[codicts-css-switcher id=”346″]

Global Law Experts Logo
information security act switzerland

Switzerland's Information Security Act (ISA) Compliance 2026, Practical Guide for Businesses

By Global Law Experts
– posted 7 hours ago

The Information Security Act Switzerland (Informationssicherheitsgesetz, ISG) has moved from a legislative framework on paper to an actively enforced compliance regime, with mandatory cyberattack reporting obligations now in force for operators of critical infrastructure. Businesses operating in or serving the Swiss market face a dual compliance landscape: the ISA governs the security of federal information and the protection of critical infrastructure, while the revised Federal Act on Data Protection (FADP) imposes parallel obligations on the handling of personal data. For in-house counsel, DPOs and CISOs, the practical challenge in 2026 is no longer understanding what the law says but implementing the concrete technical and organisational measures, vendor controls and incident-response protocols that these statutes demand.

This guide delivers exactly that, actionable checklists, sample contract clauses and step-by-step playbooks mapped to current ISA and FADP requirements.

Executive Summary, What Businesses Must Decide Now

TL;DR: If your organisation operates critical infrastructure, processes federal data, or handles personal data under Swiss law, you must implement documented technical and organisational measures (TOMs), establish a 24-hour incident-reporting capability and review every vendor and cloud contract for ISA-aligned security clauses, now.

The ISA creates binding cybersecurity compliance obligations for Switzerland that go well beyond traditional data-protection law. Whether you are a federal contractor, a utility operator or a private company caught within the critical-infrastructure perimeter, the following immediate actions should be on your board agenda:

  • Scope your ISA exposure. Determine whether your organisation qualifies as an operator of critical infrastructure, a federal authority, or a supplier to either category.
  • Conduct a gap assessment. Map your existing security controls against the ISA’s TOM requirements and the EDÖB guidance on FADP-compliant measures.
  • Review every vendor and cloud contract. Verify that data-processing agreements include audit rights, encryption commitments, subprocessor controls and ISA-aligned breach-notification coordination clauses.
  • Build a 24-hour incident-response capability. Operators of critical infrastructure must be able to notify the National Cyber Security Centre (NCSC) within 24 hours of discovering a qualifying cyberattack.
  • Document everything. Regulators expect demonstrable compliance, policies, risk assessments, training records and incident logs must be maintained and available for inspection.

What the ISA Is, Scope, Timeline and Who Must Comply Under ISA Switzerland

The Information Security Act (ISA/ISG) is a federal statute that establishes uniform standards for the security of information and information-processing systems across the Swiss Confederation. Originally adopted by the Federal Assembly, the ISA underwent significant amendment to introduce mandatory reporting obligations for cyberattacks on critical infrastructure, a provision that entered into force on 1 April 2025, as confirmed by the Swiss Federal Council.

The ISA’s scope extends across three principal categories. First, it applies directly to federal authorities, the Federal Council, federal departments, the Federal Chancellery and entities performing tasks on behalf of the Confederation. Second, it covers cantonal authorities insofar as they access federal information systems or classified information. Third, and most significant for the private sector, it applies to operators of critical infrastructure in sectors such as energy, transport, water supply, healthcare, finance, telecommunications and digital infrastructure.

Private businesses that do not operate critical infrastructure are not directly subject to the ISA’s reporting obligations. However, they remain subject to the revised FADP’s security requirements and may be drawn into ISA compliance indirectly through their contracts with federal bodies or critical-infrastructure operators.

Key ISA Definitions: Operator, Critical Infrastructure, Cyberattack

  • Operator of critical infrastructure. An entity whose systems and processes are essential for the functioning of public life, the economy or public safety in Switzerland.
  • Critical infrastructure. Infrastructure in designated sectors (energy, transport, water, healthcare, finance, telecommunications, public administration and others) whose disruption would have serious consequences for national security, the economy or public welfare.
  • Cyberattack (reportable). An attack on information systems that threatens the functioning of critical infrastructure, has led to a data manipulation or leak, or remains undetected for a prolonged period, essentially any cyber incident capable of affecting the availability, integrity or confidentiality of critical systems or data.

