Obligation to report cyberattacks on critical infrastructures applies from April 1

At its meeting on March 7, 2025, the Federal Council enacted the reporting obligation for cyberattacks on critical infrastructures as of April 1. Operators of critical infrastructure will be obliged to report cyberattacks to the Federal Office for Cybersecurity (BACS) within 24 hours of detecting them. These reports will enable the BACS to support those affected in dealing with cyberattacks and to warn operators of critical infrastructures at an early stage.

Picture: Depositphotos/weerapat

Due to the increasing threat of cyber incidents, a reporting obligation for cyberattacks on critical infrastructures is being introduced in Switzerland. Operators of critical infrastructure are obliged to report cyberattacks to the Federal Office for Cybersecurity (BACS).

The Federal Council brought the necessary amendment to the Federal Act on Information Security at the Confederation (Information Security Act, ISG) of September 29, 2023 into force on April 1. The ISG stipulates that authorities and organizations subject to the reporting obligation, such as energy and drinking water suppliers, transport companies and cantonal and municipal administrations, must report cyberattacks to the BACS within 24 hours of their discovery.

A cyberattack must be reported if, among other things, it jeopardizes the functionality of the critical infrastructure concerned, has led to a manipulation or leak of information, or is associated with blackmail, threats or coercion. If the reporting obligation is not complied with, the law provides for fines.

To give those affected sufficient time to adjust to the new reporting obligation, the Federal Council has decided not to bring the legal basis for the fines into force until October 1, 2025. The reporting obligation will therefore apply for the first 6 months, but failure to report will not yet be sanctioned.

BACS reporting form on existing platform

In order to make the reporting process as simple as possible, the BACS provides a reporting form on its existing platform for the exchange of information with operators of critical infrastructure. Organizations that do not have access to the platform can alternatively submit their reports using an e-mail form, which will be available on the BACS website. If not all information can be provided within 24 hours of the initial notification, there is a period of 14 days to complete the notification.

Cybersecurity Ordinance regulates exceptions

The Federal Council also approved the Cybersecurity Ordinance (CSV) and brought it into force on April 1, 2025. The CSV contains the implementing provisions for the reporting obligation and in particular regulates the exceptions under Art. 74c of the ISG. The ordinance also contains provisions on the national cyber strategy, the tasks of the BACS and the exchange of information between the BACS and authorities and organizations.

The consultation on the CSV was conducted between May 22 and September 13, 2024 and showed broad support for strengthening cybersecurity in Switzerland. The most important concern of those affected was that the reporting obligation should be as simple as possible to fulfil and harmonized with other reporting obligations (e.g. data protection reporting obligations). This concern was taken into account. The BACS reporting form enables the necessary information to be recorded quickly and, if desired, forwarded to other authorities to which there is also a reporting obligation, such as the Swiss Financial Market Supervisory Authority or the Federal Data Protection and Information Commissioner.

Another ordinance concerns the name change in connection with the transfer of the National Cybersecurity Center (NCSC) to a federal office within the DDPS. In order to reflect this name change in the legal basis, the Federal Council has issued a corresponding ordinance with effect from April 1, 2025.

Milestone for cybersecurity in Switzerland

The introduction of the reporting obligation as the first cross-sector regulation is a milestone for cybersecurity in Switzerland. Strengthening the exchange of information is crucial in order to counter the rapid development of cyber threats with appropriate measures. The introduction of mandatory reporting of cyberattacks in Switzerland is in line with international standards. Since 2018, all EU member states have had an obligation to report cyber incidents in accordance with the NIS Directive.
