On March 7, 2025, the Swiss Federal Council announced a significant step to bolster national cybersecurity by mandating that operators of critical infrastructure report cyberattacks to the National Cyber Security Centre (NCSC) within 24 hours of discovery.
This mandate, effective from April 1, 2025, stems from an amendment to the Information Security Act (ISA) passed on September 29, 2023. It requires entities such as energy and drinking water suppliers, transport companies, and cantonal and communal administrations to promptly report cyber incidents. Incidents necessitating reports include those that threaten the functioning of critical infrastructure, result in data manipulation or leakage, or involve blackmail, threats, or coercion
To facilitate compliance, the NCSC will provide a reporting form on its Cyber Security Hub, streamlining the process for critical infrastructure operators. Organizations not registered on the platform can submit reports via email using a form available on the NCSC website. After the initial report within 24 hours of discovering the incident, organizations have 14 days to complete their report.
Recognizing the need for a transition period, the Federal Council has set October 1, 2025, as the date when fines for non-compliance will be enforced, allowing organizations six months to adapt to the new requirements.
This initiative aligns Switzerland with international standards, mirroring the European Union’s NIS Directive, which has mandated cyber incident reporting for member states since 2018.
The introduction of this reporting requirement marks a milestone in enhancing Switzerland’s cybersecurity posture, aiming to improve information exchange and enable timely responses to evolving cyber threats.
Image by Allexxandar on Freepik
