ISG revision: consequences & obligations for critical infrastructure operators [Part 2]

If you’ve read the first part of this blog article, you probably already know that both information security and cyber security will be strengthened at the legislative level in 2023. The Information Security Act (ISG) and its revision affect a wide range of players – especially operators of critical infrastructures. Are you also affected? We go into more detail in this second blog article in collaboration with MME

--- Update as of April 2024 ---

In the first blog post on the ISG and its revision, we noted that qualifying organisations and government authorities face a whole host of information security requirements. Among other things, these include the ISMS, risk management and also cooperation with third parties. Similarly, the revised ISG provides for example for voluntary reporting of cyber incidents and vulnerabilities and is intended to strengthen trust with the Federal Office for Cyber Security (Bundesamt für Cybersicherheit, BACS) - the former National Cyber Security Centre (NCSC). But what does that mean exactly and what else needs to be considered?

Revision of the ISG as a “safe harbour”?

Cyber incidents and cyber threats, in particular vulnerabilities, can be reported to the BACS not only by those affected, but also by third parties, and also anonymously if desired (Art. 73b revISG).

The above provision does not constitute a permissive rule as is the case for whistleblowing incidents. This means that contractual and statutory confidentiality obligations still have to be observed even when reports are made to the BACS. Also, the discovery of vulnerabilities through unauthorised intrusion into third-party IT resources (“hacking”) is still punishable by law. Hackers should not be able to evade criminal liability for their actions by reporting back to the BACS. 

Comprehensive requirements of the ISG – also for third parties and providers

The requirements resulting from the ISG include compliance with security practices and policies, strict control and monitoring of activities and regular review and updating of security systems. In addition, third parties and providers are usually contractually obliged to implement measures and ensure a secure operating environment if they cooperate with qualifying authorities and organisations. They must implement security measures to ensure the integrity, security and reliability of their services, as well as to protect their customers’ data and information and ensure that only authorised persons can access it.

Additionally, cloud and service providers as well as manufacturers of hardware and software whose products are used by critical infrastructures may be subject to the cyber attack notification requirement provided for in the revision of the ISG.

Cyber security assessment for proactive information security

The ISG requires qualifying authorities and organisations as well as operators of critical infrastructures to provide comprehensive and proactive information security. A summary external cyber security assessment can evaluate the implementation of these requirements and determine whether the company has taken appropriate measures to protect its information and IT assets – including from any cyber incidents. This assessment should also evaluate the company’s ability to respond to incidents and emergencies and to monitor and improve the effectiveness of the implemented protective mechanisms.

It is important that the assessment also considers compliance with industry and regulatory requirements (such as the ISG). A regular review of the assessment is also central to ensuring that the company remains at the forefront of technology. This is a prerequisite for being able to ensure the best possible protection against threats. Last but not least, employees should be trained in information security, with a particular focus on cyber security (keyword: security awareness). Employees need to understand how they can do their part to protect the company.

Information Security Act (ISG): the next steps

Let’s summarise: The ISG and its revision place high demands on information security, with operators of critical infrastructures in particular being held accountable in the area of cyber security. These requirements must be met to ensure the security of critical information and systems for the public as well as the business community. The ISG and its revision ensure that qualifying authorities and organisations as well as critical infrastructure operators fulfil their responsibilities and thereby minimise both potential risks and threats.

Most of us will appreciate the need for this long-overdue measure, although its implementation can present companies with various, highly individual challenges. We at InfoGuard and MME have many years of experience and expertise in the area of information security and the corresponding legislation. Thus, we are the ideal partners to provide expert support across the different phases – from planning and design to continuous development and optimisation to critical infrastructure protection. For more information on InfoGuard’s security services, click here:

Do you need assistance with legal issues, especially in the event of an incident? MME Legal Tax Compliance provides expert support.


This blog article was created in friendly cooperation with MME. Many thanks to Dr. Martin Eckert (Legal Partner) and Noëlle Glaus (Legal Associate) for their professional contribution. On MME’s blog you can also find an article on the new Information Security Act. 

<< >>

Data Governance

Markus Limacher
About the author / Markus Limacher

InfoGuard AG - Markus Limacher, Head of Security Consultant, Mitglied des Kaders

More articles from Markus Limacher

Related articles
ISG revision: consequences & obligations for critical infrastructure operators [Part 1]
ISG revision: consequences & obligations for critical infrastructure operators [Part 1]

Both information security and cyber security will be strengthened at the legislative level in 2023. [...]
ISO 27001:2022 – what has changed and what you need to get done
ISO 27001:2022 – what has changed and what you need to get done

In October 2022, the International Accreditation Forum (IAF) published the new ISO/IEC 27001:2022 standard [...]
Focus on data protection: The new Swiss data protection law and its consequences
Focus on data protection: The new Swiss data protection law and its consequences

In recent months, there has been a great deal written about the new Swiss Data Protection Act (DSG) – its [...]

Exciting articles, the latest news and tips & tricks from our experts on all aspects of Cyber Security & Defence.

Blog update subscription
Social Media