22.05.2024 - At its meeting on 22 May the Federal Council launched a consultation on the Cybersecurity Ordinance. The Ordinance sets out how the obligation to report cyberattacks on critical infrastructure is to be implemented, regulates how implementation of the National Cyberstrategy is to be organised and specifies the tasks of the new National Cyber Security Centre (NCSC). The Ordinance also specifies which authorities and companies are exempt from the reporting obligation. The consultation will run until 13 September 2024.

On 29 September 2023, Parliament adopted amendments to the Information Security Act (ISA) to introduce a reporting obligation for cyberattacks on critical infrastructures. The ISA sets out which authorities and organisations will be required to report cyber-related incidents in future. The law also establishes the National Cyber Security Centre (NCSC) as a reporting office.
In the Cybersecurity Ordinance, the Federal Council sets out how the reporting obligation is to be implemented and which entities will be exempt from it. The Ordinance regulates the scope of the reporting obligation for authorities and organisations and defines the types of cyberattack and content that must be reported. It also prescribes the procedures for fulfilling the reporting obligation, and the deadlines involved.
Exemptions from reporting obligation
Provisions on exemptions from the reporting obligation are a key element of the new Cybersecurity Ordinance. Exemptions apply to authorities and companies suffering a cyberattack which has no direct impact on the functioning of the economy or the well-being of the population. In some sectors, such as energy supply, transport and public authorities, specific thresholds have been set to define these exemptions. Authorities and organisations that fall below these thresholds are not required to report an attack. In addition, a general exemption applies to companies with fewer than 50 employees, an annual turnover or annual balance sheet total of less than CHF 10 million, and to authorities that are responsible for fewer than 1,000 inhabitants.
Boosting Switzerland's cybersecurity
The Ordinance also regulates the strategic management of cybersecurity in Switzerland and determines the tasks, mandate and composition of the National Cyberstrategy steering committee. It also sets out the NCSC's tasks and regulates the exchange of information between the operators of critical infrastructures. By introducing an obligation to report cyberattacks, Switzerland is boosting its cybersecurity and making itself better equipped against cyberthreats.
The consultation will run until 13 September 2024.
Last modification 22.05.2024