
ISG — Swiss Information Security Act

Reviewed by: Cenedril Editorial

A hospital discovers in the morning that its radiology information system has been encrypted and that it has to switch to emergency operation. The ISG reporting duty now runs on a 24-hour clock: the initial report to the BACS has to be made in parallel with patient care, internal crisis management and the report to the police. An operator without a prepared reporting chain loses the first critical hours at this point to phone trees and unclear responsibilities.

The Information Security Act (ISG) governs information security at the federal level and introduces a cyber reporting duty for operators of critical infrastructure. It is the Swiss response to rising cyberattacks against utilities, hospitals and authorities — and gives the Federal Office for Cybersecurity (BACS, formerly NCSC) the legal basis for situational awareness, report analysis and cooperation.

Who is affected?

The ISG has two main target groups:

  • Federal authorities and organisations — departments, federal offices, federal courts, Federal Assembly, contracted third parties. They must run an information security management system, implement information classification and carry out personnel security screening for security-sensitive functions.
  • Operators of critical infrastructure — defined in Art. 74b ISG and the Ordinance on the Reporting Obligation for Cyberattacks (VMCK). Sectors include energy supply, water supply, transport, health, telecommunications, banking, financial market infrastructure and cantonal or communal authorities with a critical function.

The cyber reporting duty sits with the operator directly — even where the attack occurs at an IT service provider, the reporting duty remains with the operator.

What does the law require?

For federal authorities the ISG sets out the foundations of information security:

  • Risk analysis and protection concepts — federal authorities run an ISMS and align protective measures with risk.
  • Classification of information — three levels (internal, confidential, secret) with defined handling rules.
  • Personnel security screening — for functions with access to classified information or critical systems.
  • Security procedures in procurement and awarding — supplier requirements for security-sensitive contracts.

For operators of critical infrastructure the cyber reporting duty applies:

  • Initial report within 24 hours (Art. 74d ISG) — after detection of a reportable cyberattack to the BACS, with the available information on the incident.
  • Follow-up report within 14 days — full description of the incident, impact and measures taken.
  • Reporting from the materiality threshold upwards — defined in the VMCK; in particular when the availability, integrity or confidentiality of the critical infrastructure is materially impaired or a ransom has been demanded.
  • Reports are submitted via the BACS reporting portal — structured input with mandatory fields.

The BACS supports the reporter, coordinates with law enforcement and can publish anonymised situation reports.

In practice

Actively clarify applicability. The VMCK thresholds are partly sector-specific and depend on the actual supply structure, which changes over time. Hospitals, transport operators or energy providers without a BACS registration should actively seek clarification: not having assessed whether you are subject to the duty is no defence for a missed report.

Prepare the 24-hour deadline as a process. The initial report has to be submitted within 24 hours of detection, weekends and public holidays included. This requires clear on-call duty, defined deputies and a standard set of reporting content prepared independently of the specific incident: operator, asset, sector, contact point.

Think through the relationship with the DSG report. When a cyberattack is at the same time a data protection breach, the ISG report to the BACS and the DSG report to the FDPIC apply in parallel. The reports differ in content, deadline and addressee. A common master template set substantially reduces the double workload.

Mapping to ISO 27001

The ISG requirements, especially for federal information security, correspond closely with ISO 27001. For operators of critical infrastructure, incident response is the central touch point. The directly relevant controls are listed under ISO 27001 Controls Covered below.

Typical audit findings

  • Self-assessment of ISG applicability missing — the organisation is subject to reporting under the VMCK but has never registered with the BACS.
  • 24-hour reporting chain not rehearsed — nobody has tested the reporting path at the weekend; the on-call staff does not know the BACS portal.
  • Follow-up report late or incomplete — the 14-day deadline is missed because forensics are still ongoing and nobody has the deadline in the calendar.
  • Confusion between ISG and DSG reporting — a report is sent only to the FDPIC, the BACS stays uninformed; or vice versa.
  • Federal personnel security screening not updated — staff with access to classified information have not been re-screened in years.
  • Classification rules on paper, not in the tools — confidential information is processed in unclassified tools because the tools do not enforce classification.


ISO 27001 Controls Covered

  • A.5.7 Threat intelligence
  • A.5.24 Information security incident management planning and preparation
  • A.5.25 Assessment and decision on information security events
  • A.5.26 Response to information security incidents
  • A.5.27 Learning from information security incidents
  • A.5.29 Information security during disruption
  • A.5.30 ICT readiness for business continuity
  • A.5.36 Compliance with policies, rules and standards for information security
  • A.6.3 Information security awareness, education and training
  • A.8.7 Protection against malware
  • A.8.8 Management of technical vulnerabilities
  • A.8.16 Monitoring activities

Frequently asked questions

Am I subject to the reporting duty as an operator of critical infrastructure under the ISG?

The cyber reporting duty has been in force since 1 April 2025 and applies to operators of critical infrastructure in the defined sectors: energy, water, transport, health, telecommunications, banking, financial market infrastructure and public administration. The Ordinance on the Reporting Obligation for Cyberattacks (VMCK) details the thresholds. Operators that are not yet registered with the BACS (formerly NCSC) should actively seek a review.

Where do I report a cyberattack?

To the Federal Office for Cybersecurity (BACS), the successor to the NCSC. Reports are submitted via the official reporting portal within 24 hours of detection, complemented by a detailed follow-up report within 14 days. The duty rests with the operators of critical infrastructure, not with individual employees.

How does the ISG relate to the DSG reporting duty and to NIS2 in the EU?

The ISG reporting regime runs in parallel with the DSG report to the FDPIC; both duties may apply simultaneously in one incident. Switzerland has not adopted NIS2 and there is no direct transposition of it; it has chosen its own regime that achieves a similar effect in the core duties. Organisations active in both areas should document the thresholds and deadlines per regime separately.