
Regulatory compliance

Operational resilience has become a critical area of focus for financial institutions, federal authorities and critical infrastructure providers worldwide, especially in the digital space. As organisations grapple with increasing regulatory density and the growing awareness of reputational damage, they recognise the need to enhance their ability to withstand disruptions and adapt swiftly. Digital resilience is not just about compliance; it’s about building robust systems, learning from challenges, and ensuring continuity even in adverse circumstances. 

Federal Act on Information Security in the Confederation 


Swiss Confederation

Federal authorities, offices and organisations in Switzerland must comply with the new Federal Act on Information Security in the Confederation (FAISC) as part of their data processing activities. Beyond these bodies, the FAISC also affects the information security practices of cantonal authorities, operators of critical infrastructure, any third-party contractors, service providers or business partners that process federal data or interact with federal IT resources, and international partners that collaborate with Swiss federal bodies.


The FAISC and its ordinances came into effect on January 1, 2024. The following transition deadlines have been announced for the implementation of its provisions:


  • Classification Catalogue: Entities in scope need to establish a robust information classification in line with the new regulations by December 31, 2024.


  • Risk Analysis and IT Classification: Risk analyses must be conducted, and IT systems classified according to the FAISC and its ordinances by December 31, 2025.


  • Information Security Management Systems (ISMS): Entities in scope will be required to set up an ISMS by December 31, 2026.


  • Technical Security Compliance: All IT resources must comply with the FAISC’s new technical security regulations by December 31, 2029.

Circular Operational risks and resilience - banks


Swiss Financial Market Supervisory Authority FINMA

This revised circular addresses operational risks in the banking sector, taking into account technological advancements and incorporating principles from the Basel Committee on operational resilience.


  • FINMA has made the circular binding as of 1 January 2024.
  • Transitional provisions ensure that operational resilience can be phased in by 1 January 2026.

Digital Operational Resilience Act (DORA)


European Union

The primary goal of DORA is to enhance the IT security of financial entities such as banks, insurance companies, and investment firms. DORA ensures that the European financial sector remains resilient in the face of severe operational disruptions. Key aspects covered by DORA include ICT risk management, third-party risk management, digital operational resilience testing, and reporting of major ICT-related incidents to competent authorities.


Swiss companies operating in the financial sector are indirectly affected by DORA, especially if they have business relationships with EU partners or subsidiaries and group companies in the EU. 


  • This EU regulation, effective January 16, 2023, has been mandatory since January 17, 2025.

Stay Compliant, Stay Ahead.

Osmond offers gap analysis, maturity assessments, pre-audit readiness, policy development, and operational implementation support for new legislation. Our comprehensive approach ensures compliance and enables organisations to effectively manage the risks associated with their digital infrastructure while maintaining robust business continuity.

We’re here to help!
