Oversight activities

Audit plan

The OA-IA performs risk-oriented audits in the following areas:

  • Strategy and planning
  • Organisation and tasking
  • Cooperation
  • Information-gathering
  • Resources
  • Data processing and archiving

The audit plan is designed to ensure that each area is audited at least once a year.

Audits conducted in 2025

The OA-IA’s annual report is continuously evolving and therefore contains some new features this year:

  • The annual report contains a summary of all the audits completed by 31 December 2025. For ongoing audits, it outlines the respective objective.
  • Each audit summary contains a table with three items of time-related information: the date on which the audit began (mandate), the date the draft report was sent to the audited entity for comments (consultation) and the date of the final report. The table also indicates two further items: the number of recommendations made by the OA-IA and the number of interviews (oral or written) conducted up to 31 December 2025.

Strategy and planning

In the area of strategy and planning, the OA-IA examines issues relating to the short, medium or long-term strategic planning of the Swiss intelligence services and their objectives. During the year under review, the OA-IA carried out the following audits.

[24-1] Artificial intelligence (AI) at the FIS
Mandate: 19.09.2025 | Interviews conducted: 5

In this audit, the OA-IA has been examining whether the FIS acquires, uses and controls this technology in accordance with the law and in terms of effectiveness and expediency.

[25-1] Prevention of violent left-wing extremism at the FIS
Mandate: 25.02.2025 | Consultation: 16.07.2025 | Sending the final report: 18.08.2025 | Recommendation(s): 1 | Interviews conducted: 8

The OA-IA reviewed the activities of the FIS in relation to combatting violent left-wing extremism, having previously examined FIS measures to combat violent right-wing extremism in 2021.

It interviewed FIS senior officers and staff working in this field, as well as agents from two cantonal intelligence services and a senior officer from the Federal Office of Police (fedpol). It also carried out a random check of FIS information-gathering assignments issued to its sensors or partners and reviewed one operational clarification to gain an overview of the FIS’s activities in combatting violent left-wing extremism.

Particular attention was paid to the legislation regulating these activities and to ensuring that the fundamental rights of target persons were being respected in accordance with the Federal Act on the Intelligence Service (IntelSA). Gathering intelligence relating to violent extremism is subject to strict rules, which only allow the FIS to process information if there is some link with the use of violence. The aim is to safeguard people’s fundamental rights in Switzerland. This is also why the FIS is not permitted in this context to undertake information-gathering measures requiring authorisation.

The FIS monitors developments in the violent extreme left-wing scene and, provided that certain criteria are met, is authorised under current legislation to investigate groups belonging to this scene as part of its counterterrorism activities. The OA-IA noted that the FIS has developed lawful and appropriate practices in this area, which include the option of requesting authorisation for information-gathering measures from the political and judicial authorities.

« Given the limited resources available to address the current threat from violent left-wing extremism, the FIS is unable to fulfil its mandate to the required extent. »

The OA-IA also examined whether the FIS was fulfilling its mandate to combat violent left-wing extremism. This includes gathering information to prevent violent left-wing extremists from acting on threats, as well as monitoring the situation. The OA-IA also examined the FIS’s role in relation to its national partners and found that cooperation had deteriorated. Although the FIS had recruited additional staff during the audit period, the OA-IA concluded that, given the limited resources available to address the current threat from violent left-wing extremism in Switzerland, the FIS was unable to fulfil its mandate to the required extent. Moreover, the FIS was not making full use of the means and resources available under the Federal Intelligence Act, with the result that it was not fulfilling its mandate adequately or effectively. The OA-IA therefore made a recommendation.

[25-2] IT project portfolio at the FIS
Mandate: 21.07.2025 | Consultation: 14.11.2025 | Sending the final report: 09.12.2025 | Recommendation(s): 0 | Interviews conducted: 11

IT project portfolio management is used by organisations to record information on current or future IT projects in order to facilitate project management.

At the FIS, projects can involve new IT requirements relating to the procurement, processing, analysis or transmission of information derived from intelligence activities. This can entail a number of risks for the FIS, including an incomplete overview, a failure to pass on full information to senior management or a lack of coordination, which can lead to inadequate or inefficient project implementation.

The OA-IA therefore examined whether the FIS is maintaining an IT project portfolio and, if so, how it is managed. The audit looked at whether the FIS has an overview of all its IT projects, how senior decision-makers obtain key information and whether synergies and duplication are effectively identified through project coordination.

The FIS has recently developed an innovative project portfolio management strategy that includes IT projects and other strategically important projects. In addition, a special body has been established to evaluate and prioritise the implementation of the strategic requirements identified. Thanks to the processes that have been put in place, FIS leadership has access to key information from major IT projects and can therefore fulfil its responsibility in relation to projects. However, IT projects that do not have a strategic component are not included in the portfolio and so do not always come to the attention of the FIS management. Consequently, the FIS currently lacks a comprehensive overview of its IT project portfolio, which encompasses not only strategic but also operational IT projects. The OA-IA has therefore identified this as a shortcoming with respect to identifying synergies and duplication. However, the FIS has identified opportunities to improve its IT project portfolio management and is working to implement them. In light of this, the OA-IA did not make any recommendations.

