Switzerland's National Cyber Security Centre (NCSC) has introduced a mandatory reporting requirement for cyberattacks targeting critical infrastructure, effective from April 1. Critical infrastructure operators must report any cyberattack to the NCSC within 24 hours of detection. The reporting requirement is set out in the Information Security Act (ISA) and the Cybersecurity Ordinance (CSO). The reports will also allow the NCSC to support victims of cyberattacks and to notify other critical infrastructure operators.
Additionally, the Federal Council has decided to bring the provisions on fines into force on Oct. 1, to give those concerned sufficient time to prepare for the new reporting obligation. This means that the reporting obligation will apply for six months before failure to report becomes sanctionable.
The NCSC stipulates that authorities and organizations subject to the reporting obligation, such as energy and drinking water suppliers, transport companies, and cantonal and communal administrations, must report cyberattacks to the NCSC within 24 hours of discovery.
“The introduction of a reporting requirement that includes multiple sectors is a milestone for cybersecurity in Switzerland. Improving the exchange of information is crucial in order to be able to respond to rapidly evolving cyberthreats with appropriate measures,” the NCSC said in a statement. “The introduction of this reporting requirement is in line with international standards. Since 2018, all EU member states have been required to report cyber incidents in accordance with the NIS Directive.”
Due to the growing risk of cyber incidents, Switzerland is implementing a mandate for reporting cyberattacks on critical infrastructure. Critical infrastructure operators must report such attacks to the NCSC. To make the reporting process as simple as possible, the reporting form will be available on the NCSC’s Cyber Security Hub, which it already uses to exchange information with critical infrastructure operators. Organisations not registered on the platform can submit reports by email using a form available on the NCSC website. After submitting the initial report within 24 hours of discovering the incident, they have 14 days to complete their report.
The Federal Council has decided that the amendment to the ISA of 29 September 2023 will enter into force on 1 April. The ISA stipulates that authorities and organisations subject to the reporting obligation, such as energy and drinking water suppliers, transport companies, and cantonal and communal administrations, must report cyberattacks to the NCSC within 24 hours of discovery.
The agency provided examples of when a cyberattack must be reported, including when it threatens the functioning of critical infrastructure, has resulted in the manipulation or leakage of information, or involves blackmail, threats, or coercion. Critical infrastructure operators who fail to report a cyberattack may be fined.
The Federal Council has also approved the Cybersecurity Ordinance, which will enter into force on April 1. The Cybersecurity Ordinance contains the implementing provisions for the reporting obligation and, in particular, regulates the exceptions under Art. 74c ISA. It also contains provisions on Switzerland’s cyber strategy, the tasks of the NCSC, and the exchange of information between the NCSC and authorities and organisations.
The NCSC noted that the consultation on the Cybersecurity Ordinance took place between 22 May and 13 September 2020 and showed broad support for strengthening cybersecurity in Switzerland. The main concern of those affected was that the reporting obligation should be as easy as possible to fulfil and harmonised with other reporting obligations (e.g., data protection reporting obligations). These concerns have been taken into account.
With the CSO, the Federal Council states how it intends to implement the reporting obligation in the future and which organisations will be exempt. The ordinance specifies the exemptions from the reporting obligation for authorities and organizations, indicates which cyberattacks must be reported, and clarifies the content to be reported. It also describes the procedures to be followed concerning the reporting obligation and establishes the deadline and reporting completion requirements.
In May 2024, the Federal Council launched the consultation phase for the proposed Cybersecurity Ordinance. The consultation lasted until Sept. 13, last year. On Mar. 7 this year, the Federal Council also adopted the CSO, which will enter into force on April 1, 2025. The CSO contains the implementing provisions for the reporting obligation and, in particular, regulates the exceptions.
The NCSC’s reporting form makes it possible to collect the necessary information quickly and, if required, to forward it to other authorities to which there is also a reporting obligation, such as the Swiss Financial Market Supervisory Authority (FINMA) or the Federal Data Protection and Information Commissioner.
The Federal Council has issued a further ordinance with effect from April 1 concerning the official change of name of the National Cyber Security Centre in the four national languages in connection with its transformation into a federal office within the DDPS.
Last March, the U.S. Department of Homeland Security (DHS) and the European Commission’s Directorate General for Communications, Networks, Content, and Technology (DG CONNECT) announced a comparison of cyber incident reporting elements. The effort aims to shape cyber incident reporting requirements for the U.S. and the European Union (EU) under the NIS 2 Directive.