The Federal Council directives on ICT security are now integrated into the Cyber-Risks Ordinance

01.04.2021 - In order to simplify the structure and the content of the specifications regarding IT security and cyber-risks in the Federal Administration, the existing Federal Council directives on ICT security in the Federal Administration are being transferred to the Cyber-Risks Ordinance (CyRO). Due to this revision, the directives on ICT security issued by the Federal Cybersecurity Delegate have had to be adjusted accordingly. The revised CyRO and the directives will enter into force on 1 April 2021.

With the Ordinance on Protection against Cyber-Risks in the Federal Administration (Cyber-Risks Ordinance, CyRO), the Federal Council issued an ordinance specifically geared towards cyber-risks and IT security in the Federal Administration on 27 May 2020.

However, the security procedure specifications were still issued in a separate Federal Council directive. This is neither practical nor expedient. For this reason, the contents of the Federal Council directives on ICT security in the Federal Administration have now been integrated into the CyRO and the directives will be abolished.

The transfer of the directives to the CyRO serves to simplify not only the structure, but also the content. In the future, the Federal Cybersecurity Delegate will issue specifications on the process and the corresponding documentation within the framework of the IT security requirements. This will allow for a more flexible adjustment of the requirements and strengthen the Cybersecurity Delegate's role.

The most important topics that have been transferred from the directives to the CyRO are as follows:

  • The tasks of the IT security officers of the departments (ITSODs).

  • The designation of the IT security officers of the organisational unit (ITSOOs) in the administrative units, as well as their tasks.

  • Federal Administration employees' responsibilities when using IT resources.

  • The security procedure specifications at federal level, which form the basis for the secure handling of all business processes that are supported by IT. These include, for example, the performance of protection needs analyses, the implementation of basic protection requirements, and the procedure in the case of an increased need for protection.

The revised CyRO will enter into force on 1 April 2021 and the directives will be abolished on the same date.

Directives on ICT security 

Due to this revision of the CyRO, the directives on ICT security issued by the Federal Cybersecurity Delegate have had to be adjusted accordingly. These will likewise enter into force on 1 April 2021.

Last modification 01.04.2021


https://www.ncsc.admin.ch/content/ncsc/en/home/aktuell/im-fokus/cyrv-vorgaben.html