ISG – Sup­ple­ment, Cri­ti­cal Infras­truc­tu­re Report­ing Obli­ga­ti­on: Mes­sa­ge and Draft (2.12.2022)

On Decem­ber 2, 2022, the Fede­ral Coun­cil appro­ved the Mes­sa­ge on the amend­ment of the Infor­ma­ti­on Secu­ri­ty Act (ISG) adopted (Media release). The Draft law con­cerns the report­ing obli­ga­ti­on for ope­ra­tors of cri­ti­cal infras­truc­tu­re to the Natio­nal Cyber Secu­ri­ty Cen­ter (NCSC). The NCSC thus replaces MELANI. – The ISG will then no lon­ger be cal­led the “Fede­ral Act on Infor­ma­ti­on Secu­ri­ty at the Con­fe­de­ra­ti­on”, but the “Fede­ral Act on Infor­ma­ti­on Secu­ri­ty” (becau­se it is no lon­ger just about the Con­fe­de­ra­ti­on). The Fede­ral Coun­cil will still issue a con­cre­tiz­ing ordinance.

Preli­mi­na­ry draft and consultation

This was pre­ce­ded by a Preli­mi­na­ry draft of Decem­ber 18, 2020 and a Con­sul­ta­ti­on, which lasted from Janu­ary 12 to April 14, 2022 (we have published on the ISG here, here, here and here repor­ted). In the con­sul­ta­ti­on pro­cess, 99 comm­ents were recei­ved from can­tons, ope­ra­tors of cri­ti­cal infras­truc­tures and from rese­arch and indu­stry. The reac­tions were posi­tively posi­ti­ve (Con­sul­ta­ti­on report). Howe­ver, the main con­cerns were that the report­ing obli­ga­ti­on should be as unbu­reau­cra­tic as pos­si­ble and should not invol­ve a gre­at deal of addi­tio­nal work. In addi­ti­on, the terms, the list of repor­ta­ble are­as and the excep­ti­ons to the report­ing obli­ga­ti­on should be spe­ci­fi­ed, as should the defi­ni­ti­on of the cyber­at­tacks to be repor­ted and the moda­li­ties for sub­mit­ting the report. The pen­al­ties for vio­la­ting the report­ing obli­ga­ti­on and the hand­ling of infor­ma­ti­on from reports were also the sub­ject of cri­ti­cism and sug­ge­sti­ons (inci­den­tal­ly, the FCO expli­ci­t­ly takes pre­ce­dence here, and the NCSC, like the FDPIC and unli­ke the SNB or FINMA, is not exempt from the FCO).

A Del­ta­view bet­ween the con­sul­ta­ti­on draft and the draft can be found here:

Report­ing obli­ga­ti­ons accor­ding to the draft

The List of repor­ta­ble are­as was essen­ti­al­ly adju­sted as follows:

  • the exemp­ti­on for ope­ra­tors of nuclear faci­li­ties was deleted;
  • instead of “hos­pi­tals”, the draft speaks of “health care faci­li­ties” (if they are on the hos­pi­tal list);
  • The obli­ga­ti­on to noti­fy manu­fac­tu­r­ers or dis­tri­bu­tors of medi­cal devices was deleted;
  • the lin­kage for trans­port com­pa­nies was adjusted;
  • air­port ope­ra­tors were new­ly included;
  • a rest­ric­tion has been inclu­ded in the uti­li­ties for dai­ly needs;
  • in the case of hard­ware and soft­ware manu­fac­tu­r­ers, the cri­te­ria for inclu­si­on have been nar­ro­wed (use for the ope­ra­ti­on of medi­cal devices or tele­com­mu­ni­ca­ti­ons equip­ment or IT secu­ri­ty or encryp­ti­on, etc. is no lon­ger suf­fi­ci­ent; secu­ri­ty and trust ser­vice pro­vi­ders have been inclu­ded instead).