Organisation and tasking

In the area of organisation and tasking, the OA-IA examines the adequacy of the structure and processes of the intelligence services and considers whether they enable the intelligence services to fulfil their mandate in a lawful, expedient and effective manner. In 2025, the OA-IA carried out the following audits in this area:

[24-2] Intelligence activities conducted by the AFPPS
Mandate: 06.08.2025 | Interviews conducted: 1

The aim of this audit is to examine the cooperation interfaces between the FIS and the AFPPS in order to identify intelligence activities. The OA-IA is therefore examining the legality, effectiveness and expediency of the cooperation between these two services.

[24-11] Security aspects under IntelSA
Mandate: 16.10.2024 | Consultation: 27.02.2025 | Sending the final report: 25.03.2025 | Recommendation(s): 0 | Interviews conducted: 2

The FIS has a duty to protect its staff, facilities and data. The OA-IA therefore examined a number of FIS workstations to determine whether it was fulfilling this obligation and whether appropriate security measures were in place. The workstations in question were created as part of a project to demonstrate the need for such workplaces and an analysis of the strengths, weaknesses, opportunities and risks. The project had three objectives: to strengthen collaboration, to improve the agility and attractiveness of the FIS and to ensure business continuity management (BCM). Implementation was carried out in stages and was completed in January 2025.

The OA-IA attended the FIS internal staff training course and inspected the workstations. Based on the interviews conducted and the documentation examined, the OA-IA found that the security of staff and data had been a priority during the implementation phase and that the objectives had been achieved or were achievable. It also found that the resources used were appropriate. The FIS will continue to monitor the use of these workstations and improve security where necessary. It will also evaluate their impact in due course. The OA-IA found no grounds for criticism.

This audit was not included in the OA-IA’s 2024 audit plan. The urgent need to carry out the audit arose as a result of the commissioning of the workstations.

[25-3] Counterintelligence at the FIS
Mandate: 29.04.2025 | Consultation: 03.09.2025 | Sending the final report: 30.09.2025 | Recommendation(s): 3 | Interviews conducted: 8

Given the increasingly tense geopolitical situation, the risk of espionage in Switzerland has increased. At the same time, FIS staff have become increasingly frustrated by the ongoing transformation process. The OA-IA believes that these concurrent factors pose a significant risk to intelligence operations. For example, foreign intelligence services could exploit employee frustration to obtain classified information or influence Switzerland’s security agencies. The OA-IA has issued several recommendations in the past to strengthen FIS security. These recommendations were taken into account in this audit, which focused on clarifying the legal framework for preventing insider espionage and assessing the adequacy of existing guidelines. At the time of the audit, the DDPS was in the process of updating its security regulations, particularly with regard to information security. As a DDPS agency, the FIS will soon have to apply these updated regulations and adapt its own guidelines if necessary. Until then, the OA-IA takes the view that internal FIS guidelines and the measures already implemented are in line with existing legislation. Having identified some gaps, the FIS is waiting for the Intelligence Service Act to be amended before developing certain measures as part of its security strategy. The OA-IA views this approach positively.

Addressing cases involving suspected espionage is often complex, as it involves a combination of individual behavioural aspects and security-related issues. In order to fully understand a case, coordination among different actors is required. The OA-IA found that, while there is now provision for communication between the various FIS services (security personnel, HR staff, direct supervisors, senior management), the FIS could be more vigilant when dealing with specific cases. For example, the FIS finds it difficult to follow a strict line, even when there are warning signs regarding certain employees. The OA-IA therefore made a recommendation in this respect.

During the recruitment process, the FIS and the Personnel Security Screening Division at the State Secretariat for Security Policy (SEPOS) conduct a thorough vetting process. As part of the audit, the OA-IA reviewed the results of the internal DDPS review of personnel screening and concluded that the FIS could further improve its current procedures. The OA-IA therefore made an appropriate recommendation.

During, or on termination of, a person’s employment, only a few specific measures are taken to reduce the risk of espionage. Although significant efforts have already been made regarding security, the OA-IA expects the FIS to continue to identify gaps and strengthen its internal training and awareness programme. The OA-IA issued a recommendation concerning specific security risks.

The OA-IA analysed several security-related incidents at the FIS between 2023 and 2025, as well as the FIS’s handling of a case involving a DDPS employee abroad whose conduct could be construed as espionage. It did not identify any cases of espionage involving FIS employees. As regards the repeated leaking of information to the press before and during the audit, which, given the current geopolitical situation, could be exploited to destabilise the institutions concerned, the OA-IA welcomes the fact that the FIS has referred such cases to the law enforcement authorities.

[25-5] Translation services at the FIS
Mandate: 29.07.2025 | Interviews conducted: 18

The OA-IA is examining whether translation services are being used appropriately and effectively, whether information security is being ensured as part of the process and whether the FIS has implemented effective control and quality assurance measures.

Cooperation

The OA-IA examines cooperation between the intelligence services and national and international authorities. It also examines cooperation between the federal intelligence services and the cantonal intelligence services (CIS).

