Full Report
Switzerland's National Cybersecurity Centre (NCSC) has announced a new reporting obligation for critical infrastructure organizations in the country, requiring them to report cyberattacks to the agency within 24 hours of their discovery. [...]
Analysis Summary
# Regulation/Compliance: Swiss 24-Hour Cyberattack Reporting Mandate
## Overview
This mandate introduces a strict, time-bound requirement for critical sector organizations in Switzerland to report confirmed cyberattacks to the National Cybersecurity Centre (NCSC) within 24 hours of discovery. The amendment aims to significantly enhance national cybersecurity resilience.
## Key Details
- Issuing Authority: Swiss Federal Council (via amendment to the Information Security Act - ISA)
- Effective Date: April 1, 2025 (Initial enforcement begins)
- Jurisdiction: Switzerland
- Status: Final (Amendment to the ISA of September 29, 2023)
## Requirements
### Mandatory Requirements
1. **Reporting Window:** Report all qualifying cyberattacks to the NCSC within **24 hours** of the incident's discovery.
2. **Reporting Mechanism:** Submissions must be made via an online form on the NCSC website or via email. No prior registration is required for reporting.
3. **Follow-up Reporting:** Organizations must submit a follow-up report containing additional details within **14 days** of the initial notification.
4. **Scope Definition:** Organizations must report incidents that compromise the operation of critical infrastructure, including:
   * Manipulation, encryption, or exfiltration of data.
   * Extortion, threats, and coercion leveraged against the organization.
   * Installation of malware on systems.
   * Unauthorized access to systems.
### Recommended Practices
1. Establish clear internal procedures and playbooks defining the discovery threshold and triage process necessary to meet the 24-hour reporting deadline.
2. Ensure secure, tested communication channels (online form/email) are readily available 24/7 for incident reporting.
3. Proactively review the full list of entity types published by the government to confirm applicability.
## Affected Organizations
- Industries: Critical service providers, including utilities (energy, drinking water suppliers), transport companies, and cantonal and communal administrations.
- Organization Size: Not explicitly defined by size, but tied to sector criticality.
- Geographic Scope: Switzerland.
## Compliance Timeline
- **April 1, 2025:** Amendment to the Information Security Act (ISA) officially enters into force, establishing the reporting requirement.
- **Until October 1, 2025:** Leniency period granted for full compliance implementation.
- **October 1, 2025:** End of the leniency period; fines become enforceable for non-compliance.
- **Ongoing:** Initial report required within 24 hours of discovery; follow-up report within 14 days thereafter.
## Implementation Guidance
### Assessment Phase
- Review the official final entity list to determine if the organization falls under the scope of "critical service providers."
- Assess the organization’s current incident response plan to establish a clear process for incident identification, decision-making authority for reporting, and deadline tracking.
### Implementation Phase
- Develop and document the standardized NCSC incident reporting templates/protocols to facilitate the 24-hour notification.
- Train relevant security, IT management, and legal staff on the new reporting deadlines and methods.
### Validation Phase
- Conduct tabletop exercises simulating a major cyber incident to test the efficiency and speed of the 24-hour notification process.
- Verify technical access to the required NCSC reporting portals/email addresses.
## Technical Requirements
The primary requirement concerns **timeliness and data submission** rather than prescriptive technical controls. However, organizations must have robust systems that can:
1. Detect and confirm incidents rapidly.
2. Securely capture necessary data points for initial reporting (details of the attack type, scope, and impact) within the tight deadline.
## Penalties & Enforcement
- Fines: Up to **CHF 100,000 ($114,000)** for failure to comply after the leniency period ends on October 1, 2025.
- Other Consequences: Potential legal liabilities associated with failing to meet statutory obligations for critical infrastructure protection.
- Enforcement: Enforcement actions will be carried out by the relevant Swiss authorities (likely the NCSC or affiliated bodies) based on the ISA.
## Related Standards
- **NIS Directive (EU):** The Swiss requirement is noted as being in accordance with this EU legislation, suggesting alignment in spirit regarding essential service protection.
- **Information Security Act (ISA):** The national legislation under which this mandate is introduced.
## Resources
- Official Documentation: Information available via the NCSC website announcements (search for "meldepflicht 2025").
- Guidance Documents: Details regarding exceptions are outlined in Art. 74c of the ISG (the German abbreviation for the ISA), available via the provided document links.
## Practical Recommendations
1. **Map Criticality:** Immediately map current incident response workflows against the 24-hour window, focusing on the time elapsed between "discovery" and "submission."
2. **Prepare Templates:** Draft internal checklist templates mirroring the anticipated initial data requirements for the NCSC report to reduce reporting friction.
3. **Monitor Guidance:** Closely track official NCSC guidance released before April 2025, particularly concerning the specific data fields required for the initial 24-hour report.