Switzerland and the EU Tighten Cybersecurity Legislations

Published August 23, 2023, and updated on November 16, 2023.

Blog Image - EU IT Security Laws - NIS2 CH by Gregor Erismann.png

The Information Security Act in Switzerland Today

Latest Updates: On November 8, 2023, the Federal Council decided to bring the new Information Security Act (ISG) and the associated implementing ordinances into force from January 1, 2024. The ISG bundles the relevant legal bases for cybersecurity in one law and leads to a fundamental restructuring of cybersecurity by the federal government. The National Cyber Security Centre (NCSC) will be transformed into a federal office (BACS) and will no longer be responsible for IT security in the federal administration.

From January 1, 2024 onwards, a new specialist unit for information security will be set up, which will issue directives on IT security for the entire Federal Administration, can order audits and is responsible for dealing with major IT attacks. These tasks and responsibilities for the Confederation's self-protection will be transferred from the NCSC to the State Secretariat for Security Policy (SIPOL), which the Federal Council has also created within the Defence Department DDPS. In the future, the NCSC will focus solely on the protection of Switzerland's critical infrastructures.

Switzerland is speeding up its legal base for a secure digitalization: on September 1st, 2023, the totally revised Data Protection Act (DPA) and the implementing provisions in the new Data Protection Ordinance (DPO) will come into force. Due to the strong orientation towards the GDPR, there will be extra regulations (and extra adaption work for the companies) compared to the currently applicable Swiss data protection law: E.g. to run a register of processing activities, having data protection impact assessments for risk data processing, preparing for the granting of data subject rights, just to state some of it.

Already in 2020, the Federal Act on Information Security at the Confederation (Informationssicherheitsgesetz, ISG) passed the National Council as well as the Council of States. While the exact entry into force date of the law is still pending, some of the provisions will become directly effective without a transition period. The law is based on international information security standards, in particular ISO 27001, and aims to strengthen the Swiss information infrastructure.

With the Informationssicherheitsgesetz (ISG), the Swiss government has introduced IT security and cybersecurity management obligations for many parts of the Swiss administration, for important organizations and for companies such as – and especially – critical infrastructure.

The ISG is intended to ensure that obligated authorities and organizations, as well as critical infrastructure operators, minimize potential risks, continuously test and maintain their system stability and business continuity.

Accordingly, authorities, governmental and federal organizations, federal courts, the National Bank and many more are subject to the ISG (Art. 2) as well as organizations cooperating with them (Third Party) (Art. 9). Legal terms are declared (in Art. 5) especially on which IT resources are classified as "high protection” and the validation of the law on critical infrastructures and facilities, essential for the functioning of the economy or population, which include, among others, wastewater supply, energy supply, banks, insurance companies, health, transport, etc.

First and foremost, the ISG contains requirements for organizations, companies and authorities regarding information security (Art. 6-23 ISG). Under the Information Security Act (ISG), they are required to maintain and evaluate comprehensive and proactive information security and to take appropriate measures to protect data and digital assets from cyber incidents. It is particularly important to ensure the organizations ability to respond quickly to incidents and to monitor and improve the effectiveness of the protective measures taken or to assess the threat situation on an ongoing basis.

Information Security Management Systems in a Nutshell

Specifically, the ISG requires companies to establish an ISMS (Information Security Management System) that meets the requirements of the law. This includes:

assessing the need for protection (Art. 6),
classifying data (Art. 11-15),
assessing risks (Art. 8),
and ensuring IT practices (Art. 16-19).

Other crucial highlights of the required ISMS include:

Organizations covered by the law must continue to identify and assess the protection needs of their data (Art. 6) (Art. 11-15) in order to protect data, worthy of protection from loss and attack. Risk management (Art. 8) describes the measures taken to control risks internally and to third parties. Measures are defined to avoid and reduce risks and to manage residual risks.
For IT resources, security procedures must be defined, security levels assigned, and minimum requirements formulated (Art. 16-19).
Personnel measures include the careful selection of employees as well as their education and training on ISG and appropriate training (Art. 20).
When working with non-ISG partners, their compliance with the ISG Legal Ordinance (Art. 9) must be observed and contractually fixed.
Physical threats are to be countered by ISG companies through the designation of security zones with appropriate controls (Art. 22-23).

Specifically, the ISG requires companies to establish an ISMS (Information Security Management System) that meets the requirements of the law.

Reporting Duties, Deadlines and Fines: The Revision paragraphs

The revision of the ISG (73a-79 rev) adopted on January 12, 2022, describes, amongst other things, a reporting obligation for cyber-attacks on critical infrastructures as well as reporting options for cyber incidents and security breaches. Accordingly, operators of critical infrastructures must report cyber-attacks with the potential to cause damage to the authorities within 24 hours. If companies and responsible parties fail to do so intentionally or through gross negligence, they face fines of up to CHF 100,000 for violating the reporting obligation or failing to comply with deadlines (Art. 74a-h rev).