Thus the List now sim­pli­fi­ed – we lea­ve out details here, but they are important – the fol­lo­wing com­pa­nies and authorities:

  • Uni­ver­si­ties;
  • Fede­ral, can­to­nal and muni­ci­pal aut­ho­ri­ties as well as inter­can­to­nal, can­to­nal and inter­mu­ni­ci­pal organizations;
  • Orga­nizati­ons with public tasks in the are­as of Safe­ty and res­cue, drin­king water sup­p­ly, waste­wa­ter tre­at­ment and waste dis­po­sal (inso­far as they act in a sove­reign manner);
  • Ener­gy sup­plier and com­pa­nies acti­ve in ener­gy tra­ding, ener­gy meter­ing or ener­gy control;
  • Banks, pri­va­te insu­rance com­pa­nies and finan­cial mar­ket infras­truc­tures – to this the message:

    Com­pa­nies in the finan­cial sec­tor are hea­vi­ly affec­ted by cyber attacks, as they are an attrac­ti­ve tar­get for cri­mi­nals due to the con­sidera­ble finan­cial resour­ces they mana­ge. It is important for the relia­bi­li­ty of the Swiss finan­cial cen­ter that such attacks are repor­ted. The exi­sting report­ing obli­ga­ti­on for cyber attacks to the Finan­cial Mar­ket Super­vi­so­ry Aut­ho­ri­ty FINMA will remain in place in par­al­lel to the new report­ing obli­ga­ti­on to the NCSC. FINMA and the NCSC will coor­di­na­te the report­ing pro­cess to mini­mi­ze the bur­den on tho­se requi­red to report.

  • Heal­th­ca­re Faci­li­ties on the can­to­nal hos­pi­tal list (in addi­ti­on to hos­pi­tals, also mater­ni­ty hos­pi­tals and nur­sing homes);
  • medi­cal labo­ra­to­ries with a per­mit under the Epi­de­mics Act;
  • Com­pa­nies that Drugs manu­fac­tu­re, place on the mar­ket or import;
  • Social Secu­ri­ty; in addi­ti­on the message:

    Orga­nizati­ons that pro­vi­de bene­fits to cover the con­se­quen­ces of ill­ness, acci­dent, inca­pa­ci­ty to work and disa­bi­li­ty, old age, disa­bi­li­ty and hel­p­less­ness are also requi­red to regi­ster. The term “social insu­ran­ces” is not men­tio­ned in the text of the law, as it is not defi­ned by law.

    The obli­ga­ti­on to report is cir­cum­scri­bed on the basis of the bene­fits for risks cover­ed by the Gene­ral Pro­vi­si­ons of the Fede­ral Act of Octo­ber 6, 200047F48 on the Gene­ral Part of Social Insu­rance Law (ATSG) in order to cover as many bran­ches of social insu­rance as pos­si­ble. Howe­ver, the obli­ga­ti­on to report is not limi­t­ed to social insu­ran­ces that are sub­ject to the ATSG. It has been deci­ded not to enu­me­ra­te indi­vi­du­al laws (e.g. Fede­ral Law of 19 June 195948F49 on Disa­bi­li­ty Insu­rance, Fede­ral Law of 20 Decem­ber 194649F50 on Old Age and Sur­vi­vors’ Insu­rance) in order to cover not only sta­tu­to­ry bene­fits but also non-com­pul­so­ry bene­fits, such as occu­pa­tio­nal pen­si­ons or sup­ple­men­ta­ry insu­rance to com­pul­so­ry health insurance.

    In the case of occu­pa­tio­nal pen­si­on plans (in the sen­se of the 2nd pil­lar), all regi­stered and non-regi­stered pen­si­on plans (inclu­ding sup­ple­men­ta­ry insti­tu­ti­ons), vested pen­si­on plans and the secu­ri­ty fund are included.

    Vol­un­t­a­ry per­so­nal pen­si­on plans (pil­lars 3a and 3b) are gene­ral­ly offe­red by banks and insu­rance com­pa­nies, which in turn are sub­ject to the report­ing obligation.