In 2025, the OA-IA carried out the following audits:

[24-4] Cooperation between the FIS and the State Secretariat for Migration (SEM)
Mandate: 17.05.2024 | Consultation: 18.12.2024 | Sending the final report: 23.01.2025 | Recommendation(s): 1 | Interviews conducted: 15

In this audit, the OA-IA examined the cooperation between the FIS and SEM. Each service has its own tasks and legal powers with regard to Switzerland’s internal and external security. The tasks of the FIS are set out in the Federal Act on the Intelligence Service. The SEM is responsible for a wide range of migration topics, such as foreign nationals’ entry into and residence in Switzerland, asylum, naturalisation and visas. Almost all of these areas are governed by laws and ordinances. The competences of the two federal bodies may overlap, for example, if a person who is subject to immigration law is simultaneously a person of interest to the FIS, or vice versa. This might be the case if a person suspected of espionage (which falls within the remit of the FIS) applies for naturalisation (which falls within the remit of the SEM). As a result, the FIS and SEM cooperate in a number of areas, particularly on immigration and asylum law, as well as on visas and naturalisation.

The OA-IA examined whether the two services were coordinating their tasks sufficiently and whether any diverging or incompatible interests were preventing them from carrying out their respective tasks effectively and in an expedient manner. It also examined the legality, effectiveness and expediency of the cooperation between the two services and the risks involved in sharing data.

The two services do not have a common strategy as such. Their cooperation is mainly based on a confidential list of points laid down by the Federal Council. The list indicates which incidents SEM must report to the FIS and the information it must provide. Both authorities consider this list to be sufficient, a view shared by the OA-IA. The OA-IA made a recommendation on some strategic aspects of cooperation between the FIS and SEM and on the ongoing transformation process at the FIS.

« The OA-IA noted that the FIS knows and uses its margin of appreciation wisely. »

From an operational point of view, the OA-IA found that the two services work together in accordance with the law. In recent years, they have developed a mutual understanding of each other’s capabilities and limitations, in particular those provided for by law, and both services are familiar with the legal framework. The OA-IA noted that the FIS uses its margin of appreciation wisely. Its work involves looking for the proverbial needle in a haystack: fortunately, by its own admission there is more hay than there are needles. The FIS and SEM consider that cooperation works to the full satisfaction of both parties and that there is no divergence of interests. In their view, the information they exchange is useful and helps them to fulfil their mandate. Moreover, cooperation between them is adequate and efficient. The services share information for the purpose of improving technical aspects. The OA-IA noted that the relevant FIS unit had managed to stay on course despite the ongoing transformation process.

The OA-IA carried out three random data checks. The first focused on 40 cases registered in the FIS GEVER system in 2024. The OA-IA found that although there were some minor shortcomings in the documentation, which were corrected during the audit, the files had been processed in accordance with the law. The second check involved examining 133 FIS data consultation logs in the central migration database ZEMIS. The logs were found to comply with the law. Finally, the third check focused on the retention periods for Advance Passenger Information (API) data. The retention periods were also found to comply with the law.

[25-6] Cooperation between the FIS and the CIS
Mandate: 15.05.2025 | Consultation: 01.10.2025 | Sending the final report: 04.12.2025 | Recommendation(s): 0 | Interviews conducted: 8

The FIS and cantonal intelligence services (CIS) play an important role in safeguarding Switzerland’s interests and the country’s internal and external security, while respecting the fundamental rights of citizens. Their task is to obtain, process and evaluate information from open and non-open sources and forward this intelligence in an appropriate form to federal and cantonal decision-makers.

Between 2024 and 2025, the OA-IA conducted inspections of all the CIS and cantonal supervisory bodies to review cooperation between the FIS and the CIS. This audit subsequently focused on how the FIS fulfils its legal obligations towards the CIS. These obligations relate particularly to checking data storage by the CIS, as well as providing technical resources and training staff.

Shortcomings, such as a lack of cooperation, poor communication, unrealistic expectations or an inappropriate division of tasks, can hinder or prevent the effective implementation of the Intelligence Service Act, thereby endangering internal and external security. The OA-IA therefore examined whether such risks exist.

« The OA-IA found that the FIS had implemented an ongoing and extensive range of measures and arrangements to improve cooperation with the cantons. »

The OA-IA found that the FIS had implemented an ongoing and extensive range of measures and arrangements to improve cooperation with the cantons, particularly with regard to communication, training and operational activities.

Communication
The FIS communicates with the CIS using a variety of formats. Some of these are new, some have been revived and some are extensions of existing ones. The FIS is evaluating all of these formats to ensure that there is no excessive duplication. The FIS and nine CIS also meet in a joint committee to review various operational cases and discuss solutions, illustrating that their cooperation is shifting from a bilateral to a multilateral approach. In addition, the FIS issued two fundamental circulars to the cantons in 2025 on the interpretation of the legal framework applicable to specific issues.

During its inspection visits to the CIS, the OA-IA noted several comments concerning a lack of information. However, this information was posted on the CIS’ intranet and was therefore available to the cantons. This led the OA-IA to conclude that some CIS are not regularly checking their intranet.

Training
Since 2025, the CIS have been participating in the FIS’s basic training programme for new employees. This promotes mutual understanding of knowledge and terminology, as well as networking. The basic training courses address the CIS’ specific needs, including the simultaneous translation of training modules and the translation of documents.

Operational cooperation
Although the FIS has the legal authority to order the CIS to cooperate at operational level, it prefers a collaborative approach. The FIS and the CIS must still jointly assess the opportunities and risks associated with this approach. The FIS must introduce measures to address shortcomings in recent operational cooperation. The OA-IA refrained from making a recommendation, as the FIS is already aware of the shortcomings and is working to resolve them.

