Switzerland’s NCSC mandates critical infrastructure organizations to report cyberattacks within 24 hours of discovery.
Switzerland’s National Cybersecurity Centre (NCSC) now requires critical infrastructure organizations to report cyberattacks within 24 hours due to rising cybersecurity threats.
The new policy related to security breach notification is introduced as a response to the increasing number of cyber incident.
“In view of the increasing threat of cyber incidents, Switzerland is introducing a reporting obligation for cyberattacks on critical infrastructure. Operators of critical infrastructure will be required to report attacks to the National Cyber Security Centre (NCSC).” reads the announcement published by the NCSC. “The Federal Council has decided that the amendment to the Information Security Act (ISA) of 29 September 2023 will enter into force on 1 April. The ISA stipulates that authorities and organisations subject to the reporting obligation, such as energy and drinking water suppliers, transport companies and cantonal and communal administrations, must report cyberattacks to the NCSC within 24 hours of discovery.”
The Swiss authorities require critical infrastructure organizations to report attacks against critical infrastructure, including data breaches, blackmail, coercion, and manipulation or leakage of information. The announcement states that organizations that will not report the incidents may result in fines.
Switzerland has approved the Cybersecurity Ordinance, effective April 1, 2025. It regulates the reporting obligation for cyber attacks on critical infrastructure, setting exceptions and procedures. The NCSC manages reporting and coordinates information exchange between authorities and organizations. The consultation showed broad support for strengthening cybersecurity, with a focus on simplifying reporting obligations and aligning them with other regulations.
A grace period runs until October 1, 2025, after which non-compliance may result in fines up to CHF 100,000 ($114,000).
Impacted organizations must report cybersecurity incidents to the NCSC within 24 hours via an online form or email, with a detailed follow-up due in 14 days.
Switzerland’s new cyber incident reporting requirement aligns with international standards, enhancing information exchange to counter evolving threats.
The list of all entity types that are impacted by this new requirement is available here.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, Switzerland’s NCSC)
