SR 120_73 · Ordinance<br/>on Protection against Cyber Risks <br/>in the Federal Administration<br/>(Cyber Risks Ordinance, CyRV) · CyRV · April 1, 2021

Gesetze Suche

einloggen

Angemeldet bleiben

Passwort vergessen?

Mit Facebook anmelden
Mit Google anmelden
Mit LinkedIn anmelden
Mit Twitter anmelden

Sind Sie ein neuer Benutzer? Registrieren Sie sich hier

Bei grossen Gesetzen wie OR und ZGB kann dies bis zu 30 Sekunden dauern

The Swiss Federal Council,

on the basis of Article 30 of the Federal Act of 21 March 1997¹ on Measures to Safeguard Internal Security
and on Articles 43 paragraphs 2 and 3, 47 paragraph 2 and 55 of the Government and Administration Organisation Act of 21 March 1997²,

ordains:

¹ SR 120

² SR 172.010

Art. 1 Subject matter

This Ordinance regulates the organisation of the Federal Administration for its protection against cyber risks as well as the tasks and responsibilities of the various offices in the cyber security domain.

Art. 2 Scope of application

This Ordinance applies to:

a.: the administrative units of the central Federal Administration in accordance with Article 7 the Government and Administration Ordinance of 25 November 1998³;
b.⁴: the offices that undertake in accordance with Article 2 paragraph 2 of the Ordinance of 25 November 2020⁵ on the Digital Transformation and ICT (DTIO) to comply therewith.

³ SR 172.010.1

⁴ Amended by Annex No 1 of the O of 25 Nov. 2020 on the Digital Transformation and ICT, in force since 1 Jan. 2021 (AS 2020 5871).

⁵ SR 172.010.58

Art. 3 Definitions

In this Ordinance:

a.: cyber security means the desired state in which data processing via information and communication infrastructures, in particular the exchange of data between persons and organisations, works as intended;
b.: cyber incident means an unintended or intended but unauthorised event that leads to the confidentiality, integrity, availability or comprehensibility of data being adversely affected or that may lead to malfunctions;
c.: cyber risk means the risk of a cyber incident, the extent of which is measured by the product of the probability of occurrence and the extent of the damage potentially caused;
d.: resilience means the ability of a system, organisation or society to withstand internal or external disruptions and to maintain proper functionality or restore it as quickly and completely as possible;
e.: information technology security means the aspect of cyber security that relates to technical systems;
f.: IT security directives means the security standards that apply to the organisational measures, processes, services and technology;
g.: critical infrastructures means processes, systems and facilities that are essential for the proper functioning of the economy or the well-being of the population;
h.⁶: protected IT systems is a generic term for applications, services, systems, networks, data collections, infrastructures and information technology products; protected IT systems can include a combination of several identical or related systems;

⁶ Inserted by No I of the O of 24 Feb. 2021, in force since 1 April 2021 (AS 2021 132).

Art. 4 Goals

¹ The Federal Administration shall ensure that its organs and systems are suitably resilient to cyber risks.

² It shall work with the cantons, the communes, the private sector, society, academia and international partners provided this serves to protect its own security interests, and shall encourage the exchange of information.

Art. 5 National strategy for the protection of Switzerland against cyber risks

The Federal Council shall set out in a national strategy for the protection of Switzerland against cyber risks (NCS) the strategic framework for improving the prevention and early detection of and the reaction and resilience to cyber risks.

Art. 6 Domains

The measures to protect against cyber risks are divided into the following three domains:

a.: cyber security domain: all measures that serve to prevent and manage incidents and to improve resilience against cyber risks and that strengthen international cooperation for this purpose;
b.: cyber defence domain: all intelligence and military measures designed to protect critical systems, defend against attacks in cyberspace, ensure the operational readiness of the Armed Forces in all situations, and build capacities and capabilities to provide subsidiary support to civilian authorities; they include active measures to recognise threats, to identify aggressors and to disrupt and stop attacks;
c.: cyber prosecution domain: all measures taken by the police and federal and cantonal prosecutors to combat cyber crime.

