Cyber reporting obligation: «If no one takes responsibility, the whole company is affected»

The biggest challenge in OT projects lies in early planning: clear risk analysis and less complexity. What if they are not clearly defined and a cyber incident occurs?

«Ultimately, the responsibility lies with the management. This is often underestimated,» says Christoph Steiner, security project expert and owner of the management team at EPRO SECURE. Photo: © David Hubacher


When no one is prepared

This hypothetical but realistic case shows the weak points.

Spring 2025: A cyber incident occurs in a medical laboratory with 80 employees via the building automation system. A remote maintenance interface was inadequately secured. Attackers injected control commands. Ventilation and climate zones were changed in an uncontrolled manner. Temperatures rose in several laboratory rooms, sample material was damaged and sensitive devices no longer responded reliably. Operations came to a standstill. Analysis results could not be delivered. The resulting operational downtime and reputational damage were enormous.

But the real mistake?

The reporting obligation was underestimated. Responsibilities were not regulated, and procedures, processes and roles were not defined. «Structures and processes must be in place before valuable time is lost during the crisis», says Christoph Steiner.

Who is affected? - Legally binding, organizationally underestimated

Since April 1, 2025, the cyber reporting obligation (ISG Art. 74ff) has applied to operators of critical infrastructures. It is not just about technology. It is about clear responsibilities in management, IT, FM (facility management) and crisis communication.

Preparation is the best planning:

  1. As-is analysis of the protection goals
  2. Workshops with the right questions
  3. Risk analysis
  4. Decision on protective measures
  5. Implementation and training

«Setting up the crisis organization is part of the planning. So is testing and practicing», emphasizes Christoph Steiner.

Conclusion: Security must be managed, not just built

Anyone with responsibility - whether in planning, operations or IT - has to think differently about OT security today.

The statutory reporting obligation is not a purely technical task. It requires an interdisciplinary view of operational safety, organization and risk management. Operators, building owners and planners must create structures that work in an emergency.

Because the damage does not begin with the incident. It begins with the assumption that someone else is responsible.

Do you know your risks? You need a plan for emergencies.

We support you from the risk analysis to the reporting process.

So that responsibility is clearly regulated and security works.

EPRO SECURE GmbH

Comprehensive and integral security planning

Bahnhofstrasse 4, 3073 Gümligen, Switzerland

www.eprosecure.ch

Tel landline: +41 58 502 73 60

Email: info@eprosecure.ch
