Cloud computing is now regarded as the backbone of the digital economy. However, as soon as critical infrastructures are affected, a key question arises: how can the advantages of the cloud be reconciled with the high demands on security and business continuity?
With an industry letter on the use of cloud computing in railway applications, the Federal Office of Transport (FOT) formulated specific expectations for risk analysis, governance and operational safety for the first time in April 2025. One year after publication, it is clear that the principles formulated therein affect more than railway companies. Rather, they reflect a regulatory development that is increasingly affecting all operators of critical infrastructure – from the energy sector to healthcare and financial institutions. This article analyses the legal background to the FOT letter, takes stock after one year and shows what lessons companies in other sectors can learn for their cloud strategy.
In recent years, cloud technologies have developed from an experimental IT solution into a central infrastructure for modern companies. Scalability, high computing power and flexible resource allocation enable organisations to implement digital business models faster and use IT resources more efficiently.
This development is also increasingly affecting sectors that are particularly important for the functioning of the economy and society. Transport systems, energy supply, healthcare and telecommunications are now highly dependent on digital infrastructures. Failures of central IT systems can therefore have far-reaching consequences in these areas – not only economic damage, but also impairments to public safety or basic services.
Such systems are referred to as critical infrastructures. This refers to facilities and organisations whose failure or impairment can have a significant impact on public safety, economic stability or the provision of services to the population. With the increasing digitalisation of these areas, the question of how digital technologies – especially cloud infrastructures – can be operated in a secure, controlled and resilient manner is also becoming increasingly important.
The railway sector is a particularly vivid example of this development. Modern rail systems are highly digitalised. Operations control systems, passenger information, ticketing, maintenance planning and vehicle diagnostics are increasingly based on complex IT systems. This digitalisation is also increasing the need for high-performance IT infrastructure. Cloud technologies offer considerable advantages for this – but at the same time present companies with new challenges in terms of security and governance.
The FOT’s industry letter as regulatory impetus
Against this backdrop, the Federal Office of Transport (FOT) published an industry letter on “Cloud computing for railway applications” in April 2025. The letter takes a pragmatic approach: cloud technologies are not fundamentally restricted or prohibited. Instead, the FOT requires a systematic assessment of the risks and clear organisational responsibilities. The regulatory focus is on three central elements in particular:
- Structured risk analysis
- Clear governance and decision-making processes
- Ensuring operational continuity
It is worth noting that the letter does not represent a new regulation in the formal sense. Rather, it is a regulatory concretisation of existing safety requirements in railway law. Such documents are typical of modern infrastructure regulation. They serve to integrate technological developments into existing regulatory frameworks.
Legal basis: Safety requirements in railway law
The basic requirements for railway companies arise in particular from the Railway Ordinance (EBV) and the Implementing Provisions to the EBV (AB-EBV). These regulations oblige railway infrastructure operators to ensure safe and reliable operation at all times. Systems with an impact on railway operations must therefore fulfil particularly high requirements in terms of availability, integrity and operational safety.
However, cloud technologies are not explicitly mentioned in these regulations. This is precisely why the FOT’s industry letter is of particular importance. It transfers existing security requirements to modern cloud architectures.
Regulatory significance of “soft law”
The regulatory form of the industry letter is also of legal interest. The document is not a binding decree. Rather, it is a regulatory guidance document. Such instruments are often referred to as “soft law”. Although they are not formally binding, they have considerable practical significance for regulated companies. They indicate the expectations of a supervisory authority in the context of its control and authorisation activities. Companies that ignore such requirements therefore risk de facto regulatory conflicts.
Practical example SBB: Hybrid cloud as a strategic approach
Swiss Federal Railways (SBB) is one of the most technologically advanced railway companies in Europe. In recent years, the company has comprehensively modernised its IT landscape and is increasingly relying on cloud technologies. Cloud services are used in the following areas in particular:
- Data analysis and forecasting systems
- Passenger information and mobile applications
- Digital platforms for maintenance and operation
- Development and test environments
SBB is pursuing a hybrid cloud approach. Particularly safety-critical systems remain in the company’s own data centres, while less critical applications are operated in cloud environments. This approach largely corresponds to the basic principles of the FOT letter.
BLS practical example: data-driven infrastructure
BLS AG (originally: Bern-Lötschberg-Simplon Railway) is also increasingly relying on data-based applications, particularly in the area of infrastructure monitoring and maintenance. Cloud technologies enable the company to efficiently analyse large volumes of data from vehicles and infrastructure. Such systems are used, for example, for:
- Predictive maintenance
- Analysis of operational disruptions
- Optimisation of timetables
- Improvement of customer information
The cloud is primarily used for data-intensive applications, while safety-critical control systems continue to be operated locally.
