You are here


Survey Answer:

Currently, there are no specific dedicated laws or (legally binding) administrative measures governing IT-Security regarding critical infrastructures. However, based on the NCS (see above, Question 1.1), the Federal Office for National Economic Supply (FONES) published the 'Minimum ICT Standard' in August 2018. This document is based on the internationally rec-ognized National Institute of Standards and Technology (NIST) Cybersecurity Framework Core (and other standards such as ISO 2700x, COBIT, and the ENISA Good Practice Guide on Na-tional Cyber Security) and contains 106 measures (of organizational and technical nature) to improve ICT resilience against cyber risks (including a full inventory of all hardware and soft-ware, training of employees, data protection measures, early warning systems, etc). Inspired by the NIST Cybersecurity Framework Core, the Minimum ICT Standard follows a risk-based approach and consists of the following five elements: Identify, Protect, Detect, Respond and Recover. The Minimum ICT Standard is primarily addressed to operators of critical infrastruc-tures (including the following sectors: energy, financial and insurance services, information and communication services, public administration, public health, public safety, transporta-tion, food and water supply, waste disposal) for whom it is recommended to implement the measures outlined in the standard (or, alternatively, similar frameworks such as ISO 2700x or COBIT). Other industries are encouraged to use the standard as a reference. The legal basis for setting a minimum ICT standard is the National Economic Supply Act (NESA).

For the time being, the Minimum ICT Standard serves as a recommendation to operators of critical infrastructures. Accordingly, the standard does not impose mandatory obligations. There is currently a political debate whether minimum ICS standards shall be rendered legal-ly binding for operators of critical infrastructures, and whether notification duties shall be imposed. Albeit not legally binding, minimum ICT standards serve as benchmarks for audi-tors.

With regard to financial institutions/banks, see below Question 3.1.

Provided By:
Roland Mathys, Schellenberg Wittmer and Clara-Ann Gordon, Niederer Kraft Frey