
cyberbytes issue 2/25 – The Who, What, When, and Why: Federal Act on Information Security in the Confederation (FAISC) / Informationssicherheitsgesetz (ISG) Part 2 – Current Status as of May 2025

22.05.2025
Reading time: 7 min.

In a Nutshell:

Switzerland’s Federal Act on Information Security in the Confederation (FAISC) is a decisive step towards strengthening cyber resilience and protecting the Confederation’s information and IT resources. With clear provisions and transitional periods, the FAISC and its ordinances provide a comprehensive framework for secure information processing. Now that the first deadlines have lapsed and others are fast approaching, this is a good opportunity to follow up on our previous FAISC cyberbyte article and take a closer look at where you may have some catching up to do and what lies on the horizon.

 

Important Deadlines (elapsed & upcoming):

  • Information Classification Catalogue by December 31st 2024 (elapsed)
  • Mandatory Reporting Process for Cyber Attacks as of April 1st 2025 (elapsed)
  • Risk Analysis and IT System Classification/Protection Requirements by December 31st 2025 (upcoming)
  • Information Security Management System (ISMS) by December 31st 2026 (upcoming)
  • Technical Security Compliance of all IT resources by December 31st 2029 (upcoming)

 

who (does the FAISC apply to)?

The FAISC applies to a wide range of public-sector bodies, private companies and critical-infrastructure operators. If your organisation falls into one of the following categories, the FAISC most likely applies to YOU:

  • Federal Authorities and Organisations (e.g., Federal Office of Information Technology, Systems and Telecommunication)
  • Cantonal Authorities that access federal data must also comply with the FAISC’s security requirements (e.g., Cantonal Police)
  • Operators of Critical Infrastructure
    • Energy Sector: operators of electricity, gas and water networks (e.g., Axpo Group, Swissgas, Veolia)
    • Transport and Traffic Sector: providers of road, rail, air and marine transport systems (e.g., FEDRO, SBB, Skyguide, SGV)
    • Information and Communication Technology Sector: providers of telecommunications networks and IT systems (e.g., Swisscom)
    • Healthcare Sector: hospitals, medical care and emergency service providers (e.g., University Hospital Zürich)
    • Financial Services Sector: banks, stock exchanges and payment system providers (e.g., UBS, SIX)
    • Food Sector: organisations involved in the production, processing and distribution of food products (e.g., Emmi, Nestlé, Migros)
    • Public Administration: government and administrative service providers at federal, cantonal and municipal level (e.g., Federal Office for Civil Protection, Finance Directorate Kanton Bern, Bevölkerungsamt Zürich)
    • Private companies that work with federal authorities: IT service providers such as cloud providers or data processors (e.g., Microsoft, Oracle, IBM)
    • International Partners: any other international contractors that work with federal agencies

 

what (is the FAISC)?

The FAISC regulates information security in federal authorities as well as in private companies and critical infrastructure operators. It is supplemented by several ordinances that spell out its implementation, ensuring that both the public and the private sector enforce appropriate security measures and have clear guidance on best practices. What follows is an overview of the FAISC’s key ordinances and their major implications:

  • Information Security Ordinance (ISV): Sets out the duties, responsibilities, competences and procedures to which the federal administration and armed forces must adhere when securing their information and IT systems.
    • Example: IT resources with high or very high protection requirements must have the effectiveness of their security measures checked 1) before they go into operation, 2) whenever the risk landscape changes significantly, and 3) at least every five years.

  • Ordinance on Personal Security Checks (VPSP): Provides clear, streamlined, risk-based procedures for when and how to conduct personal security checks on individuals in security-sensitive roles within the federal administration, the armed forces or, under certain circumstances, on cantonal employees and external contractors.
    • Example: Under the new law, personal security checks are only mandated where individuals handle sensitive federal information in roles that could realistically cause harm.

  • Ordinance on Operational Security Procedures (VBSV): Regulates companies and contractors that are awarded security-sensitive federal contracts. It governs the vetting and monitoring of any company that performs security-sensitive work for the federal government, including background checks, spot checks, audits and measures to prevent foreign intelligence services from gaining access to critical federal IT and information.
    • Example: The Operational Security Office collects all security-relevant data (e.g., ownership structure, executive board members, solvency) needed to assess a potential contractor’s suitability.

  • Ordinance on Identity Management Systems and Directory Services of the Federal Government (IAMV): Establishes standards for identity and access management (IAM), directory services and security measures for federal IT systems. It applies to both internal and external service providers that operate federal identity systems.
    • Example: Internal and external operators of components of an IAM system or directory service must have written guidelines on how they handle information security and risk.

  • Cybersecurity Ordinance (CSV): Mandates reporting obligations for cyber attacks that threaten the functionality of critical infrastructures.
    • Example: Attacks must be reported within 24 hours of discovery via the Federal Office for Cyber Security’s reporting system, including details of the nature of the attack, its effects and any countermeasures taken. Information that is not yet available at that point can be supplied in a supplementary report within 14 days.

 

when (are the relevant deadlines and transitional periods for implementation of the FAISC)?

Elapsed Deadlines (are YOU up to date?)

  • Information Classification Catalogue – by December 31st 2024: Affected entities (such as federal authorities, cantonal administrations, private companies that operate critical infrastructures and public institutions) must implement and maintain robust…
    • Classification levels for information and data, setting out their respective protection requirements.
    • Protective measures corresponding to each classification level.
    • Documentation describing the classification scheme and the protective measures in detail.
    • Training for employees to ensure that they understand and know how to apply the new rules, procedures and best practices.

  • Mandatory reporting process for cyber attacks – as of April 1st 2025: Critical infrastructure operators (as described above) must have defined and implemented a structured process for reporting incidents, i.e. cyber attacks and data breaches, so that the 24-hour reporting deadline can actually be met.

Upcoming Deadlines (are YOU prepared?)

  • Risk Analysis, Classification of IT Systems and Definition of Protection Requirements by December 31st 2025: Risk analyses must be completed, IT systems must be classified in accordance with the FAISC and its ordinances, and their respective protection requirements must be defined and documented.

  • Information Security Management System (ISMS) by December 31st 2026: Affected organisations (e.g., federal authorities, cantonal administrations, private companies, public institutions and organisations that operate critical infrastructures) must have set up and operationalised a compliant ISMS.

  • Technical Security Compliance by December 31st 2029: All IT resources of the affected organisations listed above must comply with the technical security requirements set out in the FAISC and its ordinances.

 

why (does the FAISC matter)?

The FAISC matters because it strengthens cyber resilience, protects critical infrastructure and establishes harmonised security standards. It increases resilience against cyber attacks by mandating risk assessments and proper incident management, by promoting international cooperation, and by requiring measures to protect sensitive data, including background checks and spot checks on the people and companies that handle it.

Affected organisations and individuals must ensure that they meet the requirements of the FAISC by the deadlines listed above, both to safeguard their information security and to avoid the legal and financial consequences of non-compliance. The following penalties, sanctions and consequences may be imposed or may ensue in cases of non-compliance:

  • Fines: Financial penalties for breaches of the security regulations.
  • Administrative Measures: Additional requirements or measures imposed by the authorities.
  • Reputational Damage: Loss of trust among customers and partners.
  • Legal Consequences: Possible legal action and criminal sanctions.

 

find out more:

Interested in what the FAISC and the associated deadlines mean for your company?

Joshua Bucheli (cyberunity AG) and John Corona (Osmond GmbH) look forward to hearing from you!

stay tuned for more: look out for our next Cyberbyte on NIS2