Reporting obligation for cyberattacks

Parliament has decided to introduce a reporting obligation for cyberattacks on critical infrastructure. This reporting obligation will enable the NCSC to gain a better overview of cyberattacks that have occurred in Switzerland and shed light on the methods used by the perpetrators. Implementation of the reporting obligation is set out in the proposed Cybersecurity Ordinance (CSO). The consultation phase for the corresponding draft will continue until 13 September 2024.

Successful cyberattacks can have a far-reaching impact on the availability and security of the Swiss economy. The population, authorities and companies are constantly exposed to the risk of cyberattacks. Since reports to the NCSC are only made on a voluntary basis, it currently has no means of accurately assessing which attacks have taken place and where. A reporting obligation, however, would enable the NCSC to gain a better overview of cyberattacks that have occurred in Switzerland and shed light on the methods used by the perpetrators. This would lead to a better assessment of the threat situation and enable operators of critical infrastructure to be warned at an early stage.

Reporting obligation anchored in ISA

As early as the publication of the 'National strategy for the protection of Switzerland against cyber risks (NCS) for 2018 to 2022', there were calls for the feasibility of a reporting obligation to be examined. In 2021, the Federal Council decided to establish the legal basis for the introduction of a reporting obligation and to implement this as an amendment to the Information Security Act (ISA). On 12 January 2022, it submitted the proposed draft of the revised ISA for consultation. The results showed general support for a reporting obligation from the private sector, research communities and the cantons. On 2 December 2022, the Federal Council adopted the dispatch on the amendment of the ISA to introduce a reporting obligation for cyberattacks on critical infrastructures. The amendments to the ISA were then adopted by Parliament on 29 September 2023.

Consultation on Cybersecurity Ordinance

With the Cybersecurity Ordinance (CSO), the Federal Council states how it intends to implement the reporting obligation in the future and which organisations will be exempt. The ordinance specifies the exemptions from the reporting obligation for authorities and organisations, indicates which cyberattacks must be reported and clarifies the content to be reported. It also describes the procedures to be followed in relation to the reporting obligation and establishes the deadline and the requirements for completing a report.

On 22 May 2024, the Federal Council launched the consultation phase for the proposed Cybersecurity Ordinance. Consultation will continue until 13 September 2024.

The NCSC has drawn up a draft reporting form to clarify how the reporting obligation should be implemented in the future. This draft form indicates what information is required and in what form. While the form is currently only available in hardcopy, an online version will be posted to the NCSC's Cyber Security Hub as soon as the reporting obligation comes into force.

Subsequent steps

The Cybersecurity Ordinance will be submitted to the Federal Council after completion of the consultation phase. The obligation to report cyberattacks on critical infrastructure is expected to be introduced in the first half of 2025.

Last modification 07.08.2024

https://www.ncsc.admin.ch/content/ncsc/en/home/dokumentation/meldepflicht.html