On 7 March, the Federal Council introduced a reporting obligation for cyberattacks on critical infrastructure, which will come into force on 1 April. Operators of critical infrastructure will be required to report cyberattacks to the National Cyber Security Centre (NCSC) within 24 hours of discovery. After submitting the initial report within 24 hours of discovering the incident, they have 14 days to complete their report.
Authorities and organisations subject to the reporting obligation
The Federal Council has decided that the amendment to the Information Security Act (ISA) of 29 September 2023 will enter into force on 1 April. The ISA stipulates that authorities and organisations subject to the reporting obligation, such as energy and drinking water suppliers, transport companies and cantonal and communal administrations, must report cyberattacks to the NCSC within 24 hours of discovery.
The Federal Council has also approved the Cybersecurity Ordinance, which will also enter into force on 1 April. The Cybersecurity Ordinance contains the implementing provisions for the reporting obligation and, in particular, regulates the exceptions under Art. 74c ISA.
Reportable incidents
Examples of when a cyberattack must be reported include when it threatens the functioning of critical infrastructure, has resulted in the manipulation or leakage of information, or involves blackmail, threats or coercion. Critical infrastructure operators who fail to report a cyberattack may be fined.
The Federal Council has decided to implement the relevant legislation for fines on 1 October in order to give those concerned sufficient time to prepare for the new reporting obligation. This means that the reporting obligation will apply for six months before failure to report becomes sanctionable.
Easy reporting process
To make the reporting process as simple as possible, the reporting form will be available on the NCSC's Cyber Security Hub, which it already uses to exchange information with critical infrastructure operators.
Online events on the topic of "reporting obligation for cyberattacks on critical infrastructure"
Online events for communes:
| Date | Time | Language | Link to registration |
|---|---|---|---|
| 13.03.2025 | 12.00 – 13.00 | German | Registration |
| 27.03.2025 | 12.00 – 13.00 | French | Registration |
Online events for companies:
| Date | Time | Language | Link to registration |
|---|---|---|---|
| 20.03.2025 | 12.00 – 13.00 | German | Registration |
Last modification 13.03.2025
