Comparing the Swiss ISA (ISG) and EU NIS-2

ISA

• Applies to federal
  authorities andorganizations (Art. 2)
• Critical Infrastructure (KRITIS)
  (Art. 74b

NIS-2 

• Applies to the public admin and Critical Infrastructure (KRITIS)
• Covers operators of essential services in sectors such as energy, transport, health, and finance

ISA

Exceptions may be granted if disruptions caused by cyberattacks have minimal impact on the economy or public well-being (Art. 74c).

NIS-2 

>50 employees or
>Annual revenue over 10 million euros

ISA

• Applicable to KRITIS from January 2025
• Applicable to federal authorities from January 1, 2024

NIS-2 

Must be transposed into national legislation by October 2024

ISA

• Supports operators of critical
  infrastructures (Art. 74)
• Ensures secure information
  exchange between stakeholders
  (Art. 74)
• Issues operational security
  declarations (Art. 61)
• Conducts personnel security
  checks (Chapter 3)
• Performs periodic cantonal
  reviews of the implementation
  and effectiveness of information
  security measures (Art. 86)

NIS-2 

• Defines central authorities and their responsibilities in each member state
• Develops guidelines and
  recommendations for the implementation of the directive
• Monitors the enforcement and compliance of the regulation
• Establishes and operates Mobile Incident Response Teams
• Receives and handles notifications of cyber incidents

ISA

• Leadership responsibility
• Implementation of an ISMS (Information Security Management System)
• Risk management
  • Security policies and practices
  • Information classification
  • Collaboration with third parties
  • Incident management
  • Personnel security
  • Identity management
  • Data protection
  • Data retention, archiving, & destruction
  • Reporting obligations
  • Information exchange on threats
  • Reporting of security incidents

NIS-2 

• Risk management
• Detecting & reporting incidents
• Business continuity and backups
• Supply chain security
• Secure system development and
  acquisition
• Assessing the effectiveness of
  security measures
• Cyber hygiene practices and
  training
• Encryption
• HR security
• Asset management
• Access control & multi-factor
  authentication (MFA)

ISA

• Report to the Federal Cybersecurity
  Authority (BACS)

• Report cyberattacks with potential damage within 24 hours

NIS-2 

• Different authorities are responsible depending on
  the country
• Reporting of “significant
  security incidents”
  <= 24 hours – early warning
  <= 72 hours – incident
  notification
  <= 1 month – final report

ISA

• Personal fines of up to CHF
  100,000 for intentional
  non-compliance
• Fines of up to CHF 20,000
  for businesses
• Administrative penalties
  may also apply (Art. 74h)

NIS-2 

• Fines of up to €10 million or
  2% of global annual turnover
  for critical entities

• Fines of up to €7 million or
  1.4% of global annual
  turnover for important
  entities

• Corporate executives and
  management are personally
  liable with their private
  assets