In Force | Government, Critical infrastructure

Federal Act on Information Security in the Confederation (ISG)

Also known as: ISG (Switzerland)

Switzerland's federal information security law establishing uniform security requirements for federal authorities. It mandates information classification, security assessments, and incident reporting to the NCSC.

Jurisdiction
Switzerland
Regulator
Effective
1/1/2023
Sector
Government, Critical infrastructure

Full Text / Summary

Switzerland's Federal Act on Information Security in the Confederation (Informationssicherheitsgesetz, ISG), effective January 1, 2024, establishes the legal framework for information security in the Swiss federal administration and for operators of critical infrastructure. The ISG replaces the previous Information Protection Ordinance and creates a comprehensive, risk-based information security framework.

Key provisions include: mandatory information security management systems for federal bodies; classification of information assets; security requirements for critical infrastructure operators; incident reporting obligations; and requirements for cloud services and outsourcing.

The ISG establishes the National Cyber Security Centre (NCSC) as the central federal authority for cybersecurity and grants it authority to issue binding security recommendations. Critical infrastructure operators must report cybersecurity incidents to the NCSC within 24 hours.

The ISG is complemented by the Ordinance on Information Security (ISV), which provides detailed implementation requirements. Switzerland's cybersecurity framework is increasingly aligned with EU NIS2 requirements despite Switzerland not being an EU member state.