New Swiss information security law with implications for private companies working for the federal government
At its meeting on 8 November 2023, the Swiss Federal Council decided that the new Information Security Act (ISA) and its four implementing ordinances will enter into force on 1 January 2024. According to its press release, the Federal Council’s aim is to strengthen the protection of information and the cyber security of the Confederation.
In a single law, the ISA consolidates the most important legal foundations for the protection of federal information and IT resources. The ISA and its four implementing ordinances shall establish uniform minimum information security requirements for all federal authorities and organisations, in accordance with international standards.
Cybersecurity should not be limited to the Confederation’s own IT infrastructure: international partners, cantons, and third parties must also safeguard federal information and data. The purpose of the ISA and its four implementing ordinances is therefore to establish current and efficient regulations in this context.
In this regard, the new Operational Security Procedure Ordinance (OSPO) will apply from 1 January 2023. It replaces the previous Ordinance on the Protection of Secrets, which was limited to military-classified contracts, and regulates the specifics of the ISA’s newly implemented operational security procedure. This procedure is executed when federal authorities award security-sensitive contracts to companies. The evaluation of these companies’ credibility is conducted in conjunction with the Federal Intelligence Service. The primary objective is to impede access by entities controlled by foreign intelligence services to critical federal IT systems and highly classified information. To verify the implementation of information security, the responsible specialised unit may conduct inspections of the organisation at any time and without prior notice while the mandate is being carried out. Additionally, it can conduct audits.