
Cloud computing is now regarded as the backbone of the digital economy. However, as soon as critical infrastructure is involved, a key question arises: how can the benefits of the cloud be reconciled with the high standards required for security and business continuity?

In April 2025, the Federal Office of Transport (FOT) issued an industry circular on the use of cloud computing in railway applications, setting out specific expectations regarding risk analysis, governance and operational safety for the first time. One year after its publication, it is clear that the principles outlined therein do not apply solely to railway undertakings. Rather, they reflect a regulatory trend that is increasingly affecting all operators of critical infrastructure – from the energy sector and healthcare to financial institutions. This article analyses the legal background to the FOT circular, takes stock after one year and highlights the lessons that companies in other sectors can draw for their cloud strategy.

In recent years, cloud technologies have evolved from an experimental IT solution into a central infrastructure for modern businesses. Scalability, high computing power and flexible resource allocation enable organisations to implement digital business models more quickly and utilise IT resources more efficiently.

This development is increasingly affecting sectors that are particularly important for the functioning of the economy and society. Transport systems, energy supply, healthcare and telecommunications are now highly dependent on digital infrastructure. Failures of central IT systems can therefore have far-reaching consequences in these areas – not only economic damage, but also disruptions to public safety or essential services.

Such systems are referred to as critical infrastructures. This term covers facilities and organisations whose failure or disruption could have significant repercussions for public safety, economic stability or the provision of essential services to the population. As these sectors become increasingly digitalised, the question of how digital technologies – particularly cloud infrastructures – can be operated securely, in a controlled manner and with resilience is also gaining in importance.

The railway sector is a particularly clear example of this development. Modern railway systems are highly digitalised. Operations control systems, passenger information, ticketing, maintenance planning and vehicle diagnostics are increasingly based on complex IT systems. With this digitalisation, the need for high-performance IT infrastructure is also growing. Cloud technologies offer considerable advantages in this regard – but at the same time present companies with new challenges in the areas of security and governance.

The FOT’s sector letter as a regulatory impetus

Against this backdrop, the Federal Office of Transport (FOT) published a sector letter in April 2025 on the topic of ‘Cloud Computing for Railway Applications’. The letter takes a pragmatic approach: cloud technologies are not fundamentally restricted or prohibited. Instead, the FOT requires a systematic assessment of risks as well as clear organisational responsibilities. The regulatory focus is particularly on three key elements:

  • structured risk analysis
  • clear governance and decision-making processes
  • ensuring business continuity

It is worth noting that the letter does not constitute new regulation in the formal sense. Rather, it represents a regulatory clarification of existing safety requirements under railway law. Such documents are typical of modern infrastructure regulation. They serve to integrate technological developments into existing regulatory frameworks.

Legal basis: Safety requirements under railway law

The fundamental requirements for railway undertakings arise in particular from the Railway Ordinance (EBV) and the implementing provisions for the EBV (AB-EBV). These regulations oblige railway infrastructure operators to ensure safe and reliable operations at all times. Systems that influence railway operations must therefore meet particularly high standards of availability, integrity and operational safety.

However, cloud technologies are not explicitly mentioned in these regulations. This is precisely why the FOT’s industry guidance takes on particular significance. It applies existing safety requirements to modern cloud architectures.

Regulatory significance of ‘soft law’

The regulatory form of the industry guidance is also of legal interest. The document does not constitute a binding decree. Rather, it is a regulatory guidance document. Such instruments are often referred to as “soft law”. Although they are not formally binding, they have considerable practical significance for regulated companies. They highlight the expectations a supervisory authority has within the scope of its control and authorisation activities. Companies that ignore such guidelines therefore risk regulatory conflicts in practice.

Case study: SBB – the hybrid cloud as a strategic approach

Swiss Federal Railways (SBB) is one of the most technologically advanced railway companies in Europe. In recent years, the company has comprehensively modernised its IT landscape and is increasingly relying on cloud technologies. Cloud services are used in particular in the following areas:

  • Data analysis and forecasting systems
  • Passenger information and mobile applications
  • Digital platforms for maintenance and operations
  • Development and test environments

SBB is pursuing a hybrid cloud approach. Systems that are particularly critical to safety remain in the company’s own data centres, whilst less critical applications are operated in cloud environments. This approach largely corresponds to the basic principles of the FOT circular.

Case study: BLS – data-driven infrastructure

BLS AG (originally: Bern-Lötschberg-Simplon Railway) is also increasingly relying on data-based applications, particularly in the area of infrastructure monitoring and maintenance. Cloud technologies enable the company to efficiently analyse large volumes of data from vehicles and infrastructure. Such systems are used, for example, for:

  • predictive maintenance
  • analysis of operational disruptions
  • optimisation of timetables
  • improving customer information

The cloud is primarily used for data-intensive applications, whilst safety-critical control systems continue to be operated locally.

