(a) Certain sectors, businesses or industries (eg, critical infrastructure, national security, financial services, healthcare)?
There are certain sector and industry-specific security requirements, as follows:
- Swiss Financial Market Supervisory Authority (FINMA) Directive 2008/21 on Operational Risks explicitly mentions in “Principle 4: Technology Infrastructure” the implementation of appropriate IT security measures.
- Article 96, paragraph 2 of the Ordinance to the Federal Act on Telecommunications grants the regulator the right to issue technical and administrative regulations concerning the handling of the security of information and so on.
- Critical infrastructure and national security are subject to the Ordinance on the Protection of Federal Information, Ordinance on IT and Telecommunications in the Federal Administration, and the National Strategy on Critical Infrastructure Protection 2018-2022 (see question 4.1).
In its National Strategy for the Protection of Switzerland against Cyber Risks 2018–2022, issued in April 2018, the Federal Council mentioned “standardisation and regulation” as one of the measures to be taken. Based on its assessments, the Federal Council has identified the following objectives and needs for action:
The growing importance of ICT standardisation and regulation must be taken into account. Binding and verifiable minimum ICT standards are relevant for security and confidence in the digital economy and society, and they must be evaluated in cooperation with the private sector and introduced where appropriate. It should also be examined whether and how an obligation to report cyber incidents should be introduced. The measures take account of the international context, which has a significant influence on them, which is why developments must continue to be monitored. Switzerland therefore contributes its interests and values to the most important processes.
(b) Certain types of information (personal data, health information, financial information, classified information)?
The FDPA and the cantonal data protection laws specifically deal with personal data.
These also apply to health information, as such information relates in many cases to identifiable individuals. It is then qualified as sensitive personal data and is thus subject to enhanced security requirements, as well as a stricter data protection regime. Regarding health information, there are also certain specific statutes – such as the Federal Statute on Research with Human Beings and the regulations regarding clinical trials – which contain provisions on the processing and disclosure of health-related data. Finally, the Federal Statute on the Electronic Patient File and the ordinances thereto also set forth data security requirements.
Financial information often qualifies as personal data. However, financial information is not qualified as sensitive personal data and therefore is not subject to enhanced security requirements. An exemption must be made for financial information collected, processed and stored by financial institutions that are subject to the supervision of FINMA. FINMA has issued guidelines containing specific cybersecurity requirements for financial institutions (see question 1.3(a)).
The Ordinance on the Protection of Federal Information deals with classified information collected, processed and stored by federal agencies (see question 1.2). Classified information of cantonal agencies is dealt with in cantonal laws.