Cyber attacks, reporting obligation from 1 April 2025

Posted on: 10.03.2025


The Federal Council has formalized the entry into force of the obligation to report cyberattacks for operators of critical infrastructures as of 1 April 2025. The aim of this measure is to strengthen cybersecurity in Switzerland and to improve the coordinated response to cyberattacks.

Cyberattacks | Reporting obligation and timelines

According to the new regulation, operators of critical infrastructures are required to report any cyberattack to the Federal Office of Cybersecurity (FOCS) within 24 hours of its detection. This obligation applies to key sectors such as energy and water supply, transport and cantonal and municipal administrations.

Early reporting will enable the FOCS to support affected organisations and alert other critical infrastructure operators. A cyberattack must be reported if it:

  • threatens the operation of the critical infrastructure concerned;
  • has resulted in a data leak or manipulation;
  • is related to crimes of extortion, threat or coercion.

In the event of failure to report, the law provides for fines, which will come into force from October 1, 2025. In the first six months, although reporting attacks is mandatory, there are no penalties for any omissions.

Cyberattacks | Simplified reporting form and procedures

To make reporting easier for organisations, the FOCS has set up an online reporting form on its existing platform. Alternatively, reports can also be submitted by e-mail via a form that can be downloaded from the official FOCS website.

If within the first 24 hours it is not possible to provide all the necessary information, the report can be completed within 14 days.

The Cybersecurity Ordinance and Exceptions

At the same time, the Federal Council approved and brought into force, also from 1 April 2025, the Cybersecurity Ordinance (SCO), which regulates the enforcement aspects of the reporting obligation, including any exceptions provided for in Article 74c of the Information Security Act (ISA).

The Ordinance also lays down the procedures for coordination with other reporting obligations, e.g. in the area of data protection, allowing organisations to forward information to the competent authorities in a single procedure.

A milestone for cybersecurity in Switzerland

The introduction of the reporting obligation for cyberattacks is a crucial step for Switzerland's digital security, aligning with international standards. As early as 2018, EU member states adopted a similar obligation for cyber incidents according to the NIS directive.

Strengthening the exchange of information between critical infrastructures will be essential to address growing cyber threats and improve the resilience of the Swiss digital system.
