Cyberattacks on Swiss critical infrastructure to be reported within 24 hours

Starting April 1st, companies and organizations operating in the Swiss critical infrastructure are required to report cyberattacks to the National Cyber Security Centre (NCSC) within 24 hours of discovery.
The mandatory reporting of cyberattacks on Switzerland’s vital infrastructure is an amendment to the Information Security Act (ISA) and goes into effect on April 1st. The new law has been introduced by the Federal Council to combat the increasing threat of cybersecurity incidents.
Businesses like energy and drinking water suppliers, transport companies, and local and regional government agencies are obliged to report cybersecurity incidents within 24 hours. If for whatever reason they fail to comply, they may be fined.
The maximum amount of the fine remains unclear at this moment. Legislation for imposing fines has been postponed to October 1st to give all entities time to prepare for the reporting process.
All incidents that pose a threat to the functioning of critical infrastructure must be reported to the NCSC. The same goes for data breaches, ransomware and DDoS attacks, blackmail attempts, coercion, and other digital threats.
“These reports will enable the NCSC to assist victims of cyberattacks and alert operators of critical infrastructure,” the NCSC’s statement reads.
The reporting process will take place via the NCSC’s Cyber Security Hub, which is available on the NCSC website. After submitting the initial report, companies and organizations have 14 days to complete their report.
The National Cyber Security Centre calls the mandatory reporting a “milestone for cybersecurity in Switzerland”.
“Improving the exchange of information is crucial in order to be able to respond to rapidly evolving cyberthreats with appropriate measures,” the NCSC says.
The introduction of mandatory reporting of cybersecurity incidents is in line with international standards, including the Network and Information Security (NIS) Directive.
This directive, which was introduced in 2018, aims to increase the digital resilience of companies and organizations that operate in Europe’s critical infrastructure. Its secondary objective is to harmonize the security of network and information systems across the European Union.