Our Expert in Switzerland
No results available
The Information Security Act Switzerland (Informationssicherheitsgesetz, ISG) has moved from a legislative framework on paper to an actively enforced compliance regime, with mandatory cyberattack reporting obligations now in force for operators of critical infrastructure. Businesses operating in or serving the Swiss market face a dual compliance landscape: the ISA governs the security of federal information and the protection of critical infrastructure, while the revised Federal Act on Data Protection (FADP) imposes parallel obligations on the handling of personal data. For in-house counsel, DPOs and CISOs, the practical challenge in 2026 is no longer understanding what the law says but implementing the concrete technical and organisational measures, vendor controls and incident-response protocols that these statutes demand.
This guide delivers exactly that, actionable checklists, sample contract clauses and step-by-step playbooks mapped to current ISA and FADP requirements.
TL;DR: If your organisation operates critical infrastructure, processes federal data, or handles personal data under Swiss law, you must implement documented technical and organisational measures (TOMs), establish a 24-hour incident-reporting capability and review every vendor and cloud contract for ISA-aligned security clauses, now.
The ISA creates binding cybersecurity compliance obligations for Switzerland that go well beyond traditional data-protection law. Whether you are a federal contractor, a utility operator or a private company caught within the critical-infrastructure perimeter, the following immediate actions should be on your board agenda:
The Information Security Act (ISA/ISG) is a federal statute that establishes uniform standards for the security of information and information-processing systems across the Swiss Confederation. Originally adopted by the Federal Assembly, the ISA underwent significant amendment to introduce mandatory reporting obligations for cyberattacks on critical infrastructure, a provision that entered into force on 1 April 2025, as confirmed by the Swiss Federal Council.
The ISA’s scope extends across three principal categories. First, it applies directly to federal authorities, the Federal Council, federal departments, the Federal Chancellery and entities performing tasks on behalf of the Confederation. Second, it covers cantonal authorities insofar as they access federal information systems or classified information. Third, and most significant for the private sector, it applies to operators of critical infrastructure in sectors such as energy, transport, water supply, healthcare, finance, telecommunications and digital infrastructure.
Private businesses that do not operate critical infrastructure are not directly subject to the ISA’s reporting obligations. However, they remain subject to the revised FADP’s security requirements and may be drawn into ISA compliance indirectly through their contracts with federal bodies or critical-infrastructure operators.
Switzerland’s information-security and data-protection frameworks are distinct statutes with different regulators, different reporting channels and different enforcement mechanisms. Yet they share a critical common element: the requirement to implement appropriate technical and organisational measures to protect the data and systems under each organisation’s control. In practice, this means compliance teams must build a single, integrated TOM framework that satisfies both regimes simultaneously.
The ISA is primarily concerned with protecting federal information, classified data and the systems of critical-infrastructure operators from cyberattacks. The revised FADP, which entered into force on 1 September 2023, focuses on the protection of personal data, including breach notification to the Federal Data Protection and Information Commissioner (EDÖB) and, in certain cases, to affected data subjects. The FADP interaction with the ISA is most visible in three areas: the scope of TOMs, the breach-reporting triggers and the treatment of cross-border data transfers.
Not every ISA-reportable cyberattack involves personal data, and not every FADP data breach qualifies as an ISA incident. The distinction matters because each triggers different reporting channels and timelines:
The EDÖB guidance on cross-border data transfers, including the Swiss-US Data Privacy Framework, must be factored into any ISA compliance programme that involves cloud services hosted outside Switzerland. Where a critical-infrastructure operator transfers personal data to a US-based cloud provider, both the FADP’s adequacy requirements and the ISA’s security-assurance obligations apply. Industry observers expect EDÖB enforcement activity in this area to intensify throughout 2026, making proactive vendor assessments essential.
The Information Security Act Switzerland framework, read together with the revised FADP and EDÖB guidance, requires organisations to implement technical and organisational measures that are proportionate to the sensitivity of the data processed, the severity of potential threats and the state of the art. Below is a structured, implementation-ready TOM framework organised by control domain.
The following priority matrix helps organisations rank implementation urgency against effort:
| TOM Domain | Implementation Effort | Risk-Reduction Impact | Priority |
|---|---|---|---|
| MFA and access control | Low–Medium | High | Immediate |
| Patch management | Medium | High | Immediate |
| Backup and recovery testing | Medium | High | 30 days |
| Network segmentation | High | High | 90 days |
| SIEM / centralised logging | High | Medium–High | 90 days |
| Data classification scheme | Medium | Medium | 90 days |
| Tabletop exercises | Low | Medium | 180 days (then annually) |
Any organisation subject to the ISA or the FADP must ensure that its vendors and cloud providers maintain security standards at least equivalent to those the organisation applies internally. Vendor and cloud due diligence is not a one-time exercise, it must be embedded into procurement, contract renewal and ongoing monitoring cycles. The following framework provides a structured approach to assessing third-party risk under Swiss cybersecurity compliance requirements.
Top vendor due-diligence questions (select from this bank based on risk tier):
The following model clauses can be adapted for data-processing agreements and cloud service contracts. They are provided as starting points and should be reviewed by qualified Swiss counsel before adoption.
Clause 1, Security Standards: “The Processor shall implement and maintain technical and organisational measures that are at least equivalent to ISO 27001 controls and that satisfy the requirements of the Swiss Federal Act on Data Protection (FADP) and, where applicable, the Information Security Act (ISA). The Processor shall provide evidence of compliance upon request.”
