FINMA Compliance: DevSecOps Strategies for Securing the Swiss Financial Ecosystem
The Swiss Financial Market Supervisory Authority (FINMA) sets strict requirements to ensure that financial institutions operating in Switzerland maintain robust security and operational resilience. FINMA’s guidelines are crucial for protecting sensitive financial data, minimizing risks, and maintaining trust in the Swiss financial ecosystem. As part of that, software supply chain security plays an essential role in meeting these compliance requirements.
At JFrog, we help organizations meet FINMA compliance requirements by strengthening their security posture, securing their software supply chain, and ensuring they adhere to the applicable cybersecurity and risk management standards.
Who Needs to Comply?
FINMA compliance applies to Swiss-based organizations and foreign entities offering services within Switzerland’s financial market, including:
- Banks and Financial Institutions: Retail, investment, and private banks.
- Insurance Companies: Life, non-life, and reinsurance providers.
- Asset Managers and Investment Funds: Companies managing portfolios for institutional and private investors.
- Financial Market Infrastructures: Stock exchanges, central securities depositories, and payment systems.
- Outsourcing Partners: Third-party providers handling critical IT, software, or operational services for regulated institutions.
- Foreign Entities: Entities offering services directly to the Swiss market or partnering with FINMA-supervised organizations.
What is FINMA Compliance?
As of January 2025, FINMA compliance is mandatory for all financial institutions operating in the Swiss market, with an emphasis on robust security measures and DevSecOps practices. Essentially, FINMA compliance means adhering to regulations set by the Swiss Financial Market Supervisory Authority to ensure financial institutions operate securely, manage risks effectively, and maintain high standards of cybersecurity, stability, and operational reliability. As digital tools become more pervasive in finance, FINMA places increased emphasis on cybersecurity and software supply chain integrity, requiring DevSecOps practices that safeguard software artifacts and continuously monitor for vulnerabilities.
Top Guidelines for Achieving FINMA Compliance and Securing the Software Supply Chain
Below is a list of the key areas that must be considered to meet the latest guidelines:
- Governance and Risk Management: Security must be integrated into governance frameworks and DevOps practices, ensuring proactive risk management and compliance throughout the software development lifecycle (SDLC).
- IT and Cyber Risks: IT and cyber risks have to be mitigated by embedding security throughout the SDLC, including continuous monitoring, threat assessment, and vulnerability management.
- Inventory and Risk Classification: A centrally managed inventory of software components and dependencies should be maintained, with risk classifications that recommend which security measures should be taken based on threat analysis and prioritization.
- Data Quality for AI: Ensure data used in AI systems is accurate, representative, and secure to prevent vulnerabilities, biases, and operational risks.
- Continuous Testing and Monitoring: Continuous testing and monitoring must be integrated across the software supply chain to ensure security, compliance, and performance stability.
How can the JFrog Platform help?
Achieving compliance can become complex, especially when managing security across DevOps, MLOps, and general Software Supply Chain operations.
A platform approach helps organizations meet these requirements by integrating security, risk management, and compliance throughout the software development lifecycle.
Here are some recommendations on how to address the top challenges:
Governance and Risk Management
Challenge: Integrating security into governance frameworks and ensuring continuous compliance across DevOps practices can be overwhelming, especially with distributed teams and evolving software supply chains.
Platform Approach:
- Release Lifecycle Management (RLM) provides visibility and control over the entire software lifecycle, allowing teams to enforce governance policies at every stage.
- Evidence Management helps document every build, artifact, and deployment, ensuring audit readiness for compliance purposes.
IT and Cyber Risks
Challenge: Cyber risks can enter at any point in the software lifecycle, particularly through third-party dependencies and open-source components. Continuous security monitoring is essential to mitigate these risks.
Platform Approach:
- JFrog Curation automatically filters and blocks non-compliant or malicious open-source packages before they enter your pipeline.
- JFrog Runtime extends protection to live environments, helping detect and remediate vulnerabilities in real time.
Inventory and Risk Classification
Challenge: Managing a comprehensive inventory of software components, dependencies, and their associated risks is crucial for prioritizing security efforts and ensuring regulatory compliance.
Platform Approach:
- JFrog Artifactory is a centrally managed software artifact repository providing full traceability of all software components for every application at all stages of the SDLC.
- JFrog Advanced Security offers Contextual Analysis, which allows teams to prioritize vulnerabilities based on actual impact, reducing false positives and focusing on what matters most.
Data Quality for AI
Challenge: Poor-quality or unverified data can lead to flawed AI models, biases, and security vulnerabilities, which FINMA specifically addresses in its guidelines for AI governance.
Platform Approach:
- JFrog ML enables end-to-end management of AI models and data pipelines, ensuring that only trusted data is used for model training and deployment.
- Scanning AI repositories such as Hugging Face helps secure third-party data and models, protecting against backdoor attacks and malicious packages.
Continuous Testing and Monitoring
Challenge: Ensuring that applications remain compliant and secure requires continuous testing, monitoring, and validation throughout the software lifecycle.
Platform Approach:
- Automated vulnerability scanning and policy enforcement through JFrog’s security tools ensure continuous compliance checks for all artifacts in development and production.
- Continuous monitoring of all artifacts and AI models helps detect anomalies and prevent issues related to data drift and bias.
JFrog’s Platform Approach to FINMA Compliance
The JFrog Platform provides security and compliance verification at every stage of the SDLC
By adopting a unified platform approach, organizations can reduce complexity, enhance visibility, and integrate security seamlessly into DevOps, MLOps and Security practices. This ensures that security and compliance are not afterthoughts but embedded throughout the development process.
This approach aligns well with FINMA’s focus on governance, risk management, and operational resilience, enabling institutions to respond quickly to emerging threats while staying audit-ready by providing compliance verification that is recognized by regulatory authorities.
See for yourself how JFrog helps meet the latest FINMA guidelines by taking an online tour or scheduling a one-on-one demo at your convenience.