Full Report
Starting April 2025, Swiss critical infrastructure organizations will have to report cyber-attacks to the country’s authorities within 24 hours of discovery
Analysis Summary
# Regulation/Compliance: Swiss Critical Infrastructure Cyber Reporting Mandate
## Overview
This regulation introduces a mandatory requirement for operators of critical infrastructure within Switzerland to report cyber-attacks to the National Cyber Security Centre (NCSC). This reporting is mandated when an attack threatens the infrastructure's functioning, involves information manipulation or leakage, or includes blackmail, threats, or coercion.
## Key Details
- Issuing Authority: Federal Council (Swiss Government)
- Effective Date: April 1, 2025
- Jurisdiction: Switzerland
- Status: Final (Introduced via amendment to the Information Security Act (ISA) of September 29, 2023)
## Requirements
### Mandatory Requirements
1. **Reporting Obligation:** Critical infrastructure entities must report cyber-attacks meeting specified criteria.
2. **Reporting Timeline (Initial):** Initial reports must be submitted to the NCSC within **24 hours** of discovering the incident.
3. **Reporting Timeline (Follow-up):** Organizations must complete their full report within **14 days** of submitting the initial 24-hour notification.
4. **Reporting Channels:** Reports must be submitted via a dedicated reporting form on the NCSC's Cyber Security Hub (for registered entities) or via email using a form available on the NCSC website (for non-registered entities).
### Recommended Practices
1. Registering with the NCSC Cyber Security Hub, as this is the primary information exchange portal.
2. Preparing the necessary materials and processes to complete the detailed report within the 14-day follow-up window.
## Affected Organizations
- Industries: Critical infrastructure operators, specifically including energy suppliers, drinking water suppliers, transport companies, and relevant cantonal and communal administrations.
- Organization Size: Not specified; compliance is based on sector classification (critical infrastructure).
- Geographic Scope: Switzerland.
## Compliance Timeline
- **April 1, 2025:** The cyber reporting mandate enters into force, and compliance obligations become legally effective.
- **October 1, 2025:** End of the grace period. Organizations must be fully prepared to comply without the initial grace period buffer.
- **Ongoing:** Mandatory reporting within 24 hours of discovery for applicable incidents.
## Implementation Guidance
### Assessment Phase
- Identify if the organization falls under the definition of a critical infrastructure entity as governed by the amended Information Security Act (ISA).
- Review existing incident detection and analysis procedures to ensure timely discovery thresholds can meet the 24-hour reporting requirement.
### Implementation Phase
- Establish communication channels and procedures to interface with the NCSC for reporting.
- Develop organizational processes to gather necessary data for the initial 24-hour report and the subsequent 14-day detailed report.
### Validation Phase
- Conduct internal readiness exercises simulating a major cyber-attack to test the 24-hour notification timeline adherence.
- Verify procedures for accessing and using the NCSC Cyber Security Hub or the designated email reporting mechanism.
## Technical Requirements
The article does not specify technical controls but implies that organizations must have sufficient monitoring and detection capabilities to discover an attack promptly to meet the 24-hour reporting deadline.
## Penalties & Enforcement
- Fines: Fines may be imposed for failure to report a qualifying cyber-attack. The exact monetary amount of these fines has **not yet been specified** by the authorities.
- Other Consequences: Potential legal sanctions resulting from non-compliance with the amended Information Security Act (ISA).
- Enforcement: Enforcement will be carried out by Swiss federal authorities responsible for the cybersecurity oversight of critical infrastructure.
## Related Standards
- Information Security Act (ISA) of September 29, 2023 (as amended).
- The structure suggests alignment with international best practices for Critical Information Infrastructure (CII) reporting, similar to the **EU's NIS2 Directive** (mentioned in the context), Japan, the UK, and the US requirements.
## Resources
- Official Documentation: The basis is the amendment to the Information Security Act (ISA) of 29 September 2023.
- Guidance Documents: Specific reporting forms and details are available on the **NCSC Cyber Security Hub**.
- Tools: The NCSC Reporting Form (accessible via the NCSC website).
## Practical Recommendations
1. **Immediate Action:** Critical infrastructure operators should immediately review their incident response plans to ensure a report can be drafted and submitted to the NCSC within 24 hours of detection, effective April 1, 2025.
2. **System Setup:** Ensure staff know how to access the NCSC's reporting mechanisms (Hub or email form) ahead of the mandate start date.
3. **Preparation Window:** Utilize the grace period ending October 1, 2025, to fully integrate the NCSC reporting workflow into standard operations.