Art. 7 Federal Council

The Federal Council shall carry out the following tasks:

a.: It monitors the implementation of the NCS on the basis of the strategic controlling and decides on measures as required.
b.: It shall within the scope of its responsibilities specify the areas in which directives on protection against cyber risks are required or must be revised.
c.: It shall issue directives on protecting the Federal Administration against cyber risks.
d.: It shall authorise derogations from its directives.

Art. 8 Cyber Core Group

¹ The Cyber Core Group (CyCG) shall comprise:

a.: the Federal Cyber Security Delegate (Art. 6a of the Federal Department of Finance Organisation Ordinance of 17 Feb. 2010⁷) as the representative of the Federal Department of Finance (FDF);
b.: a representative of the Federal Department of Defence, Civil Protection and Sport (DDPS);
c.: a representative of the Federal Department of Justice and Police (FDJP);
d.: a representative of the cantons appointed by the Conference of Cantonal Governments.

² The Federal Cyber Security Delegate chairs the Group.

³ The CyCG shall inform representatives of other federal administrative units that are active in connection with cyber risks about its agenda and may invite them to attend individual meetings. Where matters have a foreign policy dimension, it may involve the Federal Department of Foreign Affairs (FDFA). In addition it may involve experts from the private sector and the universities.

⁴ The CyCG has the following tasks in particular:

a.: It assesses current cyber risks and their potential development on the basis of information from the domains of cyber security, cyber defence and cyber prosecution.
b.: It continuously evaluates the existing systems in the domains of cyber security, cyber defence and cyber prosecution and checks whether these are adapted to the threat situation.
c.: It provides support, if necessary with other offices, for interdepartmental incident management.
d.: It informs the Federal Security Core Group (SCG) about cyber incidents and developments that are relevant to foreign and security-policy.

⁵ The three departments represented in the CyCG shall make information available for the joint assessment of a situation.

⁶ The Federal Intelligence Service is responsible for presenting the overall cyber threat situation to the CyCG.

⁷ SR 172.215.1

Art. 9 Steering Committee for the National Strategy for the Protection of Switzerland against Cyber Risks

¹ The Federal Council shall appoint a Steering Committee for the National Strategy for the Protection of Switzerland against Cyber Risks (NCS StC).

² The NCS StC shall comprise the Federal Cyber Security Delegate, representatives from the cantons appointed by the Conference of Cantonal Governments, representatives of business and the universities and representatives of the administrative units that are responsible for implementing any NCS measures in accordance with the NCS implementation plan. Each department and the Federal Chancellery shall appoint at least one representative to the NCS StC.

³ The Federal Cyber Security Delegate chairs the Steering Committee.

⁴ The NCS StC has the following tasks:

a.: It ensures the strategic coherence of the implementation of NCS measures and checks their progress continuously by a process of strategic controlling.
b.: It draws up proposals for special measures in the event of the delayed or incomplete implementation of NCS measures.
c.: It ensures the ongoing further development of the NCS; to do so it monitors the development of the threat situation in consultation with the CyCG and devises proposals for the adjustment of the NCS as required.
d.: It prepares a report each year on the implementation of the NCS for the Federal Council and the public.
e.: It ensures all the offices concerned from the Confederation, cantons, business and universities take a coordinated approach to implementing the NCS measures.
f.: It ensures that in implementing the NCS measures account is taken of the risk policy of the Confederation, the national strategy to protect critical infrastructures and the Federal Council strategies in relation to information technology.

Art. 10 IT Security Committee

¹ The IT Security Committee (ITSC) comprises a representative of the National Cyber Security Centre (NCSC⁸), the departmental and the Federal Chancellery IT security officers and the IT security officers for standard information and communication technology services (ICT).

² Additional persons may be included in an advisory capacity on a case-by-case basis.

³ The NCSC representative chairs the committee.

⁴ The ITSC acts as a consultative body for the NCSC on IT security issues in the Federal Administration.