ISA + FADP, Interaction, Overlap and Cybersecurity Compliance Priorities

Switzerland’s information-security and data-protection frameworks are distinct statutes with different regulators, different reporting channels and different enforcement mechanisms. Yet they share a critical common element: the requirement to implement appropriate technical and organisational measures to protect the data and systems under each organisation’s control. In practice, this means compliance teams must build a single, integrated TOM framework that satisfies both regimes simultaneously.

The ISA is primarily concerned with protecting federal information, classified data and the systems of critical-infrastructure operators from cyberattacks. The revised FADP, which entered into force on 1 September 2023, focuses on the protection of personal data, including breach notification to the Federal Data Protection and Information Commissioner (EDÖB) and, in certain cases, to affected data subjects. The FADP interaction with the ISA is most visible in three areas: the scope of TOMs, the breach-reporting triggers and the treatment of cross-border data transfers.

When to Treat an Event as a Data Breach vs an ISA Incident

Not every ISA-reportable cyberattack involves personal data, and not every FADP data breach qualifies as an ISA incident. The distinction matters because each triggers different reporting channels and timelines:

  • ISA incident only. A cyberattack disrupts the availability of a critical-infrastructure system but no personal data is compromised. Report to the NCSC within 24 hours.
  • FADP breach only. A database misconfiguration exposes personal data of Swiss residents, but the affected system is not classified as critical infrastructure. Notify the EDÖB as soon as possible; notify data subjects if required to protect their rights.
  • Dual-trigger event. A ransomware attack on a critical-infrastructure operator encrypts systems and exfiltrates personal data. Both the NCSC (within 24 hours, under ISA) and the EDÖB (as soon as possible, under FADP) must be notified. Internal incident-response plans should include parallel notification tracks for both regulators.

Cross-Border Transfer Impacts

The EDÖB guidance on cross-border data transfers, including the Swiss-US Data Privacy Framework, must be factored into any ISA compliance programme that involves cloud services hosted outside Switzerland. Where a critical-infrastructure operator transfers personal data to a US-based cloud provider, both the FADP’s adequacy requirements and the ISA’s security-assurance obligations apply. Industry observers expect EDÖB enforcement activity in this area to intensify throughout 2026, making proactive vendor assessments essential.

Practical TOMs: Technical and Organisational Measures Businesses Must Implement

The Information Security Act Switzerland framework, read together with the revised FADP and EDÖB guidance, requires organisations to implement technical and organisational measures that are proportionate to the sensitivity of the data processed, the severity of potential threats and the state of the art. Below is a structured, implementation-ready TOM framework organised by control domain.

Governance and Policies

  • Assign a security owner. Designate a named individual (CISO, Head of IT Security or equivalent) with board-level reporting authority and documented responsibility for ISA and FADP compliance.
  • Maintain an information-security policy. The policy should cover scope, roles, acceptable use, incident management, vendor management and compliance review cycles.
  • Conduct regular risk assessments. Perform formal risk assessments at least annually and after any significant change to systems, processes or threat landscape. Document findings and remediation actions.
  • Implement a security-awareness programme. All employees and contractors with system access should receive documented training at onboarding and at least annually thereafter.

Access Control and Identity

  • Enforce least-privilege access. Grant system and data access only to the extent required for each role. Review access rights quarterly.
  • Deploy multi-factor authentication (MFA). Require MFA for all remote access, administrative accounts and access to systems processing classified or sensitive personal data.
  • Implement privileged-access management (PAM). Use dedicated PAM tools to monitor, log and control the use of administrative credentials.
  • Automate joiner-mover-leaver processes. Ensure that access rights are provisioned, adjusted and revoked promptly as personnel change roles or leave the organisation.

Network and Endpoint Security

  • Segment networks. Separate critical-infrastructure systems, corporate IT and guest/public networks using firewalls, VLANs and zero-trust architectures.
  • Deploy endpoint detection and response (EDR). All endpoints, including servers, workstations and mobile devices, should run EDR agents with centralised monitoring.
  • Maintain patch management. Apply critical security patches within documented timeframes (industry best practice recommends critical patches within 14 days of release).

