In a presentation at the University of Bern on 22 August 2023, I explained the modalities regarding data security and reporting obligations under the DPA and the ISG in procurement. Now there is something to report again in this area: From 1 April 2025, operators of critical infrastructures in Switzerland will be obliged to report cyberattacks they have suffered to the Federal Office for Cybersecurity (BACS) within 24 hours of their discovery. This measure is intended to strengthen cyber security and increase the resilience of essential services. We showed that this is necessary in the Insight of 31 December 2024, in which we reported on the high number of cyber incidents in Switzerland (every 8.5 minutes!). The current article explains the background to the new reporting obligation, the legal basis, the sectors affected and the practical implications, and provides recommendations for action for companies and authorities.
Introduction of mandatory reporting of cyberattacks on critical infrastructure in Switzerland
Critical infrastructures such as the energy supply, healthcare and public transport are increasingly becoming the target of cyberattacks. In order to counter the rapid development of such threats with suitable measures, the Federal Council has decided to introduce a reporting obligation for cyberattacks. This will come into force on 1 April 2025 and obliges operators of critical infrastructure to report cyberattacks to the Federal Office for Cybersecurity (BACS) within 24 hours of their discovery. Switzerland is thus aligning itself with the EU standard, which has had a corresponding reporting obligation for cyber incidents based on the NIS Directive since 2018.
Legal basis
The obligation to report cyberattacks is enshrined in the Information Security Act (ISG). On 7 March 2025, the Federal Council set 1 April 2025 as the date on which the corresponding amendments to the ISG enter into force. In addition, the Cybersecurity Ordinance (CSV) was adopted, which specifies how the reporting obligation is to be implemented.
Affected sectors
According to the Swiss Information Security Act (ISG), critical infrastructure operators are organisations whose failure or impairment could have a serious impact on the functioning of the economy or the well-being of the population. These organisations are obliged to report serious cyberattacks to the Federal Office for Cybersecurity (BACS) within 24 hours of their discovery. The ISG defines nine sectors of critical infrastructure, which are divided into 27 sub-sectors. The main sectors include:
Energy: This includes electricity, gas and oil supply companies as well as energy trading, measurement and control.
Health: Includes healthcare facilities such as hospitals, nursing homes and medical laboratories with the appropriate authorisation.
Finance and insurance: Includes banks, insurance companies and financial market infrastructures.
Transport and traffic: Includes railway companies, cable car, trolleybus, bus and shipping companies as well as airport and harbour operators.
Information and communication technology: Includes telecommunications service providers, registrars, providers and operators of cloud computing, search engines, digital security and trust services as well as data centres based in Switzerland.
Public safety and order: Includes organisations with public tasks in the areas of security and rescue.
Supply and disposal: Includes drinking water supply, wastewater treatment and waste disposal organisations, provided they act in a sovereign capacity.
Food: Companies that supply the population with essential everyday goods and whose failure would lead to significant supply bottlenecks.
State administration: Includes federal, cantonal and municipal authorities as well as intercantonal and intercommunal organisations.
This categorisation serves to ensure the security and availability of essential services and goods in Switzerland.
Notification procedure
A cyberattack must be reported within 24 hours of its discovery. The BACS provides a reporting form on its platform for this purpose. Organisations without access to this platform can use an email form. If not all information is available at the time of the initial report, there is a period of 14 days to provide the missing information. However, experience shows that this second deadline of 14 days is rather tight, as the first endeavours in the event of a cyberattack are to restore operations and not to collect all the information.
Sanctions for non-compliance
The law provides for fines in the event of non-compliance with the reporting obligation. In order to give the organisations concerned time to adapt to the new requirements, the legal basis for these sanctions will not come into force until 1 October 2025. The reporting obligation therefore applies from 1 April 2025, but omissions during the first six months will not yet be penalised.
Practical implications and recommendations
For companies and authorities:
Review IT security measures: Ensure that your IT infrastructure meets the latest security standards and implement the latest updates as soon as they are released.
Implement or adapt an “incident response plan”: Develop a plan or expand an existing one for rapid response to cyber incidents and integrate it into the business process.
Employee training: Sensitise your staff to cyber threats and conduct regular internal training and testing.
Establish internal reporting processes: Define clear processes for the internal recording and forwarding of cyber incidents and ensure that all employees are familiar with this procedure. It is particularly important that the reporting processes are also coordinated with other reporting processes such as data protection breach reports or reports to FINMA or OFCOM.
Conclusion and outlook
The introduction of the obligation to report cyberattacks on critical infrastructures represents an important step towards strengthening cybersecurity in Switzerland. By recording cyber incidents centrally, threats can be better analysed and preventive measures can be implemented more effectively. Companies and authorities should use the time remaining until the sanctions come into force to establish their reporting processes and optimise their IT security strategies.