    At the ordi­nan­ce level, the Fede­ral Coun­cil may also impo­se rest­ric­tions on the group of per­sons sub­ject to the report­ing obli­ga­ti­on in the case of social insu­rance sche­mes and, for exam­p­le, rest­rict the group of addres­sees of the pen­si­on and vested bene­fits insti­tu­ti­ons sub­ject to the report­ing obli­ga­ti­on by means of sui­ta­ble cri­te­ria (cf. Art. 74c and the expl­ana­ti­ons under 4.3.3).

  • the SRG and News Agen­ci­es of natio­nal importance (curr­ent­ly only Keystone-SDA);
  • Postal Ser­vice Pro­vi­der;
  • Rail­road com­pa­ny and Cable car, trol­ley bus, bus and ship­ping com­pa­nies;
  • Com­pa­ny of the Civil Avia­ti­on and Natio­nal Air­ports accor­ding to the infras­truc­tu­re sec­to­ral plan;
  • Ship­ping com­pa­nies that trans­port goods on the Rhi­ne and com­pa­nies that ope­ra­te regi­stra­ti­on, loa­ding or unloa­ding in the Port of Basel;
  • Com­pa­nies that pro­vi­de the popu­la­ti­on with indis­pensable goods of the dai­ly need sup­p­ly and who­se fail­ure or impair­ment would lead to signi­fi­cant sup­p­ly bot­t­len­ecks – this is what the mes­sa­ge is about:

    A lar­ge num­ber of play­ers are invol­ved in sup­p­ly­ing the popu­la­ti­on with essen­ti­al goods for dai­ly use, espe­ci­al­ly food. In addi­ti­on to pro­du­cers and importers, pro­ces­sors, dis­tri­bu­ti­on cen­ters and retail­ers also play an important role. Not all of the­se play­ers are equal­ly important for the secu­ri­ty of sup­p­ly in Switz­er­land. For this rea­son, a rest­ric­tion has alre­a­dy been made at the legis­la­ti­ve level to com­pa­nies who­se fail­ure or impair­ment would lead to signi­fi­cant sup­p­ly bottlenecks.

    The obli­ga­ti­on to report cyber­at­tacks should thus app­ly only to tho­se actors who are important in this respect. The Fede­ral Coun­cil will the­r­e­fo­re rest­rict the report­ing obli­ga­ti­on in the area of the sup­p­ly of essen­ti­al goods of dai­ly use at ordi­nan­ce level in accordance with the cri­te­ria of Artic­le 74c.

  • regi­stered Tele­com­mu­ni­ca­ti­ons ser­vice pro­vi­ders;
  • Regi­strars;
  • Pro­vi­ders and ope­ra­tors of ser­vices and infras­truc­tures that ser­ve the Exer­cise of poli­ti­cal rights (e‑voting, systems for kee­ping voting regi­sters and for deter­mi­ning and trans­mit­ting the results of bal­lots, elec­tro­nic signa­tu­re coll­ec­tion, prin­ting of voting material);
  • Pro­vi­ders and ope­ra­tors of Cloud Com­pu­ting, Search engi­nes, digi­tal secu­ri­ty and trust ser­vices as well as Data cen­ters based in Switz­er­land; in addi­ti­on, the message:

    The noti­fi­ca­ti­on requi­re­ment applies to pro­vi­ders and ope­ra­tors of cloud com­pu­ting (e.g. soft­ware-as-a-ser­vice, SaaS), search engi­nes, digi­tal secu­ri­ty and trust ser­vices, and data cen­ters, pro­vi­ded they have a regi­stered office in Switzerland.

    By ana­lo­gy with EU law,62F 63 the term “trust ser­vice” covers ser­vices in the are­as of elec­tro­nic signa­tures, seals and time stamps, deli­very of elec­tro­nic regi­stered mail, cer­ti­fi­ca­tes for authen­ti­ca­ti­on, and (pre­ser­va­ti­on) ser­vices for elec­tro­nic signa­tures, seals and cer­ti­fi­ca­tes. The e‑ID, for exam­p­le, is thus also con­side­red a trust service.

    By secu­ri­ty ser­vice is meant, in par­ti­cu­lar, solu­ti­ons for the encryp­ti­on of infor­ma­ti­on or ser­ve the IT means of pro­tec­tion against cyber attacks (spam fil­ters, anti­vi­rus pro­grams, firewalls).