Data Protection and Lifecycle Controls

  • Classify data by sensitivity. Maintain a data-classification scheme that maps to both ISA confidentiality levels and FADP data categories.
  • Encrypt at rest and in transit. Use current encryption standards (AES-256 for data at rest; TLS 1.2 or higher for data in transit). Key management must be documented and auditable.
  • Enforce data-retention and deletion policies. Retain data only as long as legally required or operationally necessary, then delete securely.

Resilience and Recovery

  • Maintain tested backups. Perform regular backups of all critical systems and data. Store at least one backup copy offline or in an immutable format. Test restoration procedures at least semi-annually.
  • Develop and test a disaster-recovery plan. Document recovery time objectives (RTOs) and recovery point objectives (RPOs) for each critical system.
  • Run tabletop exercises. Conduct scenario-based exercises at least annually to test the incident-response and disaster-recovery plans with all relevant stakeholders.

Monitoring, Logging and Detection

  • Implement centralised logging (SIEM). Aggregate security logs from all critical systems into a security-information and event-management platform.
  • Set log-retention periods. Retain security logs for a minimum of 12 months (longer where sector-specific regulations require it).
  • Ensure log integrity. Use write-once storage, hash chains or equivalent tamper-evident mechanisms to protect log integrity for forensic and regulatory purposes.
  • Establish 24/7 monitoring capability. Critical-infrastructure operators should maintain around-the-clock monitoring, either in-house or through a managed security-operations centre (SOC).

The following priority matrix helps organisations rank implementation urgency against effort:

TOM Domain Implementation Effort Risk-Reduction Impact Priority
MFA and access control Low–Medium High Immediate
Patch management Medium High Immediate
Backup and recovery testing Medium High 30 days
Network segmentation High High 90 days
SIEM / centralised logging High Medium–High 90 days
Data classification scheme Medium Medium 90 days
Tabletop exercises Low Medium 180 days (then annually)

Vendor and Cloud Due Diligence, Step-by-Step

Any organisation subject to the ISA or the FADP must ensure that its vendors and cloud providers maintain security standards at least equivalent to those the organisation applies internally. Vendor and cloud due diligence is not a one-time exercise, it must be embedded into procurement, contract renewal and ongoing monitoring cycles. The following framework provides a structured approach to assessing third-party risk under Swiss cybersecurity compliance requirements.

Top vendor due-diligence questions (select from this bank based on risk tier):

  • Does the vendor hold a current ISO 27001 or SOC 2 Type II certification?
  • Where is data stored, processed and backed up, and do any data flows cross Swiss borders?
  • What encryption standards are applied at rest and in transit?
  • Does the vendor use subprocessors, and if so, what controls govern subprocessor selection and oversight?
  • What is the vendor’s incident-detection and notification timeline?
  • Does the vendor provide contractual audit rights, and under what conditions?
  • How does the vendor manage access controls, privileged accounts and personnel vetting?
  • What is the vendor’s data-retention and secure-deletion process?
  • Is the vendor prepared to comply with NCSC reporting requirements if it processes data for a critical-infrastructure operator?
  • What business-continuity and disaster-recovery commitments does the vendor offer?

Sample Vendor Clauses for Swiss ISA Compliance

The following model clauses can be adapted for data-processing agreements and cloud service contracts. They are provided as starting points and should be reviewed by qualified Swiss counsel before adoption.

Clause 1, Security Standards: “The Processor shall implement and maintain technical and organisational measures that are at least equivalent to ISO 27001 controls and that satisfy the requirements of the Swiss Federal Act on Data Protection (FADP) and, where applicable, the Information Security Act (ISA). The Processor shall provide evidence of compliance upon request.”

Clause 2, Breach Notification Coordination: “The Processor shall notify the Controller of any security incident affecting Controller data without undue delay and in any event within [12/24] hours of detection. Where the incident triggers reporting obligations under the ISA (NCSC) or the FADP (EDÖB), the Processor shall cooperate with the Controller to fulfil those obligations within the applicable statutory timeframes.”

