ISA and NIS2: Cybersecurity is Not an Option; It is a Strategic Imperative.

Companies in Switzerland and the European Union (EU) will have to comply with stricter and more comprehensive cybersecurity regulations this year. A new Federal Information Security Act (ISA) came into force in Switzerland at the beginning of the year, consolidating the legal basis for cybersecurity into a single piece of legislation. The EU's NIS2 Directive also imposes stricter security requirements on European companies - those that fail to comply could face fines of up to €10 million.

Marc Rudin
+41 58 510 18 07

The revised Data Protection Act (DPA) and its implementing provisions in the new Data Protection Ordinance (DPO) came into force in Switzerland last fall[i]. The revised Swiss Data Protection Act introduces additional regulations and compliance requirements for companies, such as keeping a register of data processing activities and conducting data protection impact assessments when processing risk data. All of this is closely aligned with the European General Data Protection Regulation (GDPR)[ii].

The new regulations tighten cybersecurity monitoring and reporting requirements for Swiss and European companies. In Switzerland, the National Cybersecurity Center (NCSC) has been transformed into the Federal Office for Cybersecurity (BACS). The BACS is the federal government's center of competence for cybersecurity and the first point of contact on cyber issues for business, administration, educational institutions and the general public.[iii] It is responsible for the coordinated implementation of the National Cyber Strategy (NCS), with a particular focus on critical infrastructure protection. 


Minimizing risks and ensuring continuity

The ISA strengthens the legal framework in the field of information security.[iv] It requires Swiss authorities, government and federal organizations, the federal courts, the Swiss National Bank and other entities and third parties working with them (including, under certain conditions, private companies) to minimize potential risks, continuously assess system stability and ensure business continuity. They are all required to implement and evaluate comprehensive and proactive security measures and take appropriate steps to protect data and digital assets from cyber incidents. The ISA also requires the establishment of an Information Security Management System (ISMS). It must ensure risk assessments, data classification and compliance with security standards. In addition, a reporting requirement for cyber-attacks on critical infrastructure[v] will be introduced. It is expected to come into force early next year[vi].


Stricter requirements for critical sectors and infrastructure in the EU

In the EU, the NIS2 Directive creates new cybersecurity obligations for many companies in critical sectors[vii]. Companies in 18 sectors with more than 50 employees and a turnover of €10 million must now implement a specific cybersecurity management system. The directive expands the scope and obligations and introduces strict incident reporting requirements and additional cyber risk management measures. Failure to comply with the NIS2 Directive could result in significant fines, imposed by national authorities, of up to €10 million or 2 percent of annual global turnover for essential sectors and up to €7 million or 1.4 percent of turnover for key sectors.

What are the main implications and actions for affected organizations? 
They need to take steps to prevent, detect, identify, contain, mitigate, and respond to IT incidents. Ensuring business continuity, crisis management, supply chain security, and network and information system security through vulnerability assessments and penetration testing are also important. In addition, sound security practices that comply with regulatory requirements must be implemented. The ISA requires immediate reporting of cyber incidents.


Proactive action is essential

The new cybersecurity landscape demands a proactive approach. Organizations must prioritize monitoring, detection, and reporting. Compliance checklists and expert guidance are invaluable resources. 

Cybersecurity is not an option; it is a strategic imperative. Only a balanced set of organizational and technical measures can effectively and holistically protect your business and ensure compliance with the latest regulations. New dimensions of security must be introduced to complement traditional prevention (network and perimeter protection)[viii]. On the one hand, this includes the ability to detect an attacker as early as possible. On the other hand, countermeasures must be initiated as quickly as possible. When it comes to proactive cybersecurity and compliance with changing regulatory requirements, UMB is the place to be. Contact us for more information.

[i]    What is the New Swiss Data Protection Act, and How Do You Achieve Compliance?  

[ii]   General data protection regulation (GDPR) | EUR-Lex

[iii] Homepage NCSC (BACS)  

[iv] New information security law with implications for private companies working for the government 

[v]  Authorities and organizations to be notified  (No official English translation available)

[vi]  Mandatory reporting on critical infrastructure – timetable (No official English translation available)

[vii] Directive on measures for a high common level of cybersecurity across the Union (NIS2) 

[viii] UMB Cyber Security: A New Dimension in Security.