Starting April 1, 2025, Switzerland will enforce mandatory reporting of cyberattacks on critical infrastructure. The regulation, based on the amended Information Security Act (ISA), requires operators in sectors such as energy, water supply, transportation, and public administration to notify the National Cyber Security Centre (NCSC) within 24 hours of detecting an attack. The obligation applies to incidents that threaten infrastructure functionality, result in data manipulation or leaks, or involve extortion.
Failure to report will initially not be sanctioned, but from October 1, 2025, non-compliance will be punishable by fines. Reports can be submitted via the NCSC’s Cyber Security Hub or through email using a designated form. A new Cybersecurity Ordinance will define exemptions and facilitate coordination with other regulatory bodies such as FINMA and the Federal Data Protection and Information Commissioner.
Expert Analysis:
Switzerland’s delayed but necessary move toward mandatory cyber incident reporting finally aligns it with international standards, particularly the EU’s NIS Directive. However, a six-month grace period before enforcing penalties raises concerns about compliance gaps in the early months. The reliance on voluntary adherence until October is a gamble—one that assumes businesses will act responsibly without immediate legal consequences.
While the initiative improves transparency and incident response, its true effectiveness will depend on whether organizations see this as bureaucratic red tape or a genuine security measure. Given the rising volume of cyber threats, operators who fail to report incidents on time might not need to worry about fines—they’ll have bigger problems to deal with.