The Information Security Act aims in particular to minimise the risks of critical infrastructures

In December 2020, the National Council and the Council of States adopted the new Federal Act on Information Security at the Confederation (Information Security Act, ISG). Subject to a successful referendum, the new law will probably enter into force in the course of 2021.

The aim of the Act is, on the one hand, the secure processing of information for which the Confederation is responsible, and, on the other hand, the secure use of the Confederation's IT resources. The ISG obliges not only the federal authorities, but also cantonal authorities and private-law companies that support the Confederation in the performance of its tasks. The Confederation thus seeks close cooperation with the cantons and the private sector in order to counter the current, ever-increasing cyber dangers.

The operators of critical infrastructures, i.e. infrastructures that are essential for the functioning of society, the economy and the state, play a special role here. In addition to the federal and cantonal authorities and the state security organisations, this concerns the sectors

• Energy
• Waste disposal
• Finance
• Health
• Information and Communication
• Food
• Transport

and thus large parts of the private sector in our country.

The new ISG is based on internationally recognised standards, in particular ISO 27001. In order to sustainably and economically improve information security at the Confederation and to achieve the most uniform level of security possible between the federal authorities, the law focuses on the most critical information and systems as well as on the standardisation of security measures.

Not least because of the rapid technological development, the ISG does not specify detailed measures. It merely creates a formal legal framework on the basis of which the federal authorities can specify information security as uniformly as possible at the ordinance and directive level. The ISG addresses the following topics in particular:

• Risk management
• Information classification
• IT security
• Personnel measures
• Physical protection
• Identity and Access Management (IAM) systems
• Individual security screening
• Operational security assessment (awarding of security-sensitive contracts to external partners)
• Operation of critical infrastructures

All federal and cantonal authorities, as well as private companies subject to the Act, must in principle implement the requirements by the time the Act comes into force. Transition periods are only provided for individual requirements.

Information Security Act: Advice and support

Is your company affected by the Information Security Act when it comes into force?

In order to be able to advise our clients optimally, we continue to follow the development of the new Information Security Act closely. We would be happy to advise you on whether and in what form the ISG could also affect your company or organisation.