The Swiss Regulatory Context: Understanding the ISL and the FADP
Switzerland has a solid regulatory framework for the protection of information and personal data, mainly governed by two key laws:
- The ISL (Information Security Law), which aims to secure the critical infrastructures and information systems of federal authorities, their suppliers, as well as organisations considered essential for the country.
- The FADP (Federal Act on Data Protection), which protects the fundamental rights of individuals and strengthens transparency around the use of their personal data.
In the digital age and in the face of growing cyber threats, understanding and applying these laws is no longer optional. Companies must ensure compliance not only to avoid sanctions, but also to strengthen the trust of their customers and partners. This responsibility now extends to the individual level: people involved in data processing can also be held accountable in the event of non-compliance.
Impact of the ISL (Information Security Law) on Businesses
The ISL requires the relevant stakeholders to implement security measures proportionate to the sensitivity of the information being processed. This includes:
- Protecting IT systems against cyberattacks.
- Securing critical infrastructures.
- Developing internal policies and procedures for incident and risk management.
For companies directly affected or partnering with critical organisations, compliance with the ISL is a factor of credibility and resilience, helping to limit the financial, operational and reputational risks associated with security breaches.
This applies in particular to energy players such as Alpiq or the Nant de Drance power plant, to transport operators such as SBB Cargo, to gas infrastructures like Transitgas, or to strategic data centres such as Green.ch.
A key element of the ISL is the obligation for critical infrastructure operators to report any cyberattack.
- The report must be submitted to the competent authority within 24 hours of detecting the incident (article 74e).
- This measure aims to strengthen the responsiveness of the authorities, limit the spread of attacks, and improve national coordination in the field of cybersecurity.
The FADP (Federal Act on Data Protection): What’s New and What’s Required
The FADP, which entered into force in its revised version in September 2023, introduces several important changes:
- Explicit consent: companies must obtain clear and informed agreement before collecting or processing personal data.
- Transparency: obligation to inform the individuals concerned about the use, purpose and retention period of their data.
- Rights of individuals: right of access, rectification, deletion and portability of personal data.
- Data security: implementation of organisational and technical measures to prevent any leak, loss or misuse.
For Swiss companies, compliance with the FADP is not only a legal requirement: it is also an opportunity to strengthen trust, transparency and competitiveness.
Assess Your Readiness for Cybersecurity Compliance
Before implementing the requirements of the ISL and the FADP, it is essential to assess your level of readiness:
- Are your sensitive data properly identified and classified?
- Are your systems and infrastructures protected against current and future threats?
- Are your employees trained in cybersecurity and data protection best practices?
- Do you have documented processes in place to respond to requests for access, rectification or deletion of personal data?
An internal or external audit can help you measure your compliance and identify key areas for improvement.
The Steps to Achieve and Maintain Compliance
To achieve and maintain compliance with the ISL and the FADP, companies must follow a structured approach:
- Map data and risks: identify sensitive data and assess associated risks.
- Implement policies and procedures: define clear rules for the collection, processing and protection of data.
- Train and raise awareness among employees: compliance relies on the vigilance and involvement of everyone.
- Implement technical and organisational measures: system hardening, backups, encryption, access controls, incident management.
- Monitor and continuously improve: regular audits, incident tracking and adjustments to remain compliant.
SPIE: Your Partner for ISL and FADP Compliance in Switzerland
SPIE offers strong expertise in cybersecurity, covering the protection of systems, the implementation of appropriate safeguards and the maintenance of robust processes, in line with international standards (notably ISO 27001). With this approach, SPIE can play a key role in your journey towards compliance with Swiss regulatory requirements such as the ISL and the FADP.
Do not leave ISL and FADP compliance to chance. Anticipate today to ensure the security of your information and uphold the rights of your customers in Switzerland.