The Information Security Act (ISA), Art.74b, stipulates that authorities and organisations subject to the reporting obligation, such as energy and drinking water suppliers, transport companies and cantonal and communal administrations, must report cyberattacks to the NCSC within 24 hours of discovery.
ISG - Art. 74b Authorities and organisations subject to the reporting obligation
The Cybersecurity Ordinance (CSO) contains the implementing provisions for the reporting obligation and, in particular, regulates the exceptions.
