Legal basis for the reporting obligation

Languages

Service navigation

Search

Navigation

Legal basis for the reporting obligation

On 7 March, the Federal Council introduced a reporting obligation for cyberattacks on critical infrastructure, which will come into force on 1 April. Operators of critical infrastructure will be required to report cyberattacks to the National Cyber Security Centre (NCSC) within 24 hours of discovery. The reporting requirement is set out in the Information Security Act (ISA) and in the Cybersecurity Ordinance (CSO).

Information Security Act (ISA) 

Already with the publication of the ‘The National strategy for the protection of Switzerland against cyber risks (NCS) for 2018 to 2022’ there were calls for the feasibility of a reporting obligation to be examined. In 2021, the Federal Council decided to establish the legal basis for introduction of a reporting obligation and to implement this as an amendment to the Information Security Act (ISA).

  • On 12 January 2022, it submitted the proposed draft of the revised ISA for consultation. The results showed general support for a reporting obligation from the private sector, research communities and the cantons.

  • On 2 December 2022, the Federal Council adopted the dispatch on amendment of the ISA to introduce a reporting obligation for cyberattacks on critical infrastructures.

  • The amendments to the ISA were then adopted by Parliament on 29 September 2023.

  • On 7 March 2025, the Federal Council brought the amendments to the ISG into force on 1 April 2025.

The ISA stipulates that authorities and organisations subject to the reporting obligation, such as energy and drinking water suppliers, transport companies and cantonal and communal administrations, must report cyberattacks to the NCSC within 24 hours of discovery.

Information Security Act (ISA)

Cybersecurity Ordinance (CSO)

With the Cybersecurity Ordinance (CSO), the Federal Council states how it intends to implement the reporting obligation in the future and which organisations will be exempt. The ordinance specifies the exemptions from the reporting obligation for authorities and organisations, indicates which cyberattacks must be reported and clarifies the content to be reported. It also describes the procedures to be followed in relation to the reporting obligation and establishes the deadline and reporting completion requirements.

  • On 22 May 2024, the Federal Council launched the consultation phase for the proposed Cybersecurity Ordinance. The consultation lasted until 13 September 2024.

  • On 7 March 2025 the Federal Council has also adopted the Cybersecurity Ordinance (CSO), which will enter into force on 1 April 2025. The CSO contains the implementing provisions for the reporting obligation and, in particular, regulates the exceptions.

Cybersecurity Ordinance (CSO)
The document is available in:

German
French

Further Information

Federal Council launches consultation on Cybersecurity Ordinance

22.11.2023 - Staatssekretariat für Sicherheitspolitik (SEPOS) und Bundesamt für Cybersicherheit (BACS): Bundesrat beschliesst rechtliche Grundlagen

02.12.2022 - Federal Council submits dispatch on mandatory reporting of cyberattacks on critical infrastructures to Parliament

12.05.2022- Broad support among businesses and cantons for cyberattack reporting obligation

Last modification 07.03.2025

Top of page

https://www.ncsc.admin.ch/content/ncsc/en/home/meldepflicht/gesetzliche-grundlagen-mp.html