⁸ Footnote not relevant to English text

Art. 11 The Cyber Security Delegate

¹ The Federal Cyber Security Delegate has the following tasks:


a.: He or she chairs the NCSC.
b.: He or she ensures the best possible coordination of cross-departmental work in the domains of cyber security, cyber defence and cyber prosecution.
c.: He or she ensures the visibility of the activities of the Confederation related to cyber risks, contributes to achieving the best possible conditions for an innovative cyber security economy, is the relevant federal contact person for cyber risks and represents the Confederation in the relevant committees and working groups; he or she ensures the best possible coordination of the work of the cantons and of the Confederation to protect Switzerland against cyber risks.
d.: He or she represents the NCSC in the federal crisis units.
e.: He or she shall issue IT security directives.
f.⁹: He or she decides on derogations from the directives that he or she issues; if the derogations also affect directives issued by the Federal Chancellery on the digital transformation und ICT steering, he or she shall consult the Federal Chancellery beforehand.

² He or she shall regularly inform the FDF on behalf of the Federal Council about the status of information technology security in the departments and the Federal Chancellery.

³ He or she may participate in the preparation of Federal Administration IT directives that relate to cyber security and in security-relevant IT projects. In particular he or she may request information, comment thereon and request changes.

⁴ He or she may, after consulting the Swiss Federal Audit Office, request audits of information technology security.

⁹ Amended by Annex No 1 of the O of 25 Nov. 2020 on the Digital Transformation and ICT, in force since 1 Jan. 2021 (AS 2020 5871).

Art. 12 National Cyber Security Centre

¹ The NCSC is the centre of excellence of the Confederation for cyber risks and coordinates the work of the Confederation in the cyber security domain. It has the following tasks:

a.: It runs the National Contact Point for Cyber Risks; this receives reports from the Federal Administration, the private sector, the cantons and the public, analyses them and may issue recommendations thereon.
b.: It ensures with its cooperation partners in the Federal Administration that subsidiary support is given to operators of critical infrastructures and encourages these operators to exchange information on cyber risks.
c.: It runs the Computer Emergency Response Team (GovCERT); this is the national specialist service responsible for technical aspects of incident management, analysing technical questions, assessing the threat situation from a technical viewpoint and providing technical support to the National Contact Point.
d.: It runs a specialist service for the federal information technology security; this shall draw up IT security directives, advise the administrative units on their implementation and monitor the status of information technology security in the departments and the Federal Chancellery.
e.: It provides the federal IT security officers (FITSOs).
f.: It coordinates the implementation of the NCS, conducts strategic controls and prepares the meetings of the CyCG and of the NCS StC.
g.: It has a pool of experts from which experts are provided to support the individual offices in implementing NCS measures and in developing, implementing and checking standards and regulations in relation to cyber security.
h.: It contributes with specific information to raising awareness of cyber risks in the Federal Administration and among the general public, provides information on the current situation and gives instructions on preventive and reactive measures.
i.: It runs a resilient analysis and communications infrastructure that must function independently of the other federal IT systems.
j.: It informs the CyCG and, on matters of importance to foreign and security policy, the SCG about relevant cyber incidents.

² It may, provided this directly or indirectly serves to protect the Federal Administration against cyber risks, process data on cyber incidents and associated communication flows. It may disclose such data to government and private security teams, provided:

a.: the data provider agrees; and
b.: no statutory duties of confidentiality are infringed.

³ A disclosure of personal data abroad is only permitted if the related requirements of the federal legislation on data protection are complied with.

⁴ Sensitive personal data may only be processed if there is a statutory basis for processing such data with the means available within the federal IT systems.

⁵ After consulting with the offices concerned, the NCSC shall assume overall responsibility within the Federal Administration for managing a cyber incident if the incident poses a risk to the proper functioning of the Federal Administration. In doing so, it has the following tasks and powers:

a.: It may require the service providers and recipients concerned to provide it with all necessary information.
b.: It may order immediate measures.
c.: It shall update the management of the administrative units concerned on the current situation.

⁶ If, following a cyber incident, the risk to the confidentiality or the efficiency of the Federal Administration is sufficiently reduced by the measures taken and if the required follow-up work and its funding have been defined, the NCSC shall reassign responsibility for the further processing to the offices concerned.

Art. 13 Departments and Federal Chancellery

¹ The departments and the Federal Chancellery shall report to the NCSC at the end of the year on the status of information technology security.

