ISG revision: consequences & obligations for critical infrastructure operators [Part 1]

Author
Markus Limacher
Published
14. April 2023

Both information security and cyber security will be strengthened at the legislative level in 2023. Switzerland’s Federal Information Security Act (ISG) and its revision place obligations on a wide range of players, regulate their duties and roles and also contain guidelines. Companies – especially operators of critical infrastructures – should therefore make sure they are properly informed and prepared at an early stage. We will help you do just that in a two-part blog article in collaboration with MME.

First, the remaining articles of the Information Security Act (ISG) will take effect this year (2023). The Act aims to regulate the security of the Swiss government’s information and IT resources uniformly across all federal authorities and organisations with the aim of strengthening overall information security. The focus will be on the critical information and systems as well as the standardisation of measures.

And second, the ISG is going through some changes related to cyber security. The revision of the ISG – provisional version – should also come into force this year. This introduces a reporting obligation for cyber attacks, which, due to the broad definition of the term, places a particular obligation on the operators of critical infrastructures. This obligation applies both to the operators of critical infrastructures themselves as well as for example to the developers of the systems used by the critical infrastructures. 

 

--- Update as of April 2024 ---

The Information Security Act (Informationssicherheitsgesetz, ISG) and the associated Ordinance on Information Security in the Federal Administration and the Armed Forces (Informationssicherheitsverordnung, ISV), the Ordinance on Personnel Security Checks (VPSP) and the Ordinance on Operational Security Procedures (VBSV) entered into force on 1 January 2024.

A revision of the ISG (obligation to report cyber attacks on critical infra-structure) has been adopted and is scheduled to enter into force on 1 January 2025. In addition, the former National Cyber Security Centre (NCSC), which was previously part of the Federal Department of Finance (FSF), has been transformed into the new Federal Office for Cyber Security (Bundesamt für Cybersicherheit, BACS). BACS has now been integrated into the Federal Department of Defence, Civil Protection and Sport (DDPS).

New requirements and duties due to the ISG and its revision

The ISG contains a whole range of requirements (Art. 6-26 ISG) relating to information security for qualifying organisations and authorities (definition in Art. 2 ISG). These include, but are not limited to:

  • Information Security Management System (ISMS): Qualifying authorities and organisations must create and implement an ISMS that meets the requirements of the ISG. This includes assessing the need for protection of information (Art. 6 ISG) and, if necessary, classifying it (Art. 11-15 ISG), identifying and continuously assessing risks (Art. 8 ISG), establishing a security procedure as well as security measures related to information technology resources (Art. 16-19 ISG) and ensuring both personnel-based as well as physical protection (Art. 20-23 ISG) along with identity management systems (Art, 24-26 ISG).
  • Information: Qualifying authorities and organisations must identify information they process, assess its need for protection (Art. 6 ISG) and classify the information (Art. 11-15 ISG). In addition, it must be ensured that appropriate protective measures are taken to protect this information from unauthorised access, loss, disruption or misuse (Art. 6-10 ISG).
  • Risk management: Qualifying authorities and organisations must have risks under control in their own area of responsibility as well as in cooperation with third parties. The most suitable measures for risk avoidance and reduction must be taken. Residual risks must be clearly identified, and evidence provided that they have been accepted and are being managed accordingly (Art. 8 ISG).
  • Information technology resources: Qualifying authorities and organisations shall establish a security procedure to ensure information security when using information technology resources. The IT resources must be assigned a security level, which also entails minimum requirements and security measures (Art. 16-19 ISG).
  • Personnel: Qualifying authorities and organisations must ensure that individuals who have access to federal information, information technology resources, premises, and other infrastructure are carefully selected and identified according to risk. They must be informed about the requirements of the ISG and the relevant security measures and undergo initial and ongoing training in accordance with their pay grade (Art. 20 ISG).
  • Premises and areas: Qualifying authorities and organisations must reduce those risks posed by physical threats (human actions, natural hazards). Premises and areas may be assigned to security zones, which may involve appropriate controls (e.g. bag checks, etc.) (Art. 22-23 ISG).
  • Cooperation with third parties: When cooperating with third parties that are not subject to the ISG, the qualifying authorities and organisations must ensure that the statutory measures are observed when placing and executing orders. The security measures shall be regulated by contract (Art. 9 ISG).

