In May 2010 the Federal Council initiated proceedings to adopt a new information security law applicable to all federal authorities, in light of the fact that those authorities were likely to:
- become increasingly exposed to new dangers introduced by IT advancements; and
- have to process increasingly large volumes of data (eg, personal data, business and manufacturing secrets and classified information) on a daily basis.
On 18 December 2020, after almost 10 years, the parliamentary chambers approved the Information Security Act (ISA).(1)
The ISA defines the minimum requirements that all federal authorities must fulfil to protect their information and IT infrastructure. It combines various key measures relating to:
- risk management;
- information classification;
- IT security;
- security checks on people; and
- federal support for operators of critical infrastructures in the field of information security.
To make information security more sustainable and cost-efficient, and to achieve a level of security that is as uniform as possible across federal authorities, the ISA focuses on the most critical information systems and aims to harmonise federal measures.
However, the ISA does not establish any specific information security measures. This omission is deliberate; the speed of technological developments could render such measures obsolete. Instead, the ISA intends to create a formal legal framework based on which federal authorities can implement information security as uniformly as possible through ordinances and internal directives.
Notably, the ISA maintains the principle of administrative transparency. Therefore, Article 4 of the ISA expressly provides for the primacy of the Freedom of Information Act 2004.(2)
Further, security checks on people will be regulated through the ISA instead of the Federal Act on Measures to Safeguard Internal Security 1997.(3) The provisions governing these checks will be adapted to current information security needs. The Federal Council intends to limit security checks to the minimum necessary to identify significant risks, so the number of checks should be reduced considerably.
While the ISA is primarily aimed at federal authorities, the Federal Council also intends to improve cooperation with the cantons, which must ensure that equivalent information security measures are in place when they process classified federal information or use federal IT resources.
Similarly, while the private sector is not targeted directly, Article 9 of the ISA requires federal authorities to ensure that the requirements and measures that the act provides for are included in any contracts that they enter into with third parties. Further, under Article 29(1)(c) of the ISA, private entities must undergo a security check if an authority subject to the ISA requires them to carry out services that involve the performance of a 'sensitive activity', as defined by Article 5(b) of the ISA.
The Federal Council has yet to set the date on which the ISA will enter into force. Nevertheless, its approval is a welcome milestone: it concludes a long parliamentary process and puts information security in the federal public sector on a uniform legal footing.