The New Reporting Obligation for Cyberattacks in Switzerland: Everything You Need To Know
Since January 1, 2025, a reporting obligation for cyberattacks on critical infrastructure has been in force in Switzerland, regulated by the Information Security Act (ISA; cited below by its German abbreviation ISG) and the Cyber Security Ordinance (CSO). This obligation aims to increase national resilience to cyber threats, recognize attack patterns early, and promote information exchange (Art. 73a ISG).
What does the new reporting obligation cover?
The reporting obligation applies to organizations that ensure essential societal functions. The sectors affected include critical infrastructure operators such as energy, healthcare, finance, telecommunications, and transportation (Art. 74b ISG). Providers of cloud services, search engines, and security-critical hardware and software are also covered by the regulation if attacks could significantly impair their ability to function (Art. 74d ISG).
Formal requirements and deadlines
The legal requirements for the notification include:
- Notification content: information on the type of attack, its effects, and the measures taken (Art. 74e para. 2 ISG).
- Deadline: the report must be made within 24 hours of the discovery of the attack, with the possibility of supplementing it later (Art. 74e para. 3 ISG).
- System: the National Cyber Security Centre (NCSC) provides a secure reporting system (Art. 74f ISG).
Why is this reporting obligation important?
Increasing digitalization enlarges the attack surface for cyber threats. The objectives of the new regulations are transparency, prevention, and resilience. Similar to the EU's NIS2 Directive, which sets out comparable reporting obligations for operators of essential services and digital service providers (Art. 23 NIS2), the Swiss regulation aims to strengthen threat management and promote cooperation at the national and European levels. However, NIS2 affects a broader range of companies and sectors and in some cases provides for stricter sanctions; it can also indirectly affect Swiss companies with an EU connection and should therefore be examined by the companies concerned.
Consequences of non-compliance
Companies that do not comply with their reporting obligation risk fines of up to CHF 100,000 (Art. 74h ISG) and can be excluded from public tenders in the event of repeated violations. These sanctions mirror the strict requirements of the NIS2 Directive, which provides for similar penalties for non-compliance in the EU.
How can companies prepare?
- Analyze the security situation: identify vulnerabilities and assess your systems.
- Use modern technologies: solutions such as ExeonTrace help to detect threats effectively and facilitate compliant reporting.
- Employee training: teams should know the new requirements and prepare for them.
- Collaboration with the NCSC: use the tools and information provided to optimize your processes.
Exceptions
In the Cyber Security Ordinance, the Federal Council has defined numerous exemptions from the obligation to report cyberattacks on critical infrastructure, including for smaller companies, authorities serving a small population, and organizations below sector-specific thresholds. In addition, a National Cyber Strategy Steering Committee (StA NCS) is set up to review the cyber strategy every five years, evaluate its implementation, and submit proposals to the Federal Council.
Exeon Analytics: Your Swiss Network Detection and Response solution
Exeon Analytics supports companies in efficiently fulfilling the new reporting obligations and strengthening their cyber security. Our AI-powered NDR platform ExeonTrace offers:
- Real-time threat detection: intelligent analytics identify anomalies at an early stage.
- Automated reporting: accurate reporting facilitates compliance with regulatory requirements.
- Complete network visibility: monitoring of even encrypted traffic without additional hardware.
- Security compliance: all incidents are comprehensively documented to comply with regulations.
- Swiss quality: as a Swiss company, we understand the local requirements.
Conclusion
The new reporting obligation is a significant step towards strengthening cyber security in Switzerland. It presents companies with new challenges but also offers the opportunity to improve their resilience.
With Exeon Analytics at your side, you can not only meet the legal requirements but also optimize your overall cyber defense strategy. Contact us to future-proof your security measures.
To learn more, watch how ExeonTrace supports your cyber security strategy in our guided video tour, a full threat detection overview.
Author: Gregor Erismann, Co-CEO (gregor.erismann@exeon.com)
Published on: 16.01.2025