Cyber attacks on critical infrastructure - sanctions come into force

The obligation to report cyberattacks on critical infrastructures has been in force for six months. Overall, the Federal Office for Cybersecurity (BACS) is satisfied with the implementation: the operators of critical infrastructures comply with the obligation on time and report cyberattacks within 24 hours. It is particularly positive that the reporters use the Cyber Security Hub, which makes processing much easier for the BACS. Even before the introduction of the reporting obligation, there was a close relationship of trust between the BACS and many operators of critical infrastructure. This long-standing cooperation formed the basis for the successful launch of the reporting obligation.

164 Notifications from critical infrastructures

The BACS has received a total of 164 reports from critical infrastructures since the beginning of April. DDoS attacks were reported most frequently (18.1%), followed by hacking (16.1%), ransomware (12.4%), credential theft (11.4%), data leaks (9.8%) and malware (9.3%). In several cases, combined phenomena were described, such as ransomware attacks with simultaneous data leakage. The sectors affected are diverse. The financial sector (19%) has been the most affected so far, followed by the IT sector (8.7%) and the energy sector (7.6%). Other reports have come from the authorities, the healthcare sector, telecommunications companies and, in isolated cases, the postal service, the transportation sector, the media industry, food supply and the technology sector.

Strengthening the exchange of information

The incoming reports are statistically recorded and analyzed. The information thus obtained not only helps with the specific response to an incident, but also contributes to a better assessment of the national threat situation and serves as an early warning to other potentially affected organizations. Since the reporting obligation came into force, many more organizations have been directly involved in the exchange of information. As a result, warnings and recommendations now reach significantly more stakeholders directly.

Sanctions for reporting violations will apply from October 1, 2025

From October 1, 2025, the sanctions under the Information Security Act will come into force. Operators of critical infrastructure who fail to comply with their reporting obligation can be fined up to CHF 100,000. If the BACS has indications that a report has not been made, it is obliged to contact the operators of critical infrastructures first. The BACS can only press criminal charges if there is no response to this contact and the subsequent order by the affected parties.

Source: Bacs