Cloud and service providers as well as hardware and software providers whose products are used by critical infrastructures are also subject to the active reporting obligation for cyber-attacks.

Cyber incidents and vulnerabilities in IT systems can still be reported voluntarily, of course; the reporting option is open to all companies and not only to operators of critical infrastructures (Art. 73b rev). This serves well to prevent, or combat cyberattacks in the future.

The NCSC as the Point of Contact

The National Center for Cybersecurity (NCSC) is considered the central reporting point for major cyberattacks here, reports are to be submitted via an electronic reporting form. This also notifies software vendors of reported vulnerabilities to their products and sets deadlines for remediation.
The bill and its revision received a clear majority in both the National Council and the Council of States. Only the extension to include a reporting requirement for "regular" serious vulnerabilities in computer systems was rejected by the Council, as the deputies expected companies to be overburdened. The difference revision will probably result in a final law which is currently still pending in the National Council.

More affected companies and higher penalties for non-compliance in the EU

The EU NIS2 directive establishes new cybersecurity obligations for companies in critical industries in the European Union as well. With the "NIS2" directive, the authorities expanded the group of companies that must meet stronger requirements for cybersecurity and reporting obligations in the event of security incidents.

From 2024 on, companies from a wide range of industries with more than 50 employees and 10 million Euros in sales must implement a dedicated cybersecurity management.

In Germany alone, around 29,000 companies and institutions will be affected by the new European regulations for critical infrastructure. This means that many new companies will also be subject to regulation in the future, that have not yet been counted among the operators of critical infrastructure. At the same time, the requirements for the so-called “KRITIS” (Kritische Infrastruktur) operators are becoming significantly more demanding.

Blog Image - Germany KRITIS IT Security Laws - NIS2 CH by Gregor Erismann.png

NIS2 expands the scope and the obligations

The new directive provides a strict obligation for companies in Germany, Austria, and the other EU countries to report incidents with the submission of a preliminary report within 24 hours and the application of additional cyber risk management measures. After the first reporting, a full report, including an initial assessment of the incident, must follow within 72 hours.

Significant incidents and substantial hazards must be fully reported and documented to the authorities again, within the month of the incident, along with further security management measures. The NIS2 reporting obligations include precise specifications on the process, content, and time frame of the reports.

Failure to comply can result in heavy fines. If the affected companies do not comply with the requirements of the directive, they can expect high fines that can be imposed by the national authorities. Penalties of up to €10 million or 2% of annual global turnover, whichever is greater, will be imposed on the essential sectors.

For the main sectors, the maximum penalty is up to 7 million Euros, or 1.4% of their respective turnover. The directive also includes measures such as on-site inspections, audits, and even the suspension or exclusion of executives.

All 27 EU member states must transpose the new obligation into their respective national laws by September 2024.

The EU NIS2 directive in a nutshell:

Sectors: Critical, essential entities increase to eleven sectors; important entities increase to seven sectors — for a total of eighteen NIS2 sectors.
Operators: All medium and large enterprises from 50 employees/EUR 10 million turnover in the sectors will be affected.
Cybersecurity: The demands on managing and handling cybersecurity and cyber-incidents, by operators and member states are increasing cybersecurity must also be ensured in its supply chains and with 3rd party vendors.
Cooperation: The supervision and cooperation in the EU between authorities and operators will be intensified, European jurisdiction will be tightened.
Sanctions: Penalties and enforcement actions will be significantly expanded - to maximum penalties of at least EUR 7 or 10 million, depending on the sector.

NIS2 DSG ISG Article Images - Industrial plant.png

The to-dos for the concerned companies today:

Analysing and assessing the security risks of the company's IT systems: prevention, detection, identification, containment, mitigation and response to incidents (incident response activities)
Ensuring business continuity and crisis management
Ensuring security in third party procurement, development and maintenance of networks and information systems
Testing and evaluating the effectiveness of IT security risk management measures

Conclusion

Various national and EU-wide regulations have tightened cybersecurity monitoring and reporting requirements for Swiss and EU companies. This makes it essential for companies to prioritize the monitoring, detection and reporting of cyber incidents. Among other measures, Network Detection & Response is a fundamental element to meet the stricter requirements.

For more information on complying with NIS2, download the Compliance Checklist here.

The KuppingerCole Executive View on NDR is also a well-suited and helpful tool for a deeper understanding of network monitoring as a foundational element of security architecture for NIS2. It describes how the network security software solution ExeonTrace leverages Machine Learning to provide comprehensive network monitoring, instant detection of potential cyber threats and efficient responses that protect global corporations and critical infrastructure.