Swiss Federal Audit Office: federal cyber-governance split leaves strategic oversight without a complete incident picture

Switzerland's Federal Audit Office (Eidgenössische Finanzkontrolle, EFK) published an audit on 2026-06-19 of the federal cybersecurity structure reorganised two years ago, finding that the strategic-oversight body — FS BIS, within SEPOS — does not have a complete view of security-relevant events in federal systems (SwissCybersecurity.net, 2026-06-19; EFK report 25152, 2026-06-19). The audit names three concrete gaps: the contracted requirements-management ("Vorgabenmanagement") support that BACS owes FS BIS is not being delivered at the agreed scope under the existing service-level agreement; BACS has no legal authority to forward incident reports to SEPOS/FS BIS on its own, so reporting depends on each affected agency opting in to sharing via the Cyber Security Hub platform; and incident-response coordination between the two bodies was inconsistent across cases, with stakeholders sometimes unaware of measures the peer body had already taken (Netzwoche, 2026-06-19). The EFK explicitly rejected a further reorganisation (folding the function into BACS) and instead recommends that BACS and FS BIS leadership resolve their differences and clarify roles at management level.