Quality assurance
As in previous audits (18-10 and 21-5), the OA-IA reviewed the FIS’s quality assurance controls, which are carried out by three divisions of the FIS according to a proven methodology. The CIS undergo an inspection every six to seven years. For this reason, the annual inspections by the cantonal supervisory authorities are important.

The OA-IA did not make any recommendations in this regard.

Information-gathering

Information-gathering is a core task of the intelligence services. Various means can be used for this purpose. The OA-IA pays special attention to those that most deeply encroach on the privacy of the people affected. Every year, the OA-IA examines operations (OP) and intelligence-gathering through human sources (HUMINT) due to the risks associated with these activities. In 2025, the OA-IA carried out the following audits in this area:

[23-13] Use of undercover virtual agents (VirtA) in the FIS
Mandate: 14.05.2024 | Consultation: 21.11.2024 | Sending the final report: 08.01.2025 | Recommendation(s): 4 | Interviews conducted: 10

According to the FIS, the global threat landscape has evolved in recent years, with communication between individuals and groups, particularly in the areas of terrorism and violent extremism, shifting away from publicly accessible platforms. In order to be able to continue obtaining intelligence, the FIS has had to intensify and adapt its internet monitoring activities, for example by deploying undercover virtual agents (VirtA).

The legal framework for the deployment of VirtA must be clear, as such methods can violate fundamental rights (the right to personal freedom or the right to privacy, including within telecommunications). Moreover, certain information gathered by VirtA could be classified as an investigative measure requiring authorisation, depending on its subject matter. For this reason, the OA-IA examined whether the legal framework for the deployment of undercover VirtA is clear and understood by the FIS employees involved.

Articles 17 (Cover story) and 18 (Alias identity) of the Federal Act on the Intelligence Service (IntelSA) provide the FIS with the legal basis for deploying VirtA. The OA-IA therefore takes the view that their deployment is lawful. However, the FIS has not yet clearly defined what these agents are permitted to do.

« There is no evidence that the FIS has deployed virtual agents unlawfully. »

Various audits by the OA-IA have shown that since the incidents involving unlawful information-gathering by the Cyber Division (see report 22-18), the FIS has become more aware of the risks and is trying to avoid making the same errors when deploying VirtA. Although this audit identified some unresolved questions regarding the regulations and guidelines for their deployment, there is no evidence that the FIS has deployed virtual agents unlawfully. Some of the unresolved questions have been around for several years, and the FIS has long been unclear as to how deployment should occur. Fundamental legal questions need to be clarified internally in order to definitively understand what falls within the scope of permissible intelligence-gathering in cyberspace. To this end, specific questions need to be addressed by the FIS legal department. The OA-IA therefore recommends that the FIS strengthen its expertise in this area of intelligence, which will become increasingly relevant in the future.

If the FIS does not deploy its own VirtA, it will remain dependent on its foreign counterparts. This carries the risk that the FIS may fail to notice, or fail to notice in time, red flags in virtual space indicating an imminent threat. For this reason, the OA-IA examined whether the building of the FIS’s own VirtA unit was appropriate.

Our examination showed that the FIS first began to consider the deployment of VirtAs for operational information-gathering in cyberspace in 2016. From 2019 onwards, efforts became more concrete and, in 2021, the FIS finally decided to create its own VirtA unit based on a decision by the management board. However, responsibility for implementing this decision changed several times, and the efforts of the FIS to create a VirtA unit were inefficient and inappropriate. With each transfer of responsibility to a new person or organisational unit, the same fundamental questions were discussed once again and described in different concepts. The repeated transfer of responsibility has thus not been conducive to establishing a VirtA unit promptly and efficiently.

The OA-IA found the exchange of experience between the FIS and its foreign counterparts to be useful and beneficial. The positive experiences of its partner services were included in its conceptual considerations, and the final organisational structure of the unit is largely based on that of the partner services consulted. The planned cooperation with the partner services in the area of training should ensure that the FIS’s VirtA unit benefits from its foreign colleagues’ many years of operational experience. The OA-IA considers the FIS’s intention to reduce its dependency on partner services by developing its own training in the future to be appropriate.

The OA-IA also examined whether the FIS has the technical and organisational framework to deploy VirtAs effectively and to correctly assess from the outset the chances of obtaining intelligence successfully. Our audit showed that the FIS does not yet have specific criteria for measuring the effectiveness of VirtA operations. It was clear from our discussions with FIS employees that the threshold for deploying VirtAs is high: an isolated tip-off from a partner service, for example, is not enough. Instead, the FIS must have its own reliable information from monitoring the internet in order to have any chance of obtaining authorisation. The OA-IA recommended that the FIS redouble its efforts to define the criteria for measuring the effectiveness of VirtA operations.

[24-5] FIS operations, operational clarifications and intelligence-gathering measures requiring authorisation
Mandate: 25.07.2024 | Consultation: 29.01.2025 | Sending the final report: 26.02.2025 | Recommendation(s): 3 | Interviews conducted: 10

The planning and execution of intelligence operations and operational clarifications are more complex than day-to-day tasks. Moreover, according to internal FIS regulations, information-gathering activities requiring authorisation – which always involve a risk to fundamental rights due to the invasion of privacy of the target – may only be carried out as part of an operation. For this reason, the OA-IA regularly reviews the legality, effectiveness and expediency of such activities.