The revision of the ISG (BBI 2023 84 – Botschaft zur Änderung des Informationssicherheitsgesetzes – Einführung einer Meldepflicht für Cyber-Angriffe auf kritische Infrastrukturen) provides for new regulations regarding cyber security (Art. 73a-79 revISG):

  • Voluntary reporting of cyber incidents and vulnerabilities: Reports of cyber incidents (including cyber threats) and vulnerabilities in information technology assets can still be voluntarily reported to the Federal Office for Cyber Security (BACS, previously: National Cyber Security Centre, NCSC). This possibility is not limited to operators of critical infrastructures, but is open to any person – even anonymously (Art. 73b revISG).
  • Removal of vulnerabilities: The BACS informs the manufacturers of the affected software or hardware about reported vulnerabilities and sets a reasonable deadline for them to remedy it. Failure to remedy the situation in a timely manner or ignoring it may be sanctioned under procurement law (Art. 73b revISG).
  • Obligation to report cyber attacks: Operators of critical infrastructures or authorities and organisations subject to reporting requirements must report cyber attacks having a serious impact to the BACS within 24 hours of their detection (Art. 74a-e revISG).
  • Violation of the obligation to report: An authority or organisation subject to the duty to report may be punished if it fails to comply with its obligation – after having been set a deadline twice – with a fine of up to CHF 100,000 (Art. 74g-74h revISG).

 

Parliament adopted the amendments to the ISG on 29 September 2023. The implementing regulations have not yet been issued. It is currently planned that the reporting obligation will come into force on 1 January 2025.

Relationship of trust between BACS and notifiers

The Law on Public Access (BGÖ) takes precedence over the ISG (Art. 4 para. 1 ISG). This essentially means that all persons have access to the Swiss government’s official documents and information, unless exceptions or a balancing of interests apply. The revision of the ISG makes an exception to this rule in that third-party information of which the BACS becomes aware through the receipt and analysis of cyber incident reports is excluded from the right of access under BGÖ (Art. 4 para. 1bis revISG).

This means that the BACS may not generally publish or share information about cyber incidents that contains personal data or data about legal entities unless consent has been obtained for this purpose (Art. 73c revISG). The BACS may only share information that allows conclusions to be drawn about the notifiers or persons concerned without permission (Art. 73d revISG) in two exceptional cases: 

  • Sharing with the Federal Intelligence Service (NDB) is permitted if the information is relevant for assessing the threat situation or for early warning of critical infrastructure.
  • Sharing with the criminal justice authority is allowed if the report contains information about serious crimes. However, the referral is solely at the discretion of the BACS manager, as the duty to report crimes has been waived for BACS employees.

In order to further underpin the relationship of trust, note that at the legislative level that authorities and organisations subject to the reporting obligation are not required to provide any information that would incriminate them under criminal law (Art. 74e revISG).

The ISG and its revision – continued in part 2

Let’s summarise: The ISG and its revision contain a whole range of requirements for qualifying players, especially operators of critical infrastructures, and also provides for new regulations with regard to cyber security. Likewise, trust between the BACS and the notifiers should be strengthened. The second part of the article contains further information, other consequences and obligations faced by the players and the specific next steps for you. You don’t want to miss it? Then subscribe to our blog updates for email alerts about the latest articles.

Subscribe to our Blog Updates now!

 

This blog article was created in friendly cooperation with MME. Many thanks to Dr. Martin Eckert (Legal Partner) and Noëlle Glaus (Legal Associate) for their professional contribution. On MME’s blog you can also find an article on the new Information Security Act. 

Share article