ICT security and data protection

The Zurich Airport Group works continuously to strengthen the resilience of its IT and communication systems. These efforts ensure that data and information are available and confidential while maintaining their integrity.

Relevance

In order for air traffic and all other processes at the airport to be handled securely, the IT and communication systems (collectively referred to as ICT) must function reliably. In Zurich and at the sites in Brazil and India, the situation for the Zurich Airport Group is similar: Zurich Airport Ltd. and its majority interests operate comprehensive ICT systems, including data centers, which are essential for the operation of the entire airport. In Chile, on the other hand, the ICT systems of the majority-owned subsidiary and its sites are largely confined to the commercial and personnel-related administration of the company itself, as the aviation systems in particular are operated by the authorities.

In addition to physical risks such as natural disasters, cyberattacks pose a major threat to ICT systems. The Zurich Airport Group is required to continuously develop its security strategies. The ICT systems and associated data and information must be protected from unauthorised access while maintaining availability, confidentiality and integrity at all times.

Zurich Airport is integrated into the national strategy for the protection of critical infrastructure. It must take measures to increase its resilience. At the same time, the National Aviation Security Programme (NASP) run by the Federal Office of Civil Aviation (FOCA) stipulates certain ICT security requirements that are binding for Zurich Airport.

The security of personal data in Zurich encompasses areas such as passenger handling, video surveillance, access, vehicle parking and other services. This data is subject to Swiss and/or European data protection legislation.

Approach

ICT security

To guarantee the availability, confidentiality and integrity of its ICT systems, Zurich Airport Ltd. set up an information security management system (ISMS) for the Zurich site in 2022, which was recertified in accordance with ISO 27001 during the year under review. The system was expanded in the reporting year and now meets additional requirements stipulated by the authorities or set out in voluntary standards. The scope of the ISMS was simultaneously expanded from the basic ICT infrastructure to also cover systems relevant to aviation safety. Moreover, the Cyber Defence Center was further expanded and additional staff were hired. The management system will continue to be developed in the future and adapted to changing challenges. Zurich Airport thus complies with the requirements of the NASP.

ISO 27001 certified

The cybersecurity strategy, which was last revised in 2023, forms the basis for the further development of measures to increase ICT security at the Zurich site. The strategy is based on internationally recognised regulations. Once a year, the Audit & Finance Committee of the Board of Directors is informed about the current state of play.

Thanks to the close integration with the national strategy to protect critical infrastructures and strong alignment with industry standards, the company is able at all times to detect external cyberattacks and other data breaches at an early stage and to minimise their impact. Redundancy is provided for system-critical infrastructures, which also limits the damage to ICT systems caused by other incidents such as earthquakes.

The conduct of employees is another important pillar of the cybersecurity strategy. Regular information campaigns and training events are held to raise awareness among all ICT users and enable them to quickly spot potential threats.

Three of the sites in Brazil are certified in accordance with ISO 27001. Only in Natal, which has been part of the portfolio since early 2024, is certification still pending.

Protection of personal data

For the Zurich site, the framework for handling personal data is primarily provided by the Swiss Data Protection Act and the European General Data Protection Regulation.

Zurich Airport Ltd. treats the data and sensitive information of its business customers, service partners, consumers and other stakeholders with the utmost care. The company consistently observes the applicable confidentiality obligations and complies with data protection laws. The data protection officer of Zurich Airport Ltd. is responsible for ensuring compliance as regards the protection of personal data. She advises line managers on the correct handling of personal data, maintains a list of all the company’s data repositories, and provides information to affected individuals, external bodies and public authorities. The principles for handling personal and company data are set out in the Data Ethics Policy of Zurich Airport Ltd.

The management of operational and personal data at the company’s airports abroad is based on the respective local regulations in force.