In this audit, the OA-IA examined the impact of the FIS transformation process on operations and operational clarifications. The work carried out in connection with this transformation had not yet been completed at the time of the audit. Under the transformation, established FIS processes have been replaced by new ones, and these changes have had a fundamental impact on operations, operational clarifications and information-gathering activities requiring authorisation. While these changes can create new risks, they can also give rise to new opportunities.

In its audit, the OA-IA identified areas for improvement with regard to establishing procedures for information-gathering and ensuring that documentation requirements are met. It therefore made recommendations.

In addition, the OA-IA examined three operations in detail and formally reviewed all the information-gathering activities requiring authorisation that had been requested in the context of these operations. The OA-IA found the operations, which had been selected randomly for auditing, to be legal, effective and expedient. The OA-IA also examined whether four authorised and approved information-gathering activities (carried out in two operations) had been conducted in accordance with the relevant rulings of the Federal Administrative Court. It found no areas for improvement and therefore made no recommendations.

[24-6] Human intelligence in the FIS
Mandate: 29.10.2024 | Consultation: 10.06.2024 | Sending the final report: 03.07.2025 | Recommendation(s): 1 | Interviews conducted: 3

Human intelligence (HUMINT) is one of the FIS’s most sensitive areas of activity. A high level of security and protection is required for personnel, including the use of aliases and/or cover stories to conceal their connection with the FIS. Other measures include providing cover stories about workplaces and making covert payments to sources, as well as protecting these sources. The risks in the field of HUMINT are diverse and constantly changing, which is why regular audits by the OA-IA are necessary.

The aim of audit 24-6 was to provide a follow-up to audit 23-12 (Cooperation between the FIS and private actors) as well as to other ongoing HUMINT projects. The OA-IA’s findings were generally positive, with the projects examined progressing in the right direction. A recommendation was issued concerning risk analysis. It appears that the area of HUMINT has now achieved the right balance between its numerous projects, its limited resources and maintaining its core business of source management.

The OA-IA also examined source management files as well as the infrastructure put in place to protect sources. No irregularities were found during the audit.

[25-7] FIS operations, operational clarifications and intelligence-gathering measures requiring authorisation
Mandate: 14.05.2025 | Consultation: 24.09.2025 | Sending the final report: 30.10.2025 | Recommendation(s): 2 | Interviews conducted: 6

The planning and execution of intelligence operations and operational inquiries are more complex than day-to-day tasks. It is therefore appropriate to review the legality, expediency and effectiveness of these activities at regular intervals.

Moreover, according to internal FIS regulations, information-gathering activities requiring authorisation – which always pose a risk to fundamental rights due to the encroachment on the privacy of the target – may only be carried out as part of an operation. For this reason, the OA-IA considered these points to constitute sufficient grounds for reviewing the risks associated with intelligence operations, operational clarifications and information-gathering measures requiring FIS authorisation.

As a result of the FIS transformation process, the organisational structure of operations and operational clarifications was redefined. The new organisational structure has been in place since March 2024. Established processes have been replaced by new ones, and these changes have had a fundamental impact on operations, operational clarifications and information-gathering activities requiring authorisation. While these changes can create new risks, they can also give rise to new opportunities. The work carried out in connection with this transformation had not yet been completed at the time of this audit.

In 2025, the OA-IA audited two counter-terrorism operations. It found the operations, which were selected at random, to be legal, effective and expedient. The OA-IA issued a recommendation on ensuring the operational readiness of technical material.

With regard to formal compliance with documentation requirements, it examined in detail all operational clarifications launched in 2024 as well as a sample of those conducted in the areas of counter-proliferation, counter-terrorism and combatting violent extremism. The OA-IA found that the most important documentation requirements had been met. Nonetheless, to facilitate statistical analysis and thus improve the management of operational clarifications, the OA-IA made a recommendation regarding compliance with the other documentation requirements already established internally by the FIS.

The OA-IA audited 11 authorised and approved information-gathering measures (carried out in two operations) to determine whether they had been implemented in accordance with the relevant rulings of the Federal Administrative Court. Based on the sampling, the OA-IA concluded that they had been.

[25-8] Human intelligence in the FIS
Mandate Consultation Sending the final report Recommendation(s) Interviews conducted
26.08.2025 18.12.2025 5

The OA-IA is currently reviewing a number of cases to determine whether sources are being managed lawfully, expediently and effectively.

[25-9] Cyber intelligence in the MIS
Mandate Consultation Sending the final report Recommendation(s) Interviews conducted
03.12.2025 1

The OA-IA is currently examining whether the MIS is using lawful, appropriate and effective means for cyber intelligence.

Resources

In the area of resources, the OA-IA examines whether the intelligence services are using their resources wisely and whether intelligence activities are being carried out effectively. In 2025, the OA-IA carried out the following resource audits.

[24-7] Information and communication technology (ICT) inventory in the FIS
Mandate | Consultation | Sending the final report | Recommendation(s) | Interviews conducted
22.10.2024 | 19.03.2025 | 10.04.2025 | 1 | 5

In the field of information and communication technology (ICT), organisations must have an overview of their hardware for various reasons. Not only does it help manage hardware components over the course of their respective lifecycles, but it also prevents unauthorised individuals within the organisation from procuring and using hardware unlawfully for intelligence purposes. This last point, in particular, poses a risk to the reputation of the FIS as well as a risk of unlawful data processing due to a lack of control mechanisms.