Clause 3, Audit Rights: “The Controller shall have the right, upon reasonable notice, to audit or commission an independent third-party audit of the Processor’s security controls, data-processing facilities and subprocessor arrangements. The Processor shall provide all reasonably requested documentation, including current SOC 2 Type II reports, penetration-test summaries and incident logs.”

Breach Reporting and Incident Response, Timelines, Obligations and Practical Steps

The ISA’s mandatory reporting obligation, in force since 1 April 2025, requires operators of critical infrastructure to notify the NCSC of cyberattacks within 24 hours of discovery. This is a tight window. The clock starts when the organisation becomes aware of the incident, not when the forensic investigation concludes. Parallel to this, the revised FADP requires controllers to notify the EDÖB as soon as possible of any data-security breach likely to result in a high risk to the personality or fundamental rights of data subjects.

Industry observers expect that demonstrating a robust, documented incident-response process will become a de facto defence against enforcement criticism, even where reporting timelines are technically missed by a narrow margin. The following incident playbook provides a practical timeline for compliance teams.

0–24 hours (discovery and initial notification):

  1. Activate the incident-response team and log the time of discovery.
  2. Contain the incident, isolate affected systems, preserve forensic evidence.
  3. Classify the incident: ISA-reportable (critical-infrastructure impact)? FADP-reportable (personal-data breach)? Both?
  4. If ISA-reportable: submit initial notification to the NCSC via the designated reporting channel (the NCSC Cyber Security Hub at ncsc.admin.ch).
  5. If FADP-reportable: prepare the notification to the EDÖB using the official notification form.

24–72 hours (investigation and supplementary reporting):

  1. Conduct preliminary forensic analysis, determine scope, affected systems, data categories compromised.
  2. Submit supplementary details to the NCSC and/or EDÖB as required.
  3. Assess whether data-subject notification is required under the FADP (notify if necessary to protect data subjects or if the EDÖB directs notification).
  4. Notify contractual counterparties (customers, vendors) where breach-notification clauses require it.

72 hours and beyond (remediation and lessons learned):

  1. Complete forensic investigation and document findings.
  2. Implement remediation measures and update TOMs to prevent recurrence.
  3. Submit final reports to the NCSC and EDÖB as appropriate.
  4. Conduct a post-incident review and update the incident-response plan.

Sample Incident Report Template, Fields to Include

  • Organisation name and contact details (reporting officer, CISO, legal counsel)
  • Date and time of discovery
  • Nature of incident (ransomware, data exfiltration, denial of service, other)
  • Systems and data affected (classification level, personal-data categories if any)
  • Estimated scope (number of records, number of data subjects, geographic scope)
  • Containment measures taken
  • Current status (ongoing, contained, resolved)
  • Regulatory notifications submitted (NCSC, EDÖB, other)
  • Preliminary root-cause assessment
  • Next steps and remediation timeline

SME ISA Compliance Checklist

Small and medium-sized enterprises may not operate critical infrastructure directly, but many serve as suppliers to federal bodies or critical-infrastructure operators, making ISA compliance a contractual and commercial requirement. Even where the ISA does not apply directly, the FADP’s TOM obligations are universal. This SME ISA checklist provides a prioritised, cost-conscious implementation roadmap in three phases.

Phase Timeframe Actions
Phase 1, Foundation 0–30 days Complete an asset and data inventory; assign a security owner; enable MFA on all accounts; deploy automated patching; draft an information-security policy
Phase 2, Controls 30–90 days Conduct a formal risk assessment; review and update all vendor/cloud contracts; implement encryption at rest and in transit; establish a basic incident-response plan
Phase 3, Maturity 90–180 days Deploy centralised logging; run a tabletop incident exercise; test backup restoration; document TOM compliance evidence; schedule annual review cycle

Completing these three phases positions an SME to demonstrate baseline compliance with both ISA-derived contractual obligations and the FADP’s data-security requirements. The total cost for most SMEs is modest, the largest investments are typically time, management attention and a disciplined documentation habit rather than expensive technology.