² The internal service providers in accordance with Article 9 DTIO¹⁰ shall submit regular reports to the NCSC on weaknesses and cyber incidents that have been detected and on measures planned and taken for their rectification.¹¹

³ The departments and the Federal Chancellery shall each appoint a departmental IT security officer (ITSOD), who shall act on the direct instructions of the head of department.¹²

⁴ The ITSODs are in particular responsible for:

a.: coordinating IT security aspects within the department or the Federal Chancellery and with the offices responsible for cross-departmental coordination and cooperation.
b.: drawing up the required principles for implementing the IT security directives and for organisation at the level of the department or the Federal Chancellery.¹³

⁵ The departments and the Federal Chancellery shall regulate the relationship between the ITSODs and the IT security officers for the administrative units (ITSOOs), in particular technical leadership on security issues.¹⁴

¹⁰ SR 172.010.58

¹¹ Amended by Annex No 1 of the O of 25 Nov. 2020 on the Digital Transformation and ICT, in force since 1 Jan. 2021 (AS 2020 5871).

¹² Amended by No I of the O of 24 Feb. 2021, in force since 1 April 2021 (AS 2021 132).

¹³ Inserted by No I of the O of 24 Feb. 2021, in force since 1 April 2021 (AS 2021 132).

¹⁴ Inserted by No I of the O of 24 Feb. 2021, in force since 1 April 2021 (AS 2021 132).

Art. 14 Administrative units and their service providers ¹⁵

¹ The administrative units shall each appoint an IT security officer (ITSOO) who shall act on the direct instructions of the head of the administrative unit. The Digital Transformation and ICT Steering Sector at the Federal Chancellery (DTI Sector of the FCh) shall also appoint an IT security officer for standard services.

² The ITSOOs and the IT security officer for standard services shall carry out the following tasks:

a.: They shall ensure the rapid implementation of the IT security directives andthe use of the security procedures in the administrative units (Chapter 3a).
b.: They shall ensure that employees are made aware of and receive training on IT security issues on taking up employment and periodically thereafter and are familiar with the responsibilities and procedures for information technology security in their working environment relevant to their level and function.
c.: They shall report to the head of their administrative unit at least every six months on the current status of information technology security in their administrative unit.

³ The administrative units are responsible for the security of their protected IT systems. They shall carry out the following tasks:

a.: They shall conduct an inventory of their protected IT systems and take the required security measures; they shall in particular ensure that these measures are documented for the individual protected systems in the current manner.
b.: They are responsible for compliance with and the implementation of the IT security directives and the decisions of the Federal Council, the NCSC and the departments or the Federal Chancellery within the scope of their responsibilities.
c.: They are responsible, subject to Article 12 paragraph 5, for managing cyber incidents that affect their protected IT systems.
d.: When obtaining services from an external service provider, they shall ensure that the IT security directives form part of the contractual relationship with that provider.
e.: They shall verify in an appropriate manner whether external service providers are complying with the IT directives.
f.: They shall ensure that the responsibilities for information technology security at an operational level are set out in the project and performance agreements between service providers and service procurers.
g.: They shall ensure that persons to whom this Ordinance does not apply are only allowed access to federal IT infrastructure if they undertake to comply with the IT security directives.

⁴ The service providers shall perform the following functions:

a.: They shall provide their service procurers on request with all the information required to protect their protected IT systems in an appropriate form.
b.: They shall ensure that they have the capacities required to conduct a technical analysis and manage cyber incidents that affect them directly or affect their service procurers.
c.: They shall report to their service procurers without delay any weaknesses and security incidents that they detect that relate to their protected IT systems.
d.: They shall work with the service providers to define a process for managing cyber incidents. The process shall in particular regulate decision-making powers in relation to immediate measures.

⁵ If it is not possible to manage a cyber incident in accordance with the defined process, the parties concerned shall inform the NCSC so that it can decide on what further action to take.

⁶ The administrative units shall consult the NCSC in connection with security-relevant IT directives as well as projects.

