Operators of critical infrastructure in Switzerland will soon be legally required to report cyber-attacks to the country’s authorities.

The cyber reporting mandate was introduced by the Federal Council on March 7. It will be included in an amendment to the Information Security Act (ISA) of 29 September 2023, which will enter into force on April 1, 2025.

From this date, critical infrastructure entities operating in the country, including energy and drinking water suppliers, transport companies and cantonal and communal administrations, will have to report cyber-attacks to the National Cyber Security Centre (NCSC) within 24 hours of discovery.

The reporting mandate will apply if the cyber-attack threatens the functioning of critical infrastructure, has resulted in the manipulation or leakage of information or involves blackmail, threats or coercion.

Fines for Failure to Report Cyber Incidents

A reporting form will be available on the NCSC's Cyber Security Hub, a portal to exchange information between Switzerland’s federal government and critical infrastructure operators.

“Organizations not registered on the platform can submit reports by email using a form available on the NCSC website. After submitting the initial report within 24 hours of discovering the incident, they have 14 days to complete their report,” the NCSC said in a statement.

Critical infrastructure operators who fail to report a cyber-attack meeting the required criteria may face fines, though the authorities have not specified the exact amount.

A grace period will be in effect until October 1, 2025, to give affected organizations sufficient time to prepare for the new reporting obligation.

Laws in other jurisdictions, including Australia, the EU, Japan, Singapore, South Korea, the UK and the US, impose similar reporting requirements on critical infrastructure operators.

