07.03.2025 - At its meeting on 7 March, the Federal Council introduced a reporting obligation for cyberattacks on critical infrastructure, which will come into force on 1 April. Operators of critical infrastructure will be required to report cyberattacks to the National Cyber Security Centre (NCSC) within 24 hours of discovery. These reports will enable the NCSC to assist victims of cyberattacks and alert operators of critical infrastructure.

In view of the increasing threat of cyber incidents, Switzerland is introducing a reporting obligation for cyberattacks on critical infrastructure. Operators of critical infrastructure will be required to report attacks to the National Cyber Security Centre (NCSC).
The Federal Council has decided that the amendment to the Information Security Act (ISA) of 29 September 2023 will enter into force on 1 April. The ISA stipulates that authorities and organisations subject to the reporting obligation, such as energy and drinking water suppliers, transport companies and cantonal and communal administrations, must report cyberattacks to the NCSC within 24 hours of discovery.
Examples of when a cyberattack must be reported include when it threatens the functioning of critical infrastructure, has resulted in the manipulation or leakage of information, or involves blackmail, threats or coercion. Critical infrastructure operators who fail to report a cyberattack may be fined.
The Federal Council has decided to implement the relevant legislation for fines on 1 October in order to give those concerned sufficient time to prepare for the new reporting obligation. This means that the reporting obligation will apply for six months before failure to report becomes sanctionable.
Reporting form on NCSC platform
To make the reporting process as simple as possible, the reporting form will be available on the NCSC's Cyber Security Hub, which it already uses to exchange information with critical infrastructure operators. Organisations not registered on the platform can submit reports by email using a form available on the NCSC website. After submitting the initial report within 24 hours of discovering the incident, they have 14 days to complete their report.
Cybersecurity Ordinance provides for exemptions
The Federal Council has also approved the Cybersecurity Ordinance, which will likewise enter into force on 1 April. The Cybersecurity Ordinance contains the implementing provisions for the reporting obligation and, in particular, regulates the exceptions under Art. 74c ISA. It also contains provisions on Switzerland's cyber strategy, the tasks of the NCSC and the exchange of information between the NCSC and authorities and organisations.
The consultation on the Cybersecurity Ordinance took place between 22 May and 13 September 2020, and showed broad support for strengthening cybersecurity in Switzerland. The main concern of those affected was that the reporting obligation should be as easy as possible to fulfil and harmonised with other reporting obligations (e.g. data protection reporting obligations). These concerns have been taken into account. The NCSC's reporting form makes it possible to collect the necessary information quickly and, if required, to forward it to other authorities to which a reporting obligation also exists, such as the Swiss Financial Market Supervisory Authority (FINMA) or the Federal Data Protection and Information Commissioner.
The Federal Council has issued a further ordinance with effect from 1 April concerning the official change of name of the National Cyber Security Centre in the four national languages in connection with its transformation into a federal office within the DDPS.
Milestone for cybersecurity in Switzerland
The introduction of a reporting requirement that includes multiple sectors is a milestone for cybersecurity in Switzerland. Improving the exchange of information is crucial in order to be able to respond to rapidly evolving cyberthreats with appropriate measures. The introduction of this reporting requirement is in line with international standards. Since 2018, all EU member states have been required to report cyber incidents in accordance with the NIS Directive.
Last modification 07.03.2025