ETH's new directive landscape
On 1 January 2025, the new directive landscape for information security came into force at ETH Zurich. Why is this set of rules important and how can we all contribute to the implementation of the various directives?
We all live in a digital age in which information is one of the most valuable commodities. Research results, personal data and internal organisational information form the basis for innovation and success. This high value makes data and information a preferred target for attacks and misuse.
Why is information security so important?
1. Increase in cyber threats
Cyber attacks are becoming more frequent and more sophisticated. Attackers use security vulnerabilities to steal or manipulate data or to paralyse organisations. Research institutions such as ETH Zurich can also be the target of such attacks, as our work is innovative and very often of global relevance.
2. Confidentiality and protection of personal data
The protection of personal data is of central importance – not only because of legal requirements, but also for ethical reasons. Everyone has the right to have their personal information treated securely and respectfully.
3. Integrity of research and learning outcomes
The credibility and integrity of scientific work are irreplaceable. Loss or manipulation of research data can cause immense damage not only to researchers, but also to society, which relies on these results.
4. Resilience and continuous operation
Without appropriate information security measures, attacks could severely disrupt operations. Strong information security ensures that education, research and administration at ETH can function smoothly.
Why does it affect us all?
Information security is not just a technical matter. It requires the participation of everyone – from the Executive Board to the users. With the new directives, we have laid a solid foundation that can only be effective through cooperation and a sense of responsibility.
Why was a revision necessary?
Complexity due to historically grown structures
The previous directives – including the terms of use for information and communication technology (BOT), the IT guidelines and basic protection requirements, as well as the information security directive – had grown over the years and become intertwined. This made it difficult to access the relevant information and reduced its practical applicability.
New legal and technological framework conditions
With the new Swiss Data Protection Act and increasing digitalisation, the requirements for data protection and IT security have increased. Topics such as cloud technologies, the use of private devices (Bring your own device – BYOD) or the protection of sensitive research data required an up-to-date adaptation of the regulations.
The new directive landscape
The revision of the directives was carried out in a broad-based and participatory process. The project team, consisting of the General Secretariat, the IT Services and experts from the departments, ensured that legal, technical and practical aspects were given equal consideration. A sounding board with over twenty representatives from the departments and central administrative units ensured that the perspectives of all relevant groups were incorporated. In this way, the new directives were checked for readability and feasibility to make them as user-friendly as possible.
The revised regulations are clearly oriented towards user groups and subject areas:
Directive on Information Security, RSETHZ 203.25
- This directive defines the governance of information security at ETH and is primarily aimed at managers. (Link to directive, only available in German.)
Acceptable Use Policy for Information Technology (BOT), RSETHZ 203.21
- This directive is aimed at all users (ETH members including guests) and describes how to use IT resources securely, adapted to today's challenges. (Link to directive, only available in German.)
IT Guidelines and IT Baseline Protection Rules, RSETHZ 203.23
- This directive regulates the baseline security for handling IT resources and the tasks, competencies and responsibilities of central roles in IT operations. (Link to directive, only available in German.)
Directive on Inventory and Classification of information, RSETHZ 203.28
- The directive summarises the contents of various existing directives and regulates the inventory and classification of information into classes according to confidentiality, integrity and availability. (Link to directive, only available in German.)
Directive on Logging, Evaluation and Monitoring, RSETHZ 203.29
- The directive regulates the logging, evaluation and monitoring of system activities of IT resources at ETH. (Link to directive, only available in German.)
With the revised directives, we are creating a clear and flexible basis for sustainably strengthening information security at ETH. We invite you to familiarise yourself with the new regulations and actively integrate them into your daily work. Together we can position ETH as a role model for information security.
All relevant documents and further information can be found in the Legal Collection (in German) and on the Information Security website (in German). If you have any questions or require any support, please do not hesitate to contact Johannes Hadodo (CISO and Head Cyber and Information Security) and Domenico Salvati (Head Information Security Governance).
Note on the translation
This text has been translated for your convenience using a machine translation tool. Although reasonable efforts have been made to provide an accurate translation, it may not be perfect. If in doubt, please refer to the German version.
Should you come upon significant translation mistakes, please send a short message to so that we can correct them. Thank you very much.