EU 20th-package managed-security-services ban in force from 25 May — Switzerland adopted listings only; MSS prohibition deferred

Resolving the open W21 compliance question. The EU's 20th Russia sanctions package introduced — effective 25 May 2026 — a prohibition on providing managed security services (cybersecurity risk management, incident handling, penetration testing, security audits and related consulting) to the Russian government and Russian-established entities, extending to Russian subsidiaries of EU-incorporated companies absent a national-competent-authority licence. No European Commission interpretive guidance on the MSS scope had been published by end-May, so a conservative reading still applies. The Swiss answer is now confirmed: Switzerland's 22 May adoption covered the listings only — the substantive measures, including the MSS prohibition, were deferred (reporting points to a summer timeline). The practical consequence is a temporary CH/EU asymmetry: an EU-incorporated MSSP is already barred from servicing a Russian-established client, while the equivalent Swiss obligation is not yet in domestic force. Cross-border CH firms with EU entities should govern to the stricter EU line now rather than the Swiss timeline, and re-confirm no EDR/SIEM/connector service is operated under contract with a Russian-established entity.