  • Manu­fac­tu­rer from Hard­ware or soft­ware, who­se pro­ducts are used by cri­ti­cal infras­truc­tures and have remo­te access or are used to con­trol and moni­tor ope­ra­tio­nal systems and pro­ce­s­ses or to ensu­re public safe­ty. In addi­ti­on, the message:

    Cyber attacks on cri­ti­cal infras­truc­tures via their sup­p­ly chains have beco­me a rele­vant thre­at. In par­ti­cu­lar, the sup­pliers of hard­ware and soft­ware are in the focus. The attackers mani­pu­la­te the IT resour­ces befo­re they are deli­ver­ed to the end cus­to­mers so that they can later gain access to the systems. Cyber attacks on the manu­fac­tu­r­ers of hard­ware and soft­ware for cri­ti­cal infras­truc­tures are the­r­e­fo­re of gre­at importance for cyber security.

    Cyber attacks on manu­fac­tu­r­ers are par­ti­cu­lar­ly rele­vant if they have remo­te main­ten­an­ce access to the systems. Remo­te main­ten­an­ce access allo­ws manu­fac­tu­r­ers who have the appro­pria­te aut­ho­rizati­on to access IT and OT com­pon­ents in the local net­work from out­side – i.e., usual­ly via the Inter­net – for the pur­po­se of main­ten­an­ce or trou­ble­shoo­ting. Attackers can attempt to pene­tra­te cri­ti­cal infras­truc­tu­re systems direct­ly via such legi­ti­ma­te access points.

    In addi­ti­on to the cri­ter­ion of remo­te main­ten­an­ce access, manu­fac­tu­r­ers of hard­ware and soft­ware are also requi­red to report if their pro­ducts are used in par­ti­cu­lar­ly sen­si­ti­ve are­as. This applies to hard­ware and soft­ware for con­trol­ling and moni­to­ring phy­si­cal devices, pro­ce­s­ses and events (so-cal­led ope­ra­tio­nal tech­no­lo­gy). In par­ti­cu­lar, this inclu­des indu­stri­al con­trol systems and auto­ma­ti­on solu­ti­ons that per­form con­trol and regu­la­ti­on func­tions of all kinds. Other examp­les are labo­ra­to­ry equip­ment, e.g. auto­ma­ted micro­sco­pes or ana­ly­sis tools, logi­stics systems, such as bar­code scan­ners with small com­pu­ters, or buil­ding manage­ment systems (item 1).

    The focus is also on hard­ware and soft­ware used to ensu­re public safe­ty (item 2). This inclu­des, in par­ti­cu­lar, the com­mu­ni­ca­ti­ons of emer­gen­cy orga­nizati­ons or systems for poli­ce investigations.

    Howe­ver, no obli­ga­ti­on to report ari­ses sim­ply becau­se a cyber attack affects the IT resour­ces of the com­pa­nies’ cus­to­mers. Inter­net ser­vice pro­vi­ders are the­r­e­fo­re gene­ral­ly not respon­si­ble for report­ing inci­dents invol­ving their cus­to­mers, accor­ding to the message.

With the Excep­ti­ons from the report­ing requi­re­ment will be regu­la­ted by the Fede­ral Coun­cil, inclu­ding through thres­holds; howe­ver, the sub­ject of the excep­ti­ons in the law has been cla­ri­fi­ed (it con­cerns cases whe­re cyber­at­tacks have only a minor impact).

Sin­ce some ambi­gui­ties remain, even with a spe­ci­fi­ca­ti­on at the ordi­nan­ce level, the NCSC is to pro­vi­de infor­ma­ti­on (e.g., through FAQ) as to whe­ther bor­der­line cases are cover­ed. If this clas­si­fi­ca­ti­on is dis­pu­ted or doub­ted, the NCSC must, accor­ding to the mes­sa­ge, issue an appealable order. This is likely to invol­ve not only sub­or­di­na­ti­on orders, but also non-sub­or­di­na­ti­on orders.