One year after the FOT letter: Initial developments

One year after the publication of the industry letter, it is clear that the document has taken on an important guiding role for the sector. The companies concerned have reviewed and formalised their cloud strategies. In particular, processes for cloud risk assessment have been established or expanded. Companies are increasingly maintaining cloud inventories, analysing dependencies on cloud providers and integrating cloud risks more closely into existing information security and business continuity processes.

At the same time, strategic dependencies on individual cloud providers are coming under greater scrutiny. In practice, there is increasing discussion on how to reduce the risks of so-called ‘vendor lock-in’. This includes, for example, multi-cloud strategies, the use of standardised interfaces, or contractual provisions on data portability. Geopolitical developments may also become relevant in this context, for example where cloud infrastructures are operated by providers subject to different legal systems.

Link to the Information Security Act (ISG)

The principles set out in the FOT letter are closely linked to regulatory developments in the field of cybersecurity. With the Information Security Act (Federal Act on Information Security, ISG, SR 128), Switzerland has established a comprehensive framework for the protection of state information infrastructures. The Act obliges affected organisations, in particular, to introduce a systematic information security management system.

The underlying logic of the FOT letter is consistent with this approach. Both sets of regulations emphasise:

  • risk-based security decisions
  • clear responsibilities
  • documentation requirements
  • continuous review of security measures

Lessons for other sectors

However, the significance of the FOT letter is not limited to the railway sector. Many of the principles set out therein can be applied to other sectors, in particular to operators of critical infrastructure such as:

  • Energy companies
  • Transport and logistics service providers
  • Hospitals and healthcare networks
  • Financial institutions
  • Telecommunications providers

Similar challenges arise in all these sectors: cloud technologies enable new digital applications, but at the same time create new dependencies and security risks.

Cloud governance as a strategic management task

The increasing use of cloud technologies is changing not only the technical architecture of organisations, but also their organisational and regulatory control. Decisions regarding the use of cloud services no longer concern solely the IT department. They have a direct impact on corporate strategy, risk management and regulatory compliance.

Whilst traditional IT infrastructures were generally under the complete control of the respective company, cloud computing leads to a new form of shared responsibility between companies and cloud providers. Although companies retain responsibility for their business processes and data, they are simultaneously heavily dependent on external infrastructures. This dependency can involve not only technical risks, but also legal and geopolitical factors – such as regulatory intervention, export restrictions or political tensions.

Against this backdrop, structured cloud governance is becoming increasingly important. This refers to an organisational framework that ensures decisions regarding cloud technologies are made systematically, transparently and with due consideration of the relevant risk perspectives. In practice, this means that cloud projects should not be initiated in isolation within IT departments. Rather, the use of cloud technologies requires close collaboration between various corporate functions, in particular:

  • IT and information security
  • Risk management
  • Compliance and Legal
  • Senior management

Particularly in regulated sectors, companies are therefore increasingly expected to establish clear governance structures for cloud decisions. These include, for example, defined decision-making processes for the introduction of new cloud applications, clear responsibilities for the management of cloud risks, and regular reviews of existing cloud architectures.

The topic is also gaining importance from a corporate management perspective. Cloud technologies can create significant strategic dependencies on individual technology providers. Issues such as provider diversification, exit strategies and data portability are thus becoming central elements of responsible corporate governance.

Against this backdrop, cloud governance is increasingly to be understood as an integral part of enterprise-wide risk management. Organisations should systematically identify and assess cloud risks and integrate them into their existing governance and control systems. This applies in particular to issues of business continuity, information security and regulatory compliance.

For CISOs, legal counsel and risk managers in particular, this creates a new interface between technology, regulation and corporate strategy. Cloud projects must be integrated into governance processes at an early stage to ensure that technical innovation and regulatory requirements are aligned. In larger organisations, the topic is increasingly being discussed at executive management or board level. Cloud strategies do not merely concern operational IT issues, but can have long-term implications for business models, regulatory risks and technological dependencies. Accordingly, many regulators now expect issues of digital resilience and the use of external IT infrastructures to be adequately addressed at the highest levels of management.

Recommendations for action for companies

Companies using cloud technologies should, in particular, consider the following measures:

  • a comprehensive cloud inventory
  • structured cloud risk assessments
  • integration into business continuity management
  • clear governance structures for cloud decisions
  • careful drafting of contracts with cloud providers

Conclusion

The sector-specific guidance from the Federal Office of Transport on cloud usage in the railway sector serves as a prime example of how regulation is responding to the increasing digitalisation of critical infrastructure. The principles set out therein – systematic risk analysis, clear governance structures and robust business continuity concepts – are not only relevant to railway companies. Rather, they outline a model of modern cloud governance that is also significant for numerous other sectors. Companies using cloud technologies should therefore closely monitor these developments and further develop their security and governance structures accordingly.

It is also foreseeable that issues of cloud governance will come under greater regulatory scrutiny in other regulated sectors in the future. Developments at European level – for example in the areas of cyber resilience and the regulation of digital infrastructure – suggest that the use of external cloud services is increasingly being assessed from the perspective of operational resilience. The FOT’s sector letter could therefore well be understood as an early indication of a broader regulatory trend.