Federal Council Clarifies Information Security Act: Revision for Practical Implementation and Federal Coordination

Summary

On 6 May 2026, the Federal Council tasked the Department of Defence, Civil Protection and Sport (DDPS) with preparing a consultation draft for a revision of the Information Security Act (ISA). The ISA has regulated the protection of federal information and cybersecurity since 1 January 2024. The revision is intended to remedy practical implementation difficulties and take new requirements into account. Planned changes affect classification systems, function lists for personnel security checks, and expansion to municipalities and cantonal organizations. The consultation is scheduled for mid-2027.

Persons

• Federal Council (collegial body; decision-maker)

Topics

• Information security
• Cybersecurity
• Federalism
• Legislation

Clarus Lead

The revision addresses a central governance gap: the ISA, which is only two years old, is already showing considerable implementation hurdles in practice that justify rapid adjustment. Particularly relevant is the planned expansion to municipalities and cantonal authorities – a federal coordination problem that has so far only been explicitly regulated for cantons. Harmonizing the classification system with international partners could also reduce additional costs and facilitate cooperation, but also signals pressure from stricter standards of foreign services.

Detailed Summary

The ISA created in 2024 a uniform set of rules for information protection and cybersecurity for all federal authorities for the first time. In practice, however, gaps emerged: provisions for data processing in personnel security checks proved impractical, and the classification categories (INTERNAL, CONFIDENTIAL, SECRET) no longer conform to international standards. Foreign partners more frequently use the SECRET level, which results in increased security requirements and cost implications for Switzerland.

The revision plans three core measures: First, function lists for security checks should in future be created in a more decentralized manner – at the level of departments or federal offices rather than the entire Federal Council – to enable faster adjustments in the event of organizational changes. Second, the classification system will be reviewed to improve international compatibility and create uniform standards throughout the federal administration. Third, the scope of the regulation should be clarified: the law should explicitly also apply to municipalities and organizations under cantonal law when they access federal data – for example in resident controls or in law enforcement. In parallel, it is being examined whether criminal law provisions for the protection of classified information need to be harmonized with the ISA in order to avoid gaps in criminal liability.

Key Statements

• The Federal Council is initiating a revision of the Information Security Act, which came into force in 2024, to remedy practical implementation difficulties.
• Planned decentralization of function lists is intended to enable faster organizational adjustments.
• Classification system is to be adapted to international standards to reduce costs and facilitate cooperation.
• Expansion to municipalities and cantonal organizations clarifies federal responsibilities in federal data access.

Critical Questions

1. Evidence: What specific cases or statistics document the alleged "implementation difficulties" of the ISA since January 2024? Were these systematically documented?

2. Conflicts of Interest: To what extent do cost savings through alignment with international classification standards influence security requirements – could security standards be lowered to simplify compliance?

3. Causality: Is it proven that decentralized administration of function lists (rather than centrally by the Federal Council) leads to faster and simultaneously more secure adjustments, or is there a risk of fragmented standards?

4. Feasibility: How will municipalities and cantonal organizations be supported in implementing new requirements, and who bears the implementation costs?

5. Causality/Alternatives: Why is a legislative revision necessary instead of making faster adjustments through ordinances or guidelines?

6. Side Effects: Could the expansion to municipalities and cantonal organizations lead to conflicts between federal security requirements and local data protection practices?

Sources

Primary Source: Federal Council Statement – Information Security Act to be Further Developed – https://www.news.admin.ch/de/newnsb/Dbs9cff6yxPdv-8jlLzpz

Verification Status: ✓ 06.05.2026

This text was created with the support of an AI model. Editorial responsibility: clarus.news | Fact-checking: 06.05.2026