Man­da­to­ry report­ing of cyber attacks

At the Obli­ga­ti­on to report in a spe­ci­fic case the requi­re­ments have been stream­lined. Cyber­at­tacks on the infor­ma­ti­on tech­no­lo­gy assets of cover­ed enti­ties must be repor­ted. “Cyber­at­tacks” are to be repor­ted if they are.

  • jeo­par­di­zes the func­tion­a­li­ty of the affec­ted cri­ti­cal infrastructure;
  • led to tam­pe­ring (e.g., data encryp­ti­on in a ran­som­wa­re attack) or infor­ma­ti­on leakage;
  • remain­ed unde­tec­ted for an exten­ded peri­od of time, espe­ci­al­ly if the­re are indi­ca­ti­ons that it was car­ri­ed out in pre­pa­ra­ti­on for fur­ther cyber­at­tacks; or
  • is con­nec­ted with extor­ti­on, thre­ats or coer­ci­on, i.e. in the case of accom­pany­ing cir­cum­stances rele­vant under cri­mi­nal law. Howe­ver, accor­ding to the mes­sa­ge, this pre­sup­po­ses that the extor­ti­on, thre­at or coer­ci­on has a con­nec­tion to the com­pa­ny sub­ject to the report­ing requi­re­ment and can have a nega­ti­ve impact on its busi­ness activities.

Con­tent infor­ma­ti­on on the report­ing aut­ho­ri­ty or orga­nizati­on, the type and exe­cu­ti­on of the cyber attack (e.g. IP addres­ses or DNS records of known attack infras­truc­tures such as bot­nets or com­mand and con­trol ser­vers, URL to sus­pi­cious pages, hash values of mal­wa­re, virus signa­tures, anoma­lies in net­work traf­fic or sus­pi­cious beha­vi­or of soft­ware, accor­ding to the mes­sa­ge), its effects, mea­su­res taken and, if known, the plan­ned fur­ther action. Howe­ver, an obli­ga­ti­on to report infor­ma­ti­on that would lead to the report­ing par­ty being cri­mi­nal­ly char­ged is express­ly exclu­ded. This will be men­tio­ned in the report­ing form.

Also spe­ci­fi­ed was the Report­ing dead­line: The noti­fi­ca­ti­on must no lon­ger be made as soon as pos­si­ble, but – as is the case, for exam­p­le, after the FINMA super­vi­so­ry noti­ce on cyber­at­tacks or the new cir­cular Ope­ra­tio­nal Risks and Resi­li­ence – within 24 hours of the dis­co­very of the cyber attack. Within this peri­od, howe­ver, only the infor­ma­ti­on known up to that point must be repor­ted; the report can be sup­ple­men­ted later.

The NCSC Accor­ding to the Fede­ral Coun­cil, it wants to intro­du­ce an elec­tro­nic Regi­stra­ti­on form with which mes­sa­ges can be recor­ded and, if desi­red, trans­mit­ted to other offices. This will also descri­be what is meant by the indi­vi­du­al pie­ces of infor­ma­ti­on. The message:

The NCSC alre­a­dy uses an elec­tro­nic report­ing form to recei­ve vol­un­t­a­ry reports. The elec­tro­nic report­ing system of the NCSC can also be used for the rece­ipt of reports in ful­fill­ment of the report­ing obli­ga­ti­on. The neces­sa­ry coor­di­na­ti­on with other bodies that also accept reports (e.g. FDPIC, Swiss Finan­cial Mar­ket Super­vi­so­ry Aut­ho­ri­ty [FINMA], Swiss Fede­ral Nuclear Safe­ty Inspec­to­ra­te [ENSI]) and the con­fi­gu­ra­ti­on of the report­ing form will requi­re an initi­al out­lay that can, howe­ver, be absor­bed by the exi­sting resour­ces of the NCSC. Howe­ver, in order to imple­ment the tem­p­la­te, the NCSC must be able to ensu­re that reports recei­ved in ful­fill­ment of the report­ing requi­re­ment are cor­rect­ly recor­ded, ack­now­led­ged, and docu­men­ted, and that the resul­ting cyber thre­at infor­ma­ti­on is for­ward­ed to the pro­per par­ties for ear­ly war­ning pur­po­ses. This addi­tio­nal effort must be con­side­red as the NCSC con­ti­nues to expand.

