Both information security and cyber security will be strengthened at the legislative level in 2023. Switzerland’s Federal Information Security Act (ISG) and its revision place obligations on a wide range of players, regulate their duties and roles and also contain guidelines. Companies – especially operators of critical infrastructures – should therefore make sure they are properly informed and prepared at an early stage. We will help you do just that in a two-part blog article in collaboration with MME.
First, the remaining articles of the Information Security Act (ISG) will take effect this year (2023). The Act regulates the security of the Swiss government’s information and IT resources uniformly across all federal authorities and organisations, with the aim of strengthening overall information security. The focus is on critical information and systems as well as on the standardisation of measures.
And second, the ISG is going through some changes related to cyber security. The revision of the ISG – provisional version – should also come into force this year. It introduces a reporting obligation for cyber attacks which, due to the broad definition of the term, places a particular obligation on the operators of critical infrastructures. This obligation applies not only to the operators of critical infrastructures themselves but also, for example, to the developers of the systems used by those infrastructures.
--- Update as of April 2024 ---
The Information Security Act (Informationssicherheitsgesetz, ISG) and the associated Ordinance on Information Security in the Federal Administration and the Armed Forces (Informationssicherheitsverordnung, ISV), the Ordinance on Personnel Security Checks (VPSP) and the Ordinance on Operational Security Procedures (VBSV) entered into force on 1 January 2024.
A revision of the ISG (obligation to report cyber attacks on critical infrastructure) has been adopted and is scheduled to enter into force on 1 January 2025. In addition, the former National Cyber Security Centre (NCSC), which was previously part of the Federal Department of Finance (FDF), has been transformed into the new Federal Office for Cyber Security (Bundesamt für Cybersicherheit, BACS). BACS has now been integrated into the Federal Department of Defence, Civil Protection and Sport (DDPS).
The ISG contains a whole range of requirements (Art. 6-26 ISG) relating to information security for qualifying organisations and authorities (definition in Art. 2 ISG). These include, but are not limited to:
The revision of the ISG (BBl 2023 84 – Botschaft zur Änderung des Informationssicherheitsgesetzes – Einführung einer Meldepflicht für Cyber-Angriffe auf kritische Infrastrukturen) provides for new regulations regarding cyber security (Art. 73a-79 revISG):
Parliament adopted the amendments to the ISG on 29 September 2023. The implementing regulations have not yet been issued. It is currently planned that the reporting obligation will come into force on 1 January 2025.
The Law on Public Access (BGÖ) takes precedence over the ISG (Art. 4 para. 1 ISG). This essentially means that all persons have access to the Swiss government’s official documents and information, unless exceptions or a balancing of interests apply. The revision of the ISG makes an exception to this rule in that third-party information of which the BACS becomes aware through the receipt and analysis of cyber incident reports is excluded from the right of access under BGÖ (Art. 4 para. 1bis revISG).
This means that, as a general rule, the BACS may not publish or share information about cyber incidents that contains personal data or data about legal entities unless consent has been obtained for this purpose (Art. 73c revISG). Without such consent, the BACS may share information that allows conclusions to be drawn about the notifiers or the persons concerned only in two exceptional cases (Art. 73d revISG):
In order to further underpin this relationship of trust, it should be noted that, at the legislative level, authorities and organisations subject to the reporting obligation are not required to provide any information that would incriminate them under criminal law (Art. 74e revISG).
Let’s summarise: The ISG and its revision contain a whole range of requirements for qualifying players, especially operators of critical infrastructures, and also provide for new regulations with regard to cyber security. Likewise, trust between the BACS and the notifiers is to be strengthened. The second part of the article contains further information, the other consequences and obligations faced by the players, and the specific next steps for you. You don’t want to miss it? Then subscribe to our blog updates for email alerts about the latest articles.
This blog article was created in friendly cooperation with MME. Many thanks to Dr. Martin Eckert (Legal Partner) and Noëlle Glaus (Legal Associate) for their professional contribution. On MME’s blog you can also find an article on the new Information Security Act.