The OA-IA therefore examined whether the FIS had an inventory of the hardware used for intelligence and, if so, whether it was being managed effectively and efficiently in order to prevent unlawful procurement and use.

The OA-IA audit found that the FIS had well-established procurement and inventory processes. In addition, these two processes were supported by robust software solutions. Although they are not automatically linked and switching between them requires manual intervention, random checks revealed no significant discrepancies between these two processes.

Similarly, the OA-IA found that the inventory process was effective and appropriate for managing other functionalities, such as the lifecycle of an ICT object or determining the location of an ICT component at the FIS, based on its location data.

The OA-IA concluded that integrating the inventory process more closely into the procurement and IT support processes could improve it. However, random checks, interviews with relevant personnel and the strict approval processes did not indicate that the FIS was at high risk due to ineffective or inappropriate inventory management.

Therefore, the OA-IA made only one recommendation: to revise an internal directive that no longer reflects the current organisational structure in order to prevent incorrect or incomplete entries in the inventory process.

[25-10] Armed personnel at the FIS
Mandate | Consultation | Sending the final report | Recommendation(s) | Interviews conducted
27.06.2025 | 30.09.2025 | 30.10.2025 | 0 | 7

The FIS’s policy on armed personnel is based on the Intelligence Service Act. Under the Act, service weapons may only be issued to FIS employees if they are exposed to special danger in the course of their duties. In this audit, the OA-IA examined how the FIS handles the issue, return and storage of service weapons and whether the arrangements comply with the law. It also examined whether equipment and training meet employees’ practical security needs. To this end, it conducted a number of interviews and carried out inspections at various sites.

A new FIS directive recently came into effect that provides clarity in this area. It tightens up the requirements applicable to the issue of service weapons and improves the return procedure. While the OA-IA concluded that further improvements could be made in relation to equipment, it did not issue any recommendations. Instead, it encouraged the FIS to continue its ongoing efforts.

Data processing and archiving

In the area of data processing and archiving, the OA-IA verifies the legality of information processing. This is because the information processed by intelligence services is highly sensitive and the legal requirements are both extensive and complex. In 2025, the OA-IA conducted the following audits in this area.

[22-18] Information gathering by the FIS CYBER division
Mandate | Consultation | Sending the final report | Recommendation(s) | Interviews conducted
07.06.2024 | 18.11.2024 | 20.02.2025 | 4 | 17

Background and procedure

From 2015 to 2020, while dealing with potential cyberattacks, the FIS gathered information that is subject to the provisions on the confidentiality of telecommunications. These information-gathering activities require authorisation by the Federal Administrative Court.

In April 2021, the then FIS director informed the OA-IA by telephone of possible irregularities in the Cyber Division’s information-gathering activities, stating that the FIS had launched an internal investigation into the matter. The OA-IA closely followed the investigation, receiving regular updates from the FIS on its progress and further background information.

Following this internal investigation, the DDPS launched an administrative inquiry in 2022, which was carried out by the former Federal Supreme Court judge, Niklaus Oberholzer. For this reason, the OA-IA decided at the time not to conduct its own investigation.

Once the DDPS administrative inquiry had been completed, the OA-IA deemed the incidents relating to the Cyber Division’s information-gathering activities to have been largely clarified.

However, it felt that some issues remained unresolved, even after both inquiries had been completed. These issues included contact with private companies and the information shared with them.

Consequently, the OA-IA began an audit in June 2022 to address the outstanding questions regarding the Cyber Division’s information-gathering activities between 2015 and 2020. It also examined whether the measures initiated by the FIS, for example the adaptation of the division’s processes and structure, were appropriate and sufficient to ensure the lawful and expedient collection of information in the future.

To this end, the OA-IA analysed a large set of data that had not formed part of the FIS’s internal investigation or the DDPS administrative inquiry. Although this data had been forensically secured by the FIS during its internal investigation in 2021, it had decided against analysing it, primarily due to employment law considerations. However, the OA-IA considered an analysis of the data to be justified as part of its supervisory role.

The audit addressed issues relating to cyber incidents occurring up to 2021, along with the organisational measures implemented in the same area up to March 2023. The OA-IA conducted interviews with the relevant staff members and managers up to December 2022 and gathered specific information on individual issues until the spring of 2024. The FIS was then given the opportunity to comment on the audit findings between December 2024 and January 2025.

Results of the audit

The OA-IA’s audit addressed the following questions:

1. Were the facts that were relevant to the assessment of the incidents in the Cyber Division fully recorded?

Both the internal investigation and the administrative inquiry concluded that the data processed by the Cyber Division in the course of its analysis of cyber incidents was almost exclusively of a technical nature and did not contain any personal data. The Cyber Division had no need to search for personal data, as it was only interested in technical indicators and procedures that were completely independent of individual persons. The data obtained and analysed from suspected cyberattacks could therefore not be linked to any specific person.

However, the OA-IA’s analysis of the forensically secured data also found matches indicating that personal data had been processed and potentially shared with external partners. For example, the dataset included Internet Protocol (IP) addresses, which are legally classified as personal data. According to the Federal Act of 25 September 2020 on Data Protection (Data Protection Act, DPA), personal data means any information relating to an identified or identifiable natural person. As early as the 1988 dispatch on the DPA, the Federal Council stated: ‘If the effort required to identify the data subject is so great that, according to general experience, no interested party can be expected to undertake this task, then the data subject is deemed not to be identifiable’. Under Articles 37 and 38 of the Ordinance of 15 November 2017 on the Surveillance of Post and Telecommunications (SPTO), the FIS is authorised to obtain information on the identification of users of uniquely and non-uniquely assigned IP addresses in Switzerland. The effort required to identify data subjects using an IP address in Switzerland is therefore not too great for the FIS, at least for some of the IP addresses processed. In the OA-IA’s opinion, IP addresses should therefore be considered as personal data in the working environment of the FIS.

