Cyber attacks on critical infrastructure - sanctions come into force

Since April 1, 2025, a statutory reporting obligation for cyberattacks on critical infrastructures has applied in Switzerland. The Federal Office for Cybersecurity (BACS) draws a positive conclusion after the first six months. So far, a total of 164 reports have been received from critical infrastructures. From October 1, 2025, the sanctions provided for failure to report will come into force.

Photo: Depositphotos/Mny-Jhee

The obligation to report cyberattacks on critical infrastructures has been in force for six months. Overall, the Federal Office for Cybersecurity (BACS) is satisfied with the implementation: the operators of critical infrastructures comply with the obligation on time and report cyberattacks within 24 hours. It is particularly positive that the reporters use the Cyber Security Hub, which makes processing much easier for the BACS. Even before the introduction of the reporting obligation, there was a close relationship of trust between the BACS and many operators of critical infrastructure. This long-standing cooperation formed the basis for the successful launch of the reporting obligation.

164 reports from critical infrastructures

The BACS has received a total of 164 reports from critical infrastructures since the beginning of April. DDoS attacks were reported most frequently (18.1%), followed by hacking (16.1%), ransomware (12.4%), credential theft (11.4%), data leaks (9.8%) and malware (9.3%). In several cases, combined phenomena were described, such as ransomware attacks with simultaneous data leakage. The sectors affected are diverse. The financial sector (19%) has been the most affected so far, followed by the IT sector (8.7%) and the energy sector (7.6%). Other reports have come from the authorities, the healthcare sector, telecommunications companies and, in isolated cases, the postal service, the transportation sector, the media industry, food supply and the technology sector.

Strengthening the exchange of information

The incoming reports are statistically recorded and analyzed. The information thus obtained not only helps with the specific response to an incident, but also contributes to a better assessment of the national threat situation and serves as an early warning to other potentially affected organizations. Since the reporting obligation came into force, many more organizations have been directly involved in the exchange of information. As a result, warnings and recommendations now reach significantly more stakeholders directly.

Sanctions for reporting violations will apply from October 1, 2025

From October 1, 2025, the sanctions under the Information Security Act will come into force. Operators of critical infrastructure who fail to comply with their reporting obligation can be fined up to CHF 100,000. If the BACS has indications that a report has not been made, it is obliged to contact the operators of the critical infrastructure first. The BACS can only press criminal charges if the affected parties do not respond to this contact and to the subsequent order.

Source: BACS
