October 1, 2025: Mandatory reporting of cyberattacks – tighter rules begin in Switzerland

As of October 1, 2025, the sanctioning regime under the Information Security Act (ISecA) will come into force in Switzerland for the obligation to report cyberattacks on critical infrastructure.


The reporting obligation has already been in effect since April 1, 2025.


From October 1, 2025, however, sanctions will apply: failure to report incidents in cases provided by law may result in fines.


The Federal Cybersecurity Office (FCSO) can intervene if an authority or an organization fails to submit a required report, and it may impose deadlines and fines. If the obligation continues to be disregarded, penalties of up to CHF 100,000 may be imposed.


If the violation occurs within a company, the rules of administrative criminal law apply (Art. 6 DPA). If the fine is below CHF 20,000 and identifying the individual offenders would be too complex, the authority may fine the company directly. In cases of non-compliance with FCSO decisions, it is the Cantons that handle the proceedings and impose sanctions.

Quick recap:


The ISecA requires that authorities and organizations subject to the reporting obligation (Art. 74b Authorities and organizations subject to reporting) notify the Federal Cybersecurity Office (FCSO) of cyberattacks within 24 hours of detecting the attack.
If not all of the relevant information is available at the time of reporting, the authority or organization must complete the notification as soon as new details are obtained.

A cyberattack must be reported (Art. 74d Reportable cyberattacks) if:
a. it compromises the functioning of the affected critical infrastructure;
b. it has resulted in manipulation or leakage of information;
c. it has gone undetected for a prolonged period, particularly if there are indications it may have been carried out to prepare further cyberattacks; or
d. it is connected with extortion, threats, or coercion.
