Obligation to report cyberattacks on critical infrastructure comes into force on 1 April

31.03.2025 – The obligation to report cyberattacks on critical infrastructure comes into force on 1 April. From tomorrow, operators of critical infrastructure are required to report cyberattacks to the National Cyber Security Centre (NCSC) within 24 hours of discovery.

Due to the increasing threat posed by cyberincidents and in order to obtain a better overview of the cyberthreat situation, the Federal Council took the decision on 7 March to introduce a reporting obligation for cyberattacks on critical infrastructure as of 1 April. Operators of critical infrastructure are therefore obliged to report cyberattacks to the NCSC within 24 hours of discovery. The reporting obligation aims to strengthen cybersecurity in Switzerland. It enables the NCSC to support those affected in coping with cyberattacks and to warn other operators of critical infrastructure in a timely manner.

The reporting obligation applies to authorities and organisations such as energy or drinking water suppliers, transport companies and cantonal and communal administrations. A cyberattack must be reported if it jeopardises the functionality of critical infrastructure, has reulted in the manipulation or leakage of information or involves blackmail, threats or coercion.

The NCSC provides a reporting form on its information exchange platform. Alternatively, organisations that do not have access to the platform can submit their reports via an email form available on the NCSC website. An initial report is required within 24 hours of discovery. If not all information is immediately available, a complete report can be submitted within 14 days. For the first six months, until 1 October, there will be no sanctions for failure to report. After this transitional period, fines will come into force.

The NCSC has produced two explanatory videos that explain the reporting requirements in detail. The first video Mandatory reporting of cyberattacks on critical infrastructure explains the background and objectives of the reporting obligation, while the second video How to report a cyberattack on critical infrastructure provides a step-by-step guide to reporting.

Further information