02.12.2022 - The Federal Council wants to introduce a reporting duty for cyberattacks on critical infrastructures. To this end, during its meeting on 2 December 2022, it adopted the dispatch on amending the Information Security Act and submitted it to Parliament. The proposal creates the legal basis for the reporting obligation for the operators of critical infrastructures and defines the tasks of the National Cybersecurity Centre (NCSC), which is intended to be the central reporting office for cyberattacks.
Federal Council submits dispatch on mandatory reporting of cyberattacks on critical infrastructures to Parliament
Successful cyberattacks can have far-reaching consequences for the availability and security of the Swiss economy. The general public, authorities and companies are exposed to the risk of cyberattacks on a daily basis. There is currently no overall picture of what attacks have taken place where, because reporting to the NCSC is voluntary. Mandatory reporting will provide the NCSC with a clearer picture of the cyberattacks that have occurred in Switzerland and the modus operandi of the attackers. This will allow the threat situation to be assessed more accurately, and the operators of critical infrastructures can be warned at an early stage. By introducing the reporting obligation, the Federal Council wants to ensure that all operators of critical infrastructures take part in the exchange of information and thereby contribute to early warning systems.
Consultation revealed broad support for a reporting obligation
During its meeting on 2 December 2022, the Federal Council took note of the results of the consultation procedure for the proposal. In total, 99 comments were received from cantons, operators of critical infrastructures and representatives from academia and the business community. The consultation revealed broad approval of the proposal. Introducing a reporting obligation and anchoring the NCSC as the national reporting office are seen as important steps to improve Switzerland's cybersecurity. A key concern raised during the consultation phase was also that the reporting obligation should be implemented as unbureaucratically as possible, and should not result in a large additional administrative burden.
NCSC support in the event of cyberattacks
In order to make reporting as simple as possible, the NCSC will provide an electronic reporting form. This form can easily completed and, where desired, forwarded directly to other recipients. Moreover, the proposal not only obliges companies to help protect against cyberattacks, it also requires the NCSC to offer subsidiary support in dealing with cyberattacks. In addition, the legislation defines how the NCSC supports businesses and the general public in protecting themselves against cyberthreats. In particular, it sets out the NCSC's functions as a contact point for questions on cyberthreats and a reporting office for vulnerabilities.
Documents
Dispatch (PDF, 727 kB, 02.12.2022)Available only in German, French and Italian
Act (PDF, 298 kB, 02.12.2022)Available only in German, French and Italian
Report on the results of the consultation procedure (PDF, 879 kB, 02.12.2022)Available only in German, French and Italian