09 April 2021
In May 2010 the Federal Council initiated proceedings to adopt a new information security law, applicable to all federal government levels, in light of the fact that federal authorities were likely to:
On 18 December 2020, after almost 10 years, the parliamentary chambers approved the Information Security Act (ISA).(1)
The ISA defines the minimum requirements that all federal authorities must fulfil to protect their information and IT infrastructure. It combines various key measures relating to:
To improve information security sustainability and cost efficiency and achieve levels of security that are as uniform as possible among federal authorities, the ISA focuses on the most critical information systems and aims to harmonise federal measures.
However, the ISA does not establish any specific information security measures. This omission is deliberate; the speed of technological developments could render such measures obsolete. Instead, the ISA intends to create a formal legal framework based on which federal authorities can implement information security as uniformly as possible through ordinances and internal directives.
Notably, the ISA maintains the principle of administrative transparency. Therefore, Article 4 of the ISA expressly provides for the primacy of the Freedom of Information Act 2004.(2)
Further, security checks on people will be regulated through the ISA instead of the Federal Act on Measures to Safeguard Internal Security 1997.(3) The provisions which govern these checks will be adapted to existing information security needs. The Federal Council intends to limit the number of security checks to the minimum necessary to identify considerable risks. Therefore, the number of checks should be significantly reduced.
While the ISA is primarily aimed at federal authorities, the Federal Council also intends to improve cooperation with the cantons, which must ensure that equivalent information security measures are in place when they process classified federal information or use federal IT resources.
Similarly, while the private sector is not targeted directly, Article 9 of the ISA requires federal authorities to ensure that the requirements and measures that the act provides for are included in any contracts that they enter into with third parties. Further, under Article 29(1)(c) of the ISA, private entities must undergo a security check if an authority subject to the ISA requires them to carry out services that involve the performance of a 'sensitive activity', as defined by Article 5(b) of the ISA.
The Federal Council is yet to establish when the ISA will enter into force. However, its approval is a welcome milestone which represents the conclusion of a long parliamentary process and will re-establish information security principles in the federal public sectors.
For further information on this topic please contact Jürg Schneider, Hugh Reeves or Ashley Robinson at Walder Wyss by telephone (+41 58 658 58 58) or email (email@example.com, firstname.lastname@example.org or email@example.com). The Walder Wyss website can be accessed at www.walderwyss.com.