For coor­di­na­ti­on pur­po­ses, the report­ing system is desi­gned in such a way that reports can be trans­mit­ted in who­le or in part to other aut­ho­ri­ties, and addi­tio­nal infor­ma­ti­on can also be recor­ded for such fur­ther reports. In this case, the noti­fy­ing par­ties alo­ne deci­de on such fur­ther notifications.

Penal pro­vi­si­ons

In con­trast, the con­tents of the Penal pro­vi­si­ons. As befo­re, only a vio­la­ti­on of an order of the NCSC (i.e., after an initi­al less for­mal cont­act by the NCSC) is punis­ha­ble, not the fail­ure to report, and con­ti­nues to be punis­ha­ble by a fine of up to CHF 100,000. In ana­lo­gy to the nDSG, the per­son who “should have ensu­red within the cri­ti­cal infras­truc­tu­re that the order of the NCSC was com­plied with” would be punis­ha­ble. The thres­hold for a sub­si­dia­ry bur­den on the com­pa­ny in the case of dis­pro­por­tio­na­te inve­sti­ga­ti­on efforts remains at CHF 20,000 (i.e., as with the nDSG, at 20% of the fine limit). To ensu­re that the reports are nevert­hel­ess made, the law crea­tes an incen­ti­ve: tho­se obli­ged to report are entit­led to the sup­port of the NCSC fol­lo­wing a report that com­plies with the law.

Amend­ments to other enact­ments (incl. nDSG)

Adjust­ments are also to be made to the Public Pro­cu­re­ment Act, at the Nuclear Ener­gy Act, at the Elec­tri­ci­ty Sup­p­ly Act and at the Finan­cial Mar­ket Super­vi­si­on Actbut also with the nDSG would be inser­ted in Art. 24 (noti­fi­ca­ti­on of data secu­ri­ty brea­ches) a new para­graph 5bis, which would essen­ti­al­ly replace Art. 41 of the FDPO corresponds:

1 The con­trol­ler shall noti­fy the FDPIC as soon as pos­si­ble of a data breach that is likely to result in a high risk to the per­so­na­li­ty or fun­da­men­tal rights of the data subject.
2 The noti­fi­ca­ti­on shall at least spe­ci­fy the natu­re of the data breach, its con­se­quen­ces and the mea­su­res taken or envisaged.
3 The Order Pro­ces­sor shall report a data breach to the Respon­si­ble Par­ty as soon as possible.
4 The data con­trol­ler shall inform the data sub­ject if it is neces­sa­ry for his or her pro­tec­tion or if the FDPIC so requests.
5 It may limit, post­po­ne or wai­ve the infor­ma­ti­on to the data sub­ject if:
a. the­re is a rea­son pur­su­ant to Artic­le 26(1)(b) or (2)(b) or a sta­tu­to­ry duty of con­fi­den­tia­li­ty pro­hi­bits this;
b. the infor­ma­ti­on is impos­si­ble or requi­res a dis­pro­por­tio­na­te effort; or
c. the infor­ma­ti­on of the data sub­ject is ensu­red by a public announce­ment in a com­pa­ra­ble manner.
5bis The FDPIC may, with the con­sent of the respon­si­ble par­ty, for­ward the noti­fi­ca­ti­on to the Natio­nal Cyber Secu­ri­ty Cen­ter for ana­ly­sis of the inci­dent. The noti­fi­ca­ti­on may con­tain per­so­nal data, inclu­ding par­ti­cu­lar­ly sen­si­ti­ve per­so­nal data about admi­ni­stra­ti­ve and cri­mi­nal pro­se­cu­ti­ons or sanc­tions con­cer­ning the respon­si­ble party.
6 A report made pur­su­ant to this artic­le may be used in cri­mi­nal pro­ce­e­dings against the per­son requi­red to make the report only with that person’s consent.