Clause 2, Breach Notification Coordination: “The Processor shall notify the Controller of any security incident affecting Controller data without undue delay and in any event within [12/24] hours of detection. Where the incident triggers reporting obligations under the ISA (NCSC) or the FADP (EDÖB), the Processor shall cooperate with the Controller to fulfil those obligations within the applicable statutory timeframes.”
Clause 3, Audit Rights: “The Controller shall have the right, upon reasonable notice, to audit or commission an independent third-party audit of the Processor’s security controls, data-processing facilities and subprocessor arrangements. The Processor shall provide all reasonably requested documentation, including current SOC 2 Type II reports, penetration-test summaries and incident logs.”
The ISA’s mandatory reporting obligation, in force since 1 April 2025, requires operators of critical infrastructure to notify the NCSC of cyberattacks within 24 hours of discovery. This is a tight window. The clock starts when the organisation becomes aware of the incident, not when the forensic investigation concludes. Parallel to this, the revised FADP requires controllers to notify the EDÖB as soon as possible of any data-security breach likely to result in a high risk to the personality or fundamental rights of data subjects.
Industry observers expect that demonstrating a robust, documented incident-response process will become a de facto defence against enforcement criticism, even where reporting timelines are technically missed by a narrow margin. The following incident playbook provides a practical timeline for compliance teams.
0–24 hours (discovery and initial notification):
24–72 hours (investigation and supplementary reporting):
72 hours and beyond (remediation and lessons learned):
Small and medium-sized enterprises may not operate critical infrastructure directly, but many serve as suppliers to federal bodies or critical-infrastructure operators, making ISA compliance a contractual and commercial requirement. Even where the ISA does not apply directly, the FADP’s TOM obligations are universal. This SME ISA checklist provides a prioritised, cost-conscious implementation roadmap in three phases.
| Phase | Timeframe | Actions |
|---|---|---|
| Phase 1, Foundation | 0–30 days | Complete an asset and data inventory; assign a security owner; enable MFA on all accounts; deploy automated patching; draft an information-security policy |
| Phase 2, Controls | 30–90 days | Conduct a formal risk assessment; review and update all vendor/cloud contracts; implement encryption at rest and in transit; establish a basic incident-response plan |
| Phase 3, Maturity | 90–180 days | Deploy centralised logging; run a tabletop incident exercise; test backup restoration; document TOM compliance evidence; schedule annual review cycle |
Completing these three phases positions an SME to demonstrate baseline compliance with both ISA-derived contractual obligations and the FADP’s data-security requirements. The total cost for most SMEs is modest, the largest investments are typically time, management attention and a disciplined documentation habit rather than expensive technology.
Existing data-processing agreements and vendor contracts drafted before the ISA’s reporting obligations entered into force are likely to contain gaps. At minimum, organisations should review and update the following provisions:
The following table summarises the breach reporting obligations under the ISA and FADP frameworks, mapped by entity category. This comparison reflects the regulatory landscape as of 2026 and should be reviewed as further implementing ordinances or EDÖB guidance are published.
| Entity Type | Triggering Incident | Reporting Timeframe and Channel |
|---|---|---|
| Federal authorities / federal IT systems | Cyberattack affecting federal information-processing systems | Report through internal federal channels and to the NCSC as required by ISA and implementing ordinances |
| Operators of critical infrastructure | Cyberattack affecting the availability, integrity or confidentiality of critical systems | Notify NCSC within 24 hours of discovery via the NCSC reporting platform |
| Private businesses (non-critical infrastructure) processing personal data | Data-security breach likely to result in a high risk to data subjects’ rights | Notify EDÖB as soon as possible under the FADP; notify data subjects if required to protect their rights |
| Vendors / processors serving critical-infrastructure operators | Security incident affecting controller data or systems | Notify the controller within the contractually agreed timeframe (recommended: 12–24 hours); support controller’s ISA/FADP notification obligations |
The Information Security Act Switzerland framework, operating alongside the revised FADP, creates a layered compliance obligation that demands documented action rather than policy statements alone. For businesses in 2026, four immediate next steps will determine whether they are positioned for compliance or exposure:
Early indications suggest that Swiss regulators are prioritising demonstrated, documented compliance over perfection, organisations that can show a structured programme, regular testing and continuous improvement will be in a materially stronger position than those still relying on generic security policies drafted before the ISA’s reporting obligations took effect.
This article was produced by Global Law Experts. For specialist advice on this topic, contact Alexandros Manousakis at Privintelligent Solutions, a member of the Global Law Experts network.
posted 12 minutes ago
posted 4 hours ago
posted 5 hours ago
posted 5 hours ago
posted 5 hours ago
posted 5 hours ago
posted 5 hours ago
posted 7 hours ago
posted 7 hours ago
posted 8 hours ago
posted 8 hours ago
posted 8 hours ago
No results available
Find the right Legal Expert for your business
Sign up for the latest legal briefings and news within Global Law Experts’ community, as well as a whole host of features, editorial and conference updates direct to your email inbox.
Naturally you can unsubscribe at any time.
Global Law Experts is dedicated to providing exceptional legal services to clients around the world. With a vast network of highly skilled and experienced lawyers, we are committed to delivering innovative and tailored solutions to meet the diverse needs of our clients in various jurisdictions.
Global Law Experts is dedicated to providing exceptional legal services to clients around the world. With a vast network of highly skilled and experienced lawyers, we are committed to delivering innovative and tailored solutions to meet the diverse needs of our clients in various jurisdictions.
Send welcome message