Cyber reporting obligation: Why resilience is not an IT project, but a management task

The cyber reporting obligation makes it clear: before time becomes a burden, clear responsibilities and coordinated interaction between IT, OT, facility management and leadership are required.

«OT security requires clear processes, interfaces and defined responsibilities as an integral part of a functioning crisis organization,» says Michel Renfer, CEO of dualstack. Photo: © David Hubacher


When no one is prepared

This hypothetical but realistic case shows the weak points.

Spring 2025: A cyber incident occurs in a medical laboratory with 80 employees via the building automation system. A remote maintenance interface was inadequately secured. Attackers infiltrated control commands. Ventilation and climate zones were changed in an uncontrolled manner. Temperatures rose in several laboratory rooms, sample material was damaged and sensitive devices no longer responded reliably. Operations came to a standstill. The analysis results could not be delivered. The resulting operational downtime and reputational damage were enormous.

The incident is fictitious, but its structure is real

The reporting obligation was underestimated. Responsibilities were not regulated and procedures, processes and roles were not defined.

«OT security is no longer just an IT issue; various functions in the company are affected. If the organization is not prepared, time becomes a burden and returning to normality becomes a mammoth task,» says Michel Renfer.

Responsibility is not an IT issue, but a management task

Today, IT managers in particular are at the interface between technology, management and other specialist areas and have to bring together various business functions. Many organizations are not even aware that they are subject to the obligation to report cyber incidents (Art. 74c ISG).

Even fewer have defined clear processes for correctly recognizing, reporting and documenting incidents. When an incident occurs, time pressure, stress and uncertainty lead to a blackout: in an emergency, working out what to do costs far too much time.


Seizing the cyber reporting obligation as an opportunity for responsibility - From risk to routine:

  1. Where does our organization stand today?
  2. Which systems, processes and roles are affected?
  3. Where are the weak points - technical, organizational, communicative?
  4. How can common standards and clear responsibilities be established?
  5. How do we ensure stability during staff changes through documented processes?
  6. And how do we train for emergencies before they happen?


«Safety becomes robust when it is practiced. Anything that is not practiced regularly will not work in an emergency,» says Michel Renfer.


Conclusion: Resilience does not mean preventing every attack.

It means creating structures that work in an emergency - technically, organizationally and communicatively. Success lies where IT, OT, facility management (FM) and management rely on common standards and good preparation.

How well is your company prepared for the cyber reporting obligation?

We support you with technical expertise, process understanding and an eye for the big picture. So that IT and OT security don't work side by side, but together.


dualstack AG

Leading Swiss provider of innovative network and security solutions for critical infrastructures


Aarbergstrasse 46, 2503 Biel/Bienne, Switzerland

www.dualstack.ch


Tel landline: +41 58 510 68 00

Email: contact@dualstack.ch
