FAQ

No. As a private individual, you do not have a reporting obligation, but voluntary reports help us to identify trends or take countermeasures. The form for voluntary reports can be found here:
https://www.report.ncsc.admin.ch/en/

In Switzerland, there is a reporting obligation for companies that operate critical infrastructure. These companies are obliged to report cyberincidents to the National Cyber Security Centre (NCSC). The reporting obligation is set out in the Cybersecurity Ordinance., which will be submitted to the Federal Council for approval in the first quarter of 2025. For companies that do not operate critical infrastructure, there is currently no legal obligation to report cyberincidents. However, we recommend reporting incidents voluntarily to the NCSC as a contribution to the overall cybersecurity situation. 

Yes, you can report cyberincidents even if you do not have a reporting obligation. In fact, we recommend reporting incidents voluntarily to the National Cyber Security Centre (NCSC). This contributes to the overall cybersecurity situation and helps us to identify and combat threats at an early stage.

From the time the reporting requirement comes into force in the first half of 2025, the following reporting options will be available:

Companies with an account on the NCSC cyber security hub (CSH) can report directly via this portal.
Companies subject to the reporting requirement that do not yet have a CSH account are advised to open one with the cyber security hub.
Further information can be found at: 
Cyber Security Hub

For companies without an account on the Cyber Security Hub, the NCSC provides an alternative reporting channel via email. Information on this process will be posted on the NCSC website before the reporting requirement comes into force. 

Yes. Even if you do not yet have any information, you must submit an initial report within 24 hours. You can then submit a final report containing additional information within 14 days.