2 min read

Mandatory reporting of cyberattacks on critical infrastructures

Picture of Géraldine Wymann Géraldine Wymann : Apr 8, 2025 5:19:08 PM

cybersecurity

Mandatory reporting of cyberattacks on critical infrastructures

a measure to strengthen cybersecurity in Switzerland

Starting in April 2025, operators of critical infrastructures and IT service providers must report cyberattacks within 24 hours.

On March 7, 2025, the Federal Council approved the new reporting obligation for cyberattacks on operators of critical infrastructures. Starting from April 1, 2025, affected companies and IT service providers must report cyberattacks to the National Cyber Security Centre (NCSC) within 24 hours. Notably, cyber incidents that are discovered after a long period—more than 90 days—are also subject to this reporting obligation.

The aim of this measure is to enhance resilience against cyber threats and strengthen collaboration between affected organizations. Learn more about what this means here.

In short:

Who is affected?

Operators of critical infrastructures (e.g., energy, healthcare, banking)
IT service providers (data centers, cloud providers, security services)
Manufacturers with remote maintenance access
Companies providing security services for critical infrastructures

What must be reported?

Attacks that threaten operations
Manipulation or loss of sensitive data
Undetected cyberattacks (over 90 days)
Attacks involving extortion, threats, or coercion

Here's how the reporting works

The report must be submitted to the NCSC within 24 hours.
Use the online reporting form or email form.
Complete any missing information within 14 days.

What happens in case of non-compliance?

Transition period until October 2025: no sanctions.
From October 2025: fines of up to CHF 100'000 may apply.

Your actions to take:

Check if your company is affected.
Adapt processes to comply with the 24-hour reporting obligation.
Raise awareness among your IT service providers and employees.
Improve early detection of attacks.
Seek advice from the NCSC if in doubt.

Reporting procedure: How to report to the NCSC

For submitting reports, the NCSC provides a specially designed form on its existing platform. If access to this platform is not possible, a report can alternatively be submitted via an email form available on the NCSC website. If not all required information is included in the initial report, the NCSC grants an additional 14-day period to complete the report.

Transitional regulation: Deadline for implementation

While the reporting obligation applies from April 1, 2025, the Federal Council has decided to enforce the sanction provisions only from October 1, 2025. During the first six months after implementation, failure to report cyberattacks will not be penalized. This gives companies and organizations the necessary time to adjust their internal processes to meet the new requirements.

Legal framework: ISA and Cybersecurity Ordinance regulate the new requirements

The new regulation is based on the revised Federal Act on Information Security in the Confederation (ISA) and the new Cybersecurity Ordinance. This ordinance clarifies, among other things, the exceptions to the reporting obligation and defines the tasks of the NCSC, as well as the framework for information exchange with other authorities. At the same time, the new reporting procedure harmonizes the requirements with existing obligations, such as those in data protection law.

A milestone for cybersecurity in Switzerland

With the introduction of this first cross-sector reporting obligation for cyberattacks, Switzerland sets an important milestone in building a resilient digital infrastructure and aligns itself with international standards such as the EU-wide NIS Directive.

BNC: Your Partner for Cybersecurity

BNC helps businesses and organizations efficiently implement the new requirements and further strengthen their cybersecurity strategy. Here’s more about our consulting services.