New Information Security Law in Switzerland Effective January 2024

Switzerland enacts the Information Security Act (LSI) on January 1, 2024, to enhance cybersecurity and data protection across federal and critical infrastructures.

Starting January 1, 2024, Switzerland will enforce the Information Security Act (LSI) and its four execution ordinances, as decided by the Federal Council on November 8, 2023. The LSI consolidates essential legal bases for information and IT security, setting minimum requirements based on international standards for federal authorities and organizations.

The LSI not only secures federal IT infrastructure but also extends protection to federal information managed by third parties, cantons, and international partners. To implement the LSI, three new ordinances and a partial revision of an existing one will be introduced:

  1. Information Security Ordinance (OSI): This will replace two existing ordinances, covering information security management, classified information protection, IT security, and physical security measures. Federal offices must implement an Information Security Management System (ISMS), a standard practice in both private and public sectors.

  2. Ordinance on Security Checks for Individuals (OCSP): This governs procedures to assess if individuals in sensitive federal roles pose a security risk, based on their lifestyle, financial situation, and foreign connections. The checks will be reserved for those who could potentially cause significant harm to the Confederation.

  3. Ordinance on Security Procedures for Companies (OPSEnt): This details procedures for evaluating the reliability of companies awarded sensitive federal contracts, replacing an ordinance focused on military-classified contracts. Continuous inspections and audits will ensure compliance.

  4. Ordinance on Identification Data Management Systems (OIAM): This will be updated to create a unified system for accessing federal online services, complementing the three new ordinances.

The Federal Council has approved these ordinances following a consultation process held from August to November 2022. Additionally, from September 29, 2023, critical infrastructure operators must report cyberattacks, with the National Cyber Security Center (NCSC) designated as the central reporting body.

For more details, visit the Federal Council’s official page.