Contract Law and DPA Updates for ISA Compliance

Existing data-processing agreements and vendor contracts drafted before the ISA’s reporting obligations entered into force are likely to contain gaps. At minimum, organisations should review and update the following provisions:

  • Security-responsibility clauses. Specify which party is responsible for each TOM domain (encryption, access control, monitoring) rather than relying on generic “appropriate measures” language.
  • Breach-notification coordination. Replace vague “without undue delay” wording with explicit hours-based timelines (e.g., processor notifies controller within 12 hours; controller notifies NCSC within 24 hours).
  • Audit rights. Ensure the controller retains the right to audit or request third-party audit evidence (SOC 2 Type II, penetration-test reports) at least annually and following any reportable incident.
  • Liability caps and indemnities. Where a processor’s security failure triggers regulatory action or damages, the contract should allocate liability clearly, including cost-sharing for forensic investigations and regulatory notifications.
  • Subprocessor controls. Require prior written consent for new subprocessors and impose flow-down obligations equivalent to the main contract’s security and reporting terms.

Comparison Table, Reporting Obligations by Entity Type

The following table summarises the breach reporting obligations under the ISA and FADP frameworks, mapped by entity category. This comparison reflects the regulatory landscape as of 2026 and should be reviewed as further implementing ordinances or EDÖB guidance are published.

Entity Type Triggering Incident Reporting Timeframe and Channel
Federal authorities / federal IT systems Cyberattack affecting federal information-processing systems Report through internal federal channels and to the NCSC as required by ISA and implementing ordinances
Operators of critical infrastructure Cyberattack affecting the availability, integrity or confidentiality of critical systems Notify NCSC within 24 hours of discovery via the NCSC reporting platform
Private businesses (non-critical infrastructure) processing personal data Data-security breach likely to result in a high risk to data subjects’ rights Notify EDÖB as soon as possible under the FADP; notify data subjects if required to protect their rights
Vendors / processors serving critical-infrastructure operators Security incident affecting controller data or systems Notify the controller within the contractually agreed timeframe (recommended: 12–24 hours); support controller’s ISA/FADP notification obligations

Conclusion and Next Steps for Information Security Act Switzerland Compliance

The Information Security Act Switzerland framework, operating alongside the revised FADP, creates a layered compliance obligation that demands documented action rather than policy statements alone. For businesses in 2026, four immediate next steps will determine whether they are positioned for compliance or exposure:

  1. Determine your ISA scope. Classify your organisation’s status (federal authority, critical-infrastructure operator, supplier or private business) and map every applicable obligation.
  2. Implement and document TOMs. Use the checklist and priority matrix in this guide to build a proportionate, evidence-based control framework.
  3. Audit every vendor and cloud contract. Update DPAs with ISA-aligned security clauses, breach-notification timelines and audit rights using the sample clauses provided.
  4. Test your incident-response capability. Run a tabletop exercise against a dual-trigger scenario (ISA + FADP) and validate that your team can meet the 24-hour NCSC reporting window and the EDÖB notification threshold simultaneously.

Early indications suggest that Swiss regulators are prioritising demonstrated, documented compliance over perfection, organisations that can show a structured programme, regular testing and continuous improvement will be in a materially stronger position than those still relying on generic security policies drafted before the ISA’s reporting obligations took effect.

Need Legal Advice?

This article was produced by Global Law Experts. For specialist advice on this topic, contact Alexandros Manousakis at Privintelligent Solutions, a member of the Global Law Experts network.

Sources

  1. Swiss Federal Council (admin.ch), ISA amendment press releases and legislative milestones
  2. National Cyber Security Centre (NCSC), Reporting obligations guidance
  3. Federal Data Protection and Information Commissioner (EDÖB), FADP guidance
  4. Federal Act on Data Protection (FADP), official text (Fedlex)
  5. Information Security Act (ISA/ISG), official legislative text (Fedlex)
  6. European Union Agency for Cybersecurity (ENISA), cybersecurity best practices and TOM frameworks