During the audit, the OA-IA identified a few instances in which information may potentially have been disclosed to external parties. However, despite analysing the data, it was not possible to clarify this issue thoroughly or conclusively. The OA-IA therefore made a recommendation to examine the risks of cooperation with external parties in cyber-related matters.

2. How will the FIS ensure that the analysis of data traffic from providers is lawful in the future?

Based on the findings of the internal investigation, the FIS took various immediate measures on 20 May 2022. In addition to these immediate measures, it revised its directives of 1 October 2021 on cyber intelligence activities while the investigation was still ongoing, putting them into effect on 23 May 2022. However, contrary to the provisions of the revised directive, the FIS has still not shut down the cyber network data repository, where data from the suspected cyberattacks was stored and processed. According to the FIS, the cyber unit that is responsible for the technical analysis of data would be unable to carry out its work without this infrastructure, severely limiting the operations of the Cyber Division. It stated that it still intended to shut down the system, but a new technical solution would first have to be found. The OA-IA issued the FIS with a written warning on 15 December 2022 for failing to implement the intended measures. It also stipulated that the system used to process cyber data was only an interim solution and would have to be replaced by a definitive solution. The OA-IA recommended that the FIS address the issue urgently.

The audit showed that not all the immediate measures adopted and communicated externally by the FIS had been fully implemented. The lack of close supervision of the Cyber Division, which was criticised in both the internal investigation and the administrative inquiry, was not addressed until 2024, when appropriate management tools were put in place.

In addition, no new controls had been introduced and there is still no control mechanism independent of the Cyber Division. The OA-IA also made a recommendation in this respect.

The OA-IA noted that FIS employees are not subject to any specific regulations governing their rights and obligations in relation to the use of work devices. In particular, it recommended that the FIS distinguish clearly between the use of work devices for business and personal matters, and inform employees that devices may be seized and inspected by the FIS in cases involving suspected misuse.

3. Are the organisational measures and controls implemented by the FIS adequate and will they be effective in preventing such incidents in the future?

The audit did not include a review of information-gathering activities requiring authorisation, nor did it indicate that information was still being obtained unlawfully from information providers.

The FIS did not always follow the self-imposed measures, such as the timely implementation of the points listed in the random sampling report by the FIS’s quality assurance unit.

Given the extent of the unlawful gathering of information by the Cyber Division, which was only recognised and addressed after a number of years, it was surprising that the FIS did not implement any new controls, but relied solely on new processes. While new processes were undoubtedly necessary, sufficient attention should have been paid to monitoring compliance with them. The audit indicated that the Cyber Division leadership had not identified any potential shortcomings in the challenging intelligence environment promptly, which was still the case when the audit was concluded in February 2024. Meanwhile, the FIS was undergoing a transformation and was able to plausibly demonstrate in January 2025 that there had been an improvement in the management of the Cyber Division. The OA-IA therefore decided not to issue a recommendation in this regard.

[24-9] Spot check of the Information and Analysis System All-Source Integral Control Centre (IASA-ICC)
Mandate | Consultation | Sending the final report | Recommendation(s) | Interviews conducted
09.12.2024 | 13.05.2025 | 07.07.2025 | 4 | 7

The FIS uses the Information and Analysis System All-Source Integral Control Centre (IASA-ICC) application to analyse and evaluate original documents from the IASA-GEX FIS and IASA FIS information systems. The application enables data to be replicated in the INDEX FIS system, to which authorised security partners (e.g. cantonal enforcement authorities) have access. The data recorded in IASA-ICC constitutes the structured knowledge of the FIS. The application is based on a raw data directory, where incoming reports are stored as original documents in accordance with the retention periods defined in the IntelSA.

In the course of other audits, the OA-IA identified a recording backlog in IASA-ICC, particularly with regard to reports from the cantonal enforcement authorities, which need to be entered into the system. As a result of this backlog, information that is relevant to Switzerland’s internal and external security may be transmitted to FIS security partners after a delay, posing a security risk.

In late 2024, the FIS established a task force to address the issue of delayed data entry and to optimise processes to prevent future delays. The OA-IA has taken this work into account in its audit and has noted initial improvements.

As part of the audit, the OA-IA conducted three random checks to verify whether the data processing in the IASA-ICC system complied with the legal requirements. Two of these random checks revealed no irregularities. However, one check revealed that the FIS was not complying with all of the data processing restrictions relating to the exercise of political rights, particularly with regard to coronavirus-related extremism. The OA-IA therefore recommended that the FIS make the necessary changes immediately and carry out further checks in connection with single-issue extremism to ensure the protection of fundamental rights.

The current amended version of the Intelligence Service Act involves changing the FIS’s approach to data processing by moving away from an information-system approach towards a data type-oriented approach (intelligence data or administrative data). At the same time, the FIS is carrying out various projects to update its IT infrastructure. As part of this complex project, the IASA-ICC application will either be updated or withdrawn.