One year after the FOT letter: Initial developments
One year after the publication of the industry letter, it is clear that the document has taken on an important orientation function for the industry. The companies concerned have reviewed their cloud strategies and formalised them more strongly. In particular, processes for cloud risk assessment have been established or expanded. Companies are increasingly keeping cloud inventories, analysing dependencies on cloud providers and integrating cloud risks more closely into existing information security and business continuity processes.
At the same time, strategic dependencies on individual cloud providers are coming more into focus. In practice, there is increasing discussion about how the risks of vendor lock-in can be reduced. Options under discussion include multi-cloud strategies, the use of standardised interfaces and contractual provisions on data portability. Geopolitical developments can also become relevant in this context, for example when cloud infrastructures are operated by providers that are subject to different legal systems.
Link to the Information Security Act (ISG)
The principles formulated in the FOT letter are closely linked to regulatory developments in the area of cyber security. With the Information Security Act (Federal Act on Information Security, ISG, SR 128), Switzerland has created a comprehensive framework for the protection of state information infrastructures. In particular, the Act obliges affected organisations to introduce systematic information security management.
The basic logic of the FOT letter follows the same approach. Both sets of rules emphasise:
- Risk-based security decisions
- Clear responsibilities
- Documentation requirements
- Continuous review of security measures
Lessons for other industries
However, the significance of the FOT letter is not limited to the railway sector. Many of the principles formulated there can be transferred to other sectors, in particular to operators of critical infrastructure such as:
- Energy companies
- Traffic and transport service providers
- Hospitals and healthcare networks
- Financial institutions
- Telecommunications providers
Similar challenges arise in all of these sectors: Cloud technologies enable new digital applications, but at the same time new dependencies and security risks arise.
Cloud governance as a strategic management task
The increasing use of cloud technologies is not only changing the technical architecture of companies, but also their organisational and regulatory governance. Decisions on the use of cloud services no longer exclusively concern the IT department. They have a direct impact on corporate strategy, risk management and regulatory compliance.
While traditional IT infrastructures were usually completely under the control of the respective company, cloud computing is leading to a new form of shared responsibility between companies and cloud providers. Whilst companies retain responsibility for their business processes and data, they are also dependent on external infrastructures to a considerable extent. This dependency may not only relate to technical risks, but also to legal and geopolitical factors – such as regulatory intervention, export restrictions or political tensions.
Against this backdrop, structured cloud governance is becoming increasingly important. This refers to an organisational framework that ensures that decisions about cloud technologies are made systematically, transparently and taking into account the relevant risk perspectives. In practice, this means that cloud projects should not be initiated in isolation within IT departments. Rather, the use of cloud technologies requires close collaboration between various corporate functions, in particular:
- IT and information security
- Risk management
- Compliance and legal
- Corporate management
In regulated industries in particular, companies are therefore increasingly expected to establish clear governance structures for cloud decisions. This includes, for example, defined decision-making processes for the introduction of new cloud applications, clear responsibilities for the management of cloud risks and regular reviews of existing cloud architectures.
The topic is also becoming increasingly important from a corporate management perspective. Cloud technologies can create considerable strategic dependencies on individual technology providers. Questions of provider diversification, exit strategies and data portability are therefore becoming central elements of responsible corporate management.
Against this backdrop, cloud governance should increasingly be seen as a component of company-wide risk management. Companies should systematically identify and assess cloud risks and integrate them into their existing governance and control systems. This relates in particular to issues of business continuity, information security and regulatory compliance.
For CISOs, legal counsel and risk managers in particular, this creates a new interface between technology, regulation and corporate strategy. Cloud projects must be integrated into governance processes at an early stage to ensure that technical innovation and regulatory requirements are harmonised. In larger organisations, the topic is also increasingly being discussed at management or board level. Cloud strategies not only concern operational IT issues, but can also have long-term effects on business models, regulatory risks and technological dependencies. Accordingly, many regulators now expect issues relating to digital resilience and the use of external IT infrastructures to be addressed appropriately at the highest management level.
Recommendations for action for companies
Companies that use cloud technologies should consider the following measures in particular:
- Complete cloud inventory
- Structured cloud risk assessments
- Integration into business continuity management
- Clear governance structures for cloud decisions
- Careful contract design with cloud providers
Conclusion
The Federal Office of Transport’s industry letter on cloud use in the rail sector is an example of how regulation is responding to the increasing digitalisation of critical infrastructures. The principles formulated there – systematic risk analysis, clear governance structures and robust business continuity concepts – are not only relevant for railway companies. Rather, they outline a model of modern cloud governance that is also important for numerous other industries. Companies that use cloud technologies should therefore follow these developments closely and develop their security and governance structures accordingly.
It is also foreseeable that cloud governance issues will become a greater focus of supervision in other regulated industries in the future. Developments at European level – for example in the area of cyber resilience and the regulation of digital infrastructures – indicate that the use of external cloud services will increasingly be assessed in terms of operational resilience. The FOT’s industry letter could therefore also be seen as an early indication of a broader regulatory development.