On March 7, 2025, the Federal Council approved the new reporting obligation for cyberattacks on operators of critical infrastructures. Starting from April 1, 2025, affected companies and IT service providers must report cyberattacks to the National Cyber Security Centre (NCSC) within 24 hours. Notably, cyber incidents that are discovered after a long period—more than 90 days—are also subject to this reporting obligation.
The aim of this measure is to enhance resilience against cyber threats and strengthen collaboration between affected organizations. Learn more about what this means here.
For submitting reports, the NCSC provides a specially designed form on its existing platform. If access to this platform is not possible, a report can alternatively be submitted via an email form available on the NCSC website. If not all required information is included in the initial report, the NCSC grants an additional 14-day period to complete the report.
While the reporting obligation applies from April 1, 2025, the Federal Council has decided to enforce the sanction provisions only from October 1, 2025. During the first six months after implementation, failure to report cyberattacks will not be penalized. This gives companies and organizations the necessary time to adjust their internal processes to meet the new requirements.
The new regulation is based on the revised Federal Act on Information Security in the Confederation (ISA) and the new Cybersecurity Ordinance. This ordinance clarifies, among other things, the exceptions to the reporting obligation and defines the tasks of the NCSC, as well as the framework for information exchange with other authorities. At the same time, the new reporting procedure harmonizes the requirements with existing obligations, such as those in data protection law.
With the introduction of this first cross-sector reporting obligation for cyberattacks, Switzerland sets an important milestone in building a resilient digital infrastructure and aligns itself with international standards such as the EU-wide NIS Directive.
BNC helps businesses and organizations efficiently implement the new requirements and further strengthen their cybersecurity strategy. Here’s more about our consulting services.