On 8 November 2023, the Federal Council decided to bring the Information Security Act (FAISC) and its four implementing ordinances into force on 1 January 2024. The four ordinances are:
- Information Security Ordinance (ISO)
- Ordinance on Security Checks on Persons (VPSP)
- Ordinance on the Company Security Procedure (VBSV)
- Ordinance on Federal Identity Management Systems and Directory Services (IAMV)
The FAISC and its implementing ordinances replace the following ordinances:
- Cyber Risks Ordinance (CyRV of 27 May 2020)
- Information Protection Ordinance (IPO of 4 July 2007)
Obligation to report cyberattacks on critical infrastructures (Source: DDPS)
On 29 September 2023, Parliament passed an amendment to the Information Security Act (FAISC), which introduces a reporting obligation for cyberattacks on critical infrastructure.
This reporting obligation is not yet in force, as implementing provisions still have to be drawn up. The Federal Council is expected to hold a consultation on them in the first half of 2024. Current planning foresees the reporting obligation entering into force on 1 January 2025.
The Information Security Act (FAISC) at a glance
The aim of the Act is, on the one hand, the secure processing of information for which the Confederation is responsible, and, on the other hand, the secure use of the Confederation’s IT resources. The FAISC obliges not only the federal authorities, but also cantonal authorities and private-law companies that support the Confederation in the fulfilment of its tasks.
Key areas of the new FAISC
Not least due to the rapid pace of technological development, the FAISC does not specify any detailed measures. It merely creates a formal legal framework on the basis of which the federal authorities specify information security as uniformly as possible at ordinance and directive level. The FAISC addresses the following topics in particular:
- Information security
- Risk management
- Cooperation with third parties
- Information security breaches (incident management)
- Classification of information
- IT security (incl. OT security)
- Personnel measures
- Physical protection
- Identity management systems (identity and access management, IAM)
- Security checks on persons
- Company security procedure (awarding security-sensitive contracts to external partners)
- Operation of critical infrastructures
Significance for operators of critical infrastructures
The operators of critical infrastructures, i.e. infrastructures that are essential for the functioning of society, the economy and the state, play a special role here. In addition to the federal and cantonal authorities and state security organisations, this concerns the following sectors:
- Energy and drinking water supply
- Waste disposal
- Finance
- Healthcare
- Information and communication
- Food and drink
- Transport and traffic
- Safety and security
and thus large parts of the private sector in our country.
The Information Security Ordinance (ISO) at a glance
The Information Security Ordinance (ISO) regulates the tasks, responsibilities and competences for ensuring information security. Based on the FAISC, it defines a security organisation for the Federal Council, the departments and the administrative units, distinguishing between responsible and mandated roles at each of these levels. It also establishes the Federal Information Security Unit, which is part of the new State Secretariat for Security Policy (SEPOS) within the DDPS. In addition, the Federal Office for Cybersecurity (BACS), formerly the National Cyber Security Centre (NCSC), is also located within the DDPS and starts operation on 1 January 2024.
The ISO regulates the core areas of the FAISC listed above in detail. It places a particular focus on the management of information security and defines minimum requirements in the following areas:
- Development and operation of an information security management system (ISMS)
- Compliance with legal requirements and contractual obligations
- Inventory of assets
- Risk management
- Cooperation with third parties
- Training and awareness
- Incident management
- Controls and audits
- Reporting
The most important point is the establishment of an information security management system (ISMS). If the ISMS is set up in accordance with the internationally recognised ISO 27001:2022 standard, the standard's clauses and Annex A controls cover most of the other topics listed above. The classification and reporting requirements specific to the ordinance still have to be mapped onto the ISMS explicitly.
Transitional deadlines
The ISO defines the following transitional periods:
- By 31 December 2024: creation of the classification catalogue
- By 31 December 2025: protection needs analysis and classification of IT resources in accordance with the new legislation
- By 31 December 2026: development of the ISMS
Information Security Act: Advice and support
If you are wondering whether your company is affected by the provisions of the new FAISC, you have come to the right place.
An overview of our services:
- Advice on all aspects of the FAISC: We closely follow the developments of the FAISC in order to provide you with the best possible advice.
- Setting up an information security management system (ISMS): We have extensive experience in setting up and operating ISMSs in accordance with ISO 27001:2022, including at federal level. We can support you as a project manager, with an entire project team or as a consultant and coach.
- Development and training of security organisations: We train the role holders of security organisations so that they can perform their tasks.
- Reporting obligations: We help you to develop a system for recognising incidents and clarify which reporting obligations you are subject to. This is always in coordination with other legal requirements such as the Data Protection Act.
- Contract management: Advice and support in drawing up contracts with third parties that take information security aspects into account.
- Synergies and process optimisation: We create interfaces with other regulations or areas of integral security (data protection, IT security, business continuity and crisis management, physical security). Our goal: to standardise and optimise processes and exploit synergies.
Please get in touch with us!
We are at your disposal for all questions relating to the FAISC. Simply send your enquiries directly to us – we will provide you with comprehensive and competent advice.