In view of the “increasing threat of cyber incidents,” Switzerland is aiming to bolster cybersecurity defenses by introducing a reporting obligation for cyberattacks on critical infrastructure, effective April 1st.
The Swiss National Cyber Security Centre (NCSC) has announced that operators of critical infrastructure will be required to report cyberattacks within 24 hours of discovery.
“These reports will enable the NCSC to assist victims of cyberattacks and alert operators of critical infrastructure,” the statement reads.
“The move is considered a significant step for Swiss cybersecurity, enhancing information sharing and response to cyber threats.“
The new law is an amendment to the Information Security Act (ISA) and will enter into force on April 1st. The reporting obligation applies to energy and drinking water suppliers, transport companies, cantonal and communal administrations, and other critical organizations.
Failure to report can result in fines, though sanctions will only be imposed starting October 1st, 2025, giving operators some time to prepare.
“This means that the reporting obligation will apply for six months before failure to report becomes sanctionable,” NCSC said.
“Examples of when a cyberattack must be reported include when it threatens the functioning of critical infrastructure, has resulted in the manipulation or leakage of information, or involves blackmail, threats, or coercion. Critical infrastructure operators who fail to report a cyberattack may be fined.”
To streamline the reporting process NCSC uses Cyber Security Hub for information exchange.
The introduction of the reporting requirement aligns with international standards, such as the EU Directive, which requires all EU member states to report cyber incidents.
Your email address will not be published. Required fields are markedmarked