In addi­ti­on, the message:

In order for the FDPIC to be able to invol­ve the tech­ni­cal spe­cia­lists of the NCSC in the ana­ly­sis of a data breach which has occur­red and which has been repor­ted to him by the data con­trol­ler on the basis of Artic­le 24 nDSG and Artic­le 19 FADP, Artic­le 24 para­graph 5bis nDSG pro­vi­des, That the FDPIC may for­ward a data breach noti­fi­ca­ti­on to the NCSC..

The for­war­ding may con­tain any infor­ma­ti­on pur­su­ant to Artic­le 19(1) DPA, but at the same time must refer to the infor­ma­ti­on neces­sa­ry for the NCSC to ana­ly­ze the inci­dent. Limit neces­sa­ry data. In this con­text, the com­mu­ni­ca­ti­on of the FDPIC to the NCSC may also con­tain per­so­nal data, inclu­ding par­ti­cu­lar­ly sen­si­ti­ve per­so­nal data on admi­ni­stra­ti­ve and cri­mi­nal pro­se­cu­ti­ons or sanc­tions of the respon­si­ble par­ty sub­ject to the report­ing obli­ga­ti­on. The infor­ma­ti­on neces­sa­ry for the ana­ly­sis of an inci­dent is sel­ec­ted on a case-by-case basis, Howe­ver, under cer­tain cir­cum­stances, this may also indi­rect­ly pro­vi­de infor­ma­ti­on to the NCSC about an ongo­ing pro­ce­e­ding. The­r­e­fo­re, a legal basis for the dis­clo­sure of per­so­nal data requi­ring spe­cial pro­tec­tion must be created.

The pre­re­qui­si­te is that the per­son respon­si­ble, who is obli­ged to report to the FDPIC, has given his or her pri­or con­sent to the for­war­ding of the infor­ma­ti­on. Fur­ther­mo­re, the for­war­ding must not lead to the cir­cum­ven­ti­on of Artic­le 24 (6) nDSG, accor­ding to which the report may only be used in the con­text of cri­mi­nal pro­ce­e­dings with the con­sent of the per­son requi­red to report. This means that a per­son respon­si­ble will be able to invo­ke the pro­hi­bi­ti­on of explo­ita­ti­on under data pro­tec­tion law even in the event that its report is for­ward­ed to the NCSC. The new para­graph 5bis in Artic­le 24 nDSG does not allow the FDPIC to syste­ma­ti­cal­ly for­ward reports to the NCSC. Rather, the FDPIC may only make use of this pos­si­bi­li­ty in indi­vi­du­al cases whe­re the tech­ni­cal exper­ti­se of the NCSC is neces­sa­ry for the cla­ri­fi­ca­ti­on of an incident.

This right to for­ward infor­ma­ti­on from the FDPIC to the NCSC is limi­t­ed to a one-way exch­an­ge of infor­ma­ti­on. For its part, the NCSC does not pro­vi­de the FDPIC with infor­ma­ti­on from noti­fi­ca­ti­ons, even if they invol­ve data brea­ches. Howe­ver, the NCSC pro­vi­des an elec­tro­nic system that allo­ws repor­ters to for­ward the report or parts of it. The report­ing per­son is thus given the oppor­tu­ni­ty to use the cyber­at­tack noti­fi­ca­ti­on form also to report a data breach to the FDPIC.

The revi­sed Data Pro­tec­tion Act is expec­ted to enter into force in Sep­tem­ber 2023, i.e. short­ly after the ISG enters into force (wit­hout this bill). From that date until the ent­ry into force of the revi­sed Chap­ter 5 ISG (this bill) at the end of 2023 at the ear­liest, the rule pro­vi­ded for in Artic­le 24(5bis) will alre­a­dy app­ly at the ordi­nan­ce level (cf. Art. 41 para. 1 of the Data Pro­tec­tion Ordi­nan­ce of 31 August 2022). Upon ent­ry into force of this bill, the Fede­ral Coun­cil will repeal that pro­vi­si­on of the ordinance.




Rela­ted articles