulative techniques or emotion recognition in the workplace and in educational institutions. These systems are banned without exception.
  • High risk (Annex III): Systems in sensitive areas such as employment, education, creditworthiness or the administration of public benefits. They are subject to the most extensive obligations: risk management, technical documentation, human oversight and conformity assessment.
  • Limited risk (Art. 50): Transparency obligations. Anyone speaking to a chatbot or viewing AI-generated content must be able to recognise this.
  • Minimal risk: The vast majority of applications — such as spam filters or text suggestions. No specific obligations, though voluntary standards are recommended.

The timeline — as of July 2026

The Regulation entered into force on 1 August 2024 and becomes applicable in stages. The much-cited deadline of 2 August 2026 has since lost some of its bite: with the Digital Omnibus, which the Council of the EU finally adopted on 29 June 2026, the obligations for high-risk systems were pushed back.

  • Since 2 February 2025: Prohibited practices (Art. 5) and the AI literacy obligation (Art. 4) apply.
  • Since 2 August 2025: Obligations for general-purpose AI models (GPAI).
  • From 2 August 2026: Transparency obligations under Art. 50 (chatbots, AI-generated content). This deadline stands.
  • Now from 2 December 2027: Obligations for standalone high-risk systems (Annex III) — postponed from August 2026.
  • From 2 August 2028: High-risk systems embedded in regulated products (Annex I).

The formal publication in the EU Official Journal was expected for mid to late July 2026; the new deadlines become legally binding once the amendment enters into force. The postponement creates breathing room for high-risk preparation — but it lifts neither the applicable prohibitions nor the AI literacy obligation.

And Switzerland?

Switzerland is not an EU member — the AI Act does not apply here as such. What governs today is the revised Data Protection Act (revDSG), in force since September 2023. It applies to any processing of personal data by AI systems: transparency, a record of processing activities and, for automated individual decisions, specific information obligations.

A dedicated Swiss AI regulation is taking shape. On 12 February 2025, the Bundesrat (Federal Council) decided to ratify the Council of Europe AI Convention; to that end, the Bundesamt für Justiz (Federal Office of Justice) is preparing a consultation draft by the end of 2026, intended to address transparency, data protection, non-discrimination and oversight. In doing so, Switzerland is opting for a sector-specific approach rather than a comprehensive horizontal law along EU lines.

For practical purposes, this means: the EU AI Act serves as a de facto reference framework. Anyone who aligns their systems today with its risk classes not only meets potential EU obligations but is also well prepared for the forthcoming Swiss regulation.

What Swiss nonprofits should do now

  1. Create an inventory. List all AI systems your organisation uses — including bought-in tools and AI features within existing software.
  2. Check for EU exposure. For each system, establish whether an output is used in the EU or concerns individuals in the EU. This determines whether it falls within scope.
  3. Determine the risk class. Assign each system to one of the four classes. In twelve questions, the EU AI Act Compliance Checker provides an initial classification.
  4. Build AI literacy. The AI literacy obligation (Art. 4) already applies. For volunteer-run (militia) structures, a pragmatic, lightly documented training of the active members is often sufficient.
  5. Factor in the revDSG. Independently of the AI Act, Swiss data protection law applies to any AI application involving personal data. Review transparency and your record of processing activities.

Unsure which risk class your system falls into? In twelve questions, the EU AI Act Compliance Checker gives you an immediate risk classification with a concrete list of measures. And if you would like to sharpen the assessment for your organisation together, arrange a free initial consultation.

This article provides general guidance and does not constitute legal advice.

Harry Witzthum
Harry Witzthum

Founder of Rautaki · Doctor of Philosophy · NPO manager VMI


Facing a concrete decision? We will assess your starting position in a free initial consultation.