FAQs

What is the Switzerland Information Security Act (ISA) and who does it apply to?
The ISA (ISG) is a federal statute establishing uniform information-security standards across the Swiss Confederation. It applies directly to federal authorities, cantonal bodies accessing federal systems and operators of critical infrastructure. Private businesses may be drawn into scope through contracts with these entities.
The ISA covers information security for federal systems and critical infrastructure; the FADP covers personal-data protection. Cyberattacks on critical infrastructure go to the NCSC (within 24 hours). Personal-data breaches go to the EDÖB (as soon as possible). Dual-trigger events, a cyberattack that also compromises personal data, require parallel notifications to both authorities.
Best-practice TOMs include multi-factor authentication, network segmentation, encryption at rest and in transit, endpoint detection and response, centralised logging, documented risk assessments, regular tabletop exercises and tested backup-and-recovery procedures. Controls should be proportionate to the sensitivity of data and the criticality of systems, consistent with EDÖB guidance and standards such as ISO 27001.
Operators of critical infrastructure must notify the NCSC within 24 hours of discovering a cyberattack that threatens the functioning of their critical systems. Federal authorities report through designated internal channels. Private companies not operating critical infrastructure are not subject to ISA reporting but remain subject to FADP breach-notification obligations.
Review your cloud DPA to include explicit ISA-aligned provisions: security-standard commitments (ISO 27001 or equivalent), hours-based breach-notification timelines, audit rights covering SOC 2 Type II reports, subprocessor approval requirements and clear liability allocation for regulatory costs following a security incident.
The ISA’s mandatory reporting obligation applies to operators of critical infrastructure regardless of size. An SME operating in a designated critical-infrastructure sector is subject to the full reporting obligation. Other SMEs may be indirectly affected through their contracts with federal bodies or critical-infrastructure clients, which typically flow down ISA-level security requirements contractually.
The ISA empowers the NCSC to require operators of critical infrastructure to rectify deficiencies and to provide information about cyber incidents. The practical enforcement consequences include regulatory orders, reputational exposure and potential contractual liability. Under the FADP, the EDÖB may order the cessation of data processing, and intentional violations of certain FADP provisions can attract criminal penalties of up to CHF 250,000 against responsible individuals.
crypto licence germany
By Jonathon Richards

posted 12 minutes ago

Find the right Legal Expert for your business

The premier guide to leading legal professionals throughout the world

Specialism
Country
Practice Area
LAWYERS RECOGNIZED
0
EVALUATIONS OF LAWYERS BY THEIR PEERS
0 m+
PRACTICE AREAS
0
COUNTRIES AROUND THE WORLD
0
Join
who are already getting the benefits
0

Sign up for the latest legal briefings and news within Global Law Experts’ community, as well as a whole host of features, editorial and conference updates direct to your email inbox.

Naturally you can unsubscribe at any time.

About Us

Global Law Experts is dedicated to providing exceptional legal services to clients around the world. With a vast network of highly skilled and experienced lawyers, we are committed to delivering innovative and tailored solutions to meet the diverse needs of our clients in various jurisdictions.

Global Law Experts App

Now Available on the App & Google Play Stores.

Social Posts
[wp_social_ninja id="50714" platform="instagram"]
[codicts-social-feeds platform="instagram" url="https://www.instagram.com/globallawexperts/" template="carousel" results_limit="10" header="false" column_count="1"]

See More:

Contact Us

Stay Informed

Join Mailing List
About Us

Global Law Experts is dedicated to providing exceptional legal services to clients around the world. With a vast network of highly skilled and experienced lawyers, we are committed to delivering innovative and tailored solutions to meet the diverse needs of our clients in various jurisdictions.

Social Posts
[wp_social_ninja id="50714" platform="instagram"]
[codicts-social-feeds platform="instagram" url="https://www.instagram.com/globallawexperts/" template="carousel" results_limit="10" header="false" column_count="1"]

See More:

Global Law Experts App

Now Available on the App & Google Play Stores.

Contact Us

Stay Informed

GLE

Lawyer Profile Page - Lead Capture
GLE-Logo-White
Lawyer Profile Page - Lead Capture

Switzerland's Information Security Act (ISA) Compliance 2026, Practical Guide for Businesses

Send welcome message

Custom Message