New mandatory notification of cyberattacks: what changes from April 1, 2025?


Who is subject to the reporting obligation?

The obligation applies to a wide range of entities listed in Article 74b of the Information Security Act (ISA), including:

  • Banks, insurance companies, and financial market infrastructures
  • Social security institutions and pension funds
  • Federal, cantonal, and municipal authorities
  • Universities and higher education institutions
  • Organizations responsible for key sectors (Art. 74b, letter c, ISA)
  • Companies operating in telecommunications, transportation, civil aviation, and trade in essential goods. This category also includes companies authorized under the Therapeutic Products Act of December 15, 2000, to manufacture, market, and import medicinal products (Art. 74b, letter h, ISA).
  • Cloud service providers, search engines, and manufacturers of critical hardware/software.


When and how to report a cyberattack?

A report is mandatory for cyberattacks that:

  • Endanger the operation of critical infrastructure, causing service disruptions or triggering emergency plans (Art. 74e para. 1 ISA).
  • Lead to data leaks, manipulation, or deletion of sensitive information, jeopardizing privacy and data security.
  • Remain undetected for more than 90 days.
  • Are accompanied by threats or ransom demands.

Affected organizations must report the attack to the Federal Office for Cybersecurity (FOC) within 24 hours of detection, using a dedicated online form (Art. 74e para. 1 ISA). Any details missing from the initial report can be supplemented within 14 days (Art. 74e para. 3 ISA, Art. 16 CSO). Because the 24-hour window runs from the moment of detection, organizations need an internal escalation path that gets an incident from the first responder to the person who files the report without delay. Timely reporting enables rapid and effective intervention, minimizes damage, and helps prevent the attack from spreading to other infrastructures.


What are the consequences of reporting?


The Federal Office for Cybersecurity (FOC) will analyze the reports received and provide technical and organizational support to mitigate the impact of cyberattacks (Art. 74 para. 3 ISA).

Additionally, the reported information may be shared with other relevant authorities, such as:

  • FINMA (Swiss Financial Market Supervisory Authority)
  • The Federal Data Protection and Information Commissioner (FDPIC)
  • Other regulatory bodies, depending on the nature and implications of the attack.

The main goal of this reporting requirement is not only to ensure transparency in the management of cyber incidents, but also to build a collective defense, allowing organizations to benefit from timely threat intelligence and proven protection strategies.


What happens if an organization fails to report?

If an organization does not comply with the reporting obligation, the FOC will first set a deadline for fulfilling it (Art. 74g para. 1 ISA).

If non-compliance persists, a formal decision may be issued, with potential fines of up to CHF 100,000 for the responsible individual (Art. 74h para. 1 and 2 ISA).

The legal basis for sanctions will come into effect on October 1, 2025, allowing a six-month transition period during which no fines will be applied. This period is intended to give organizations time to adapt to the new regulations and to implement the procedures needed for compliance.


How to prepare for the new obligation?

To avoid penalties and ensure system security, organizations should prepare in advance by taking the following steps:

  • Update internal cybersecurity procedures to ensure that attacks are identified quickly and handled consistently.
  • Train staff to recognize potential threats and risks and to follow the correct reporting procedures.
  • Collaborate with cybersecurity experts to strengthen IT infrastructure security and implement advanced monitoring tools.
  • Test emergency plans to guarantee an effective response in case of an attack.
  • Establish direct contact with the FOC to facilitate the reporting process and to receive support when needed.


The introduction of mandatory reporting of cyberattacks is a crucial step in strengthening Switzerland's digital security. Centralized management of incident reports will improve both prevention of and response to cyber threats, protecting critical infrastructure and the national economy.

Organizations subject to this obligation are encouraged to prepare in advance, rather than waiting until the October 1, 2025 deadline. By adopting appropriate procedures and tools, they can ensure compliance with the new regulations and contribute to a safer and more resilient digital ecosystem.

Cybersecurity is not just a technical issue, but a collective responsibility involving institutions, businesses, and citizens. Collaboration and information sharing will be key to successfully addressing cybersecurity challenges in the coming years.

For further insights on implementing these measures within your organization, our team of consultants is available to support you.