⁷ They are responsible for developing, implementing and checking standards and regulations in relation to cyber security in their sectors. The NCSC shall wherever possible provide them with experts from the pool mentioned in Article 12 paragraph 1 letter g.

¹⁵ Amended by No I of the O of 24 Feb. 2021, in force since 1 April 2021 (AS 2021 132).

Art. 14a Employees ¹⁶

Employees of the Federal Administration who use IT Resources are responsible for using them in accordance with the regulations.

¹⁶ Inserted by No I of the O of 24 Feb. 2021, in force since 1 April 2021 (AS 2021 132).

Art. 14b Protection needs analysis

¹ The administrative units shall ensure that an up-to-date protection needs analysis is available for all protected IT systems. In the case of IT projects, they must conduct the protection needs analysis before the project release.

² In the protection needs analysis, they shall assess the aspects of confidentiality, availability, integrity, comprehensibility and vulnerability to espionage.

Art. 14c Basic protection

The administrative units shall implement the directives on basic protection for all protected IT systems and document the implementation.

Art. 14d Increased protection

¹ If the protection needs analysis discloses an increased need for protection, the administrative units, in addition to implementing the security directives on basic protection and based on a risk analysis, shall devise further security measures and document and implement the same.

² The administrative units shall identify risks that cannot be reduced or can only be insufficiently reduced (residual risks), and document the same. The project client or the business process owner and the head of the administrative unit shall take note of the residual risks and confirm the same in writing.

³ The head of the administrative unit concerned shall decide whether known residual risks are accepted.

Art. 14e Periodicity

¹ The security procedures must be carried out at least every five years.

² In the event of security-relevant modifications being made to the protected IT system or to the threat situation, the procedures must be carried out immediately.

Art. 14f

¹ The costs of information technology security incurred decentrally are part of the project and the operating costs.

² Sufficient account must be taken of such costs in the planning.

Art. 15 Amendment of other legislation

The amendment of other legislation is regulated in the Annex.

Art. 16 Transitional provision to Article 2 letter b

¹ Authorities and offices that have undertaken by agreement with the Federal IT Steering Unit (FITSU) to comply with the provisions of the Federal Administration Information Technology Ordinance of 9 December 2011¹⁹ (FAITO) before this Ordinance comes into force shall be subject until 31 December 2021 to the obligations in accordance with this Ordinance to the extent under the current law.²⁰

² They shall be subject to this Ordinance from 1 January 2022, unless the agreement is terminated on or before 31 December 2021.

¹⁹,, 2016 17833445,,

²⁰ Amended by Annex No 1 of the O of 25 Nov. 2020 on the Digital Transformation and ICT, in force since 1 Jan. 2021 (AS 2020 5871).

Art. 17 Transitional provision to Article 11 paragraph 1 letter e

¹ ICT security directives and permitted exceptions issued by the FITSU before this Ordinance comes into force shall continue to apply.

² The NCSC shall decide on amendments to the directives and authorised exceptions.

Art. 18 Commencement

This Ordinance comes into force on 1 July 2020.

(Art. 15)

The ordinances below are amended as follows:

...²¹

²¹ The amendments may be consulted under AS 2020 2107.

You're using the Lawbrary personal features. Great!

Ordinance
on Protection against Cyber Risks
in the Federal Administration
(Cyber Risks Ordinance, CyRV)

English is not an official language of the Swiss Confederation. This translation is provided for information purposes only, has no legal force and may not be relied on in legal proceedings.
of 27 May 2020 (Status as of 1 April 2021)

Chapter 1 General Provisions

Chapter 2 Principles governing Protection against Cyber Risks

Chapter 3 Organisation and Responsibilities

Section 1 Cross-Departmental Cooperation

Section 2 Units in the Cyber Security Domain

Chapter 3a Security Procedures¹⁷
¹⁷ Inserted by No I of the O of 24 Feb. 2021, in force since 1 April 2021 (AS 2021 132).

Chapter 3b Costs Incurred Decentrally¹⁸
¹⁸ Inserted by No I of the O of 24 Feb. 2021, in force since 1 April 2021 (AS 2021 132).

Chapter 4 Final Provisions

Annex

Amendment of other legislation