The OA-IA also found that the outdated IASA-ICC application was preventing the FIS from making the best use of structured data, as the application does not allow for situation monitoring and data input is very time-consuming. The OA-IA therefore recommended that the FIS define its needs in order to address the ongoing legislative amendments and changes to IT infrastructure, bearing in mind its duty to monitor and assess threat situations. These should enable the FIS to clarify as soon as possible whether the IASA-ICC application should be withdrawn or replaced by an alternative that is beneficial to the fulfilment of its mandate.

[24-10] FIS searches in third-party information systems
Mandate | Consultation | Sending the final report | Recommendation(s) | Interviews conducted
10.06.2024 | 31.01.2025 | 05.03.2025 | 3 | 5

To fulfil its tasks, the FIS depends on access to third-party information systems. These systems are the applications and databases of external operators in Switzerland and abroad, which FIS staff can access to gather information.

In principle, the third party operating the system determines who is authorised to access it as well as the level of authorisation, based on the legal provisions applicable to the respective system and the information provided by the requesting party. Although the third party ultimately decides on access authorisation, the FIS is responsible for submitting requests for access to these external systems on the basis of justified need. The FIS is also responsible for promptly deleting obsolete requests. To this end, it requires adequate access management. Without this, staff may have access to sensitive data to which they are not legally entitled or lack access to data that would be useful for fulfilling their tasks effectively.

The OA-IA audit revealed that the FIS lacks a comprehensive and up-to-date overview of staff access rights to third-party information systems, and that specific processes and systematic internal controls are absent. In addition, the OA-IA considers the automated search interface of two of the audited third-party systems to be unacceptable. While the FIS is not responsible for the interfaces or the information systems, it does bear joint responsibility for searches in these systems. The OA-IA therefore instructed the FIS to find a legally compliant solution so that it always acts in accordance with the legislative framework, failing which the access rights in question must be revoked. Access rights management for third-party systems must also be improved in a number of other areas.

In addition, the OA-IA performed random checks of various third-party information systems to verify whether FIS staff are conducting lawful and expedient searches. A lack of – or unclear – guidelines on the use of the databases, as well as a lack of knowledge about how to carry out database searches, increases the risk that staff could use the databases in excess of their lawful authorisation or misuse them for personal reasons. This could lead to violations of fundamental rights or damage to the reputation of the FIS. For this reason, the OA-IA randomly checked various third-party information systems used by randomly chosen FIS staff members.

The audit did not identify any evidence of unlawful or inappropriate database searches by FIS staff in the third-party information systems audited.

[25-11] Triage and storage of cable intelligence data by the CEA
Mandate | Consultation | Sending the final report | Recommendation(s) | Interviews conducted
18.12.2024 | 03.07.2025 | 28.07.2025 | 1 | 6

Alongside radio intelligence, cable intelligence is now one of the most efficient technical sensors in signal intelligence (SIGINT). However, it involves collecting and storing large amounts of data. This creates a risk of storing data that is irrelevant for the task at hand or without any legal basis for storage. The Cyber and Electromagnetic Activities Service (CEA), which carries out cable intelligence on behalf of the FIS, must therefore take appropriate steps to address this risk.

To determine whether measures have been in place to reduce this risk, the OA-IA decided in its 2025 audit plan to examine the effectiveness, expediency and legality of data triage and storage by the CEA.

The audit found that the CEA had taken a series of measures to address the risk, from the collection of signals to final data storage. At each step, it applies exclusion criteria (blacklists) or positive filters (whitelists) when triaging the data. This continually reduces the volume of raw data at each stage of the process, so that only legally permissible data remains for analysis. The OA-IA concluded that the manner in which the CEA filters the data is effective and expedient. Furthermore, the OA-IA found no evidence that the CEA was systematically collecting data via cable intelligence that is unlawful or not relevant to the work of the FIS.

However, the data collected and processed by the CEA is subject not only to the Intelligence Service Act, but also to the new 2023 Data Protection Act. While the CEA applies the principles of data protection, the OA-IA has recommended examining whether additional measures are required due to updated data protection regulations.

Acceptance

The OA-IA’s auditors were received by the audited units in a constructive and professional manner. They were given direct access to the documents and information systems needed to carry out their audit tasks. The auditors also had no difficulty in contacting interviewees whenever they needed to do so, and additional questions were answered as quickly as possible.

Implementation of the recommendations

Within the legal framework, the OA-IA can issue recommendations to the head of the DDPS based on the findings of its audits. The DDPS is then responsible for implementing these recommendations. If the DDPS rejects a recommendation, the matter is referred to the Federal Council for a decision – a situation that has not yet arisen.

The OA-IA has no legal mandate to monitor the implementation of its recommendations. However, oversight is only effective and credible if the recommendations are implemented and their implementation is monitored. The OA-IA carries out this aspect of its oversight activities in consultation with the audited entities and the DDPS.

The figure below shows the number of recommendations made for each reporting year as a proportion of the number of audits carried out.

The OA-IA takes a targeted and results-oriented approach to issuing substantive recommendations. The number of recommendations is not an indication of any improvement or deterioration.

Year | 2022 | 2023 | 2024 | 2025
Number of audits | 16 | 11 | 11 | 16
Number of recommendations | 13 | 10 | 14 | 28
⌀ Recommendation/Audit | 0.8 | 0.9 | 1.3 | 1.8
