Parliament has decided to introduce a reporting obligation for cyberattacks on critical infrastructure. Implementation of the reporting obligation is set out in the proposed Cybersecurity Ordinance (CSO). This will come into force in the first half of 2025.
Reporting obligation anchored in ISA
As early as the publication of the ‘National strategy for the protection of Switzerland against cyber risks (NCS) for 2018 to 2022’, there were calls to examine the feasibility of a reporting obligation. In 2021, the Federal Council decided to establish the legal basis for introducing a reporting obligation and to implement it as an amendment to the Information Security Act (ISA).
- On 12 January 2022, it submitted the proposed draft of the revised ISA for consultation. The results showed general support for a reporting obligation from the private sector, research communities and the cantons.
- On 2 December 2022, the Federal Council adopted the dispatch on amendment of the ISA to introduce a reporting obligation for cyberattacks on critical infrastructures.
- The amendments to the ISA were then adopted by Parliament on 29 September 2023.
Implementation regulated in the Cybersecurity Ordinance
With the Cybersecurity Ordinance (CSO), the Federal Council states how it intends to implement the reporting obligation in the future and which organisations will be exempt. The ordinance specifies the exemptions from the reporting obligation for authorities and organisations, indicates which cyberattacks must be reported and clarifies the content to be reported. It also describes the procedures to be followed in relation to the reporting obligation and establishes the deadline and reporting completion requirements.
- On 22 May 2024, the Federal Council launched the consultation phase for the proposed Cybersecurity Ordinance. The consultation lasted until 13 September 2024.
Next steps:
In the first quarter of 2025, the Cybersecurity Ordinance will be submitted to the Federal Council. The introduction of the reporting obligation for cyberattacks on critical infrastructure is expected to take place in the first half of 2025.
Last modification 06.01.2025