Switzerland’s NCSC Implements Mandatory Cyberattack Reporting for Critical Infrastructure
Switzerland’s National Cybersecurity Centre (NCSC) has introduced a new policy requiring critical infrastructure organizations to report cyberattacks within 24 hours. This move aims to enhance cybersecurity measures amid rising threats. Learn more about the implications and requirements of this new regulation.
TL;DR
Switzerland’s NCSC now mandates that critical infrastructure organizations report cyberattacks within 24 hours to bolster cybersecurity measures. This policy aims to address the increasing frequency of cyber incidents and ensure timely response and mitigation.
Main Content
Switzerland’s NCSC Mandates Critical Infrastructure Organizations to Report Cyberattacks Within 24 Hours
Switzerland’s National Cybersecurity Centre (NCSC) has introduced a new policy requiring critical infrastructure organizations to report cyberattacks within 24 hours of discovery. This measure is a response to the escalating number of cybersecurity threats and incidents.
Increasing Cyber Threats Prompt New Reporting Obligations
The NCSC announced that the amendment to the Information Security Act (ISA) will come into effect on April 1, 2025. This amendment stipulates that critical infrastructure operators, including energy suppliers, transport companies, and administrative bodies, must report cyberattacks to the NCSC within 24 hours.
“In view of the increasing threat of cyber incidents, Switzerland is introducing a reporting obligation for cyberattacks on critical infrastructure. Operators of critical infrastructure will be required to report attacks to the National Cyber Security Centre (NCSC).”
Types of Attacks and Penalties for Non-Compliance
Organizations are required to report various types of attacks, including data breaches, blackmail, coercion, and information manipulation or leaks. Failure to comply with the reporting obligation may result in significant fines.
Cybersecurity Ordinance and Implementation Timeline
The Cybersecurity Ordinance, effective from April 1, 2025, outlines the reporting obligations and procedures for cyberattacks on critical infrastructure. The NCSC will manage the reporting process and facilitate information exchange between authorities and organizations. A grace period until October 1, 2025, is provided, after which non-compliance may incur fines up to CHF 100,000 ($114,000).
Reporting Procedures and International Alignment
Affected organizations must report cybersecurity incidents to the NCSC within 24 hours via an online form or email, followed by a detailed report within 14 days. This new requirement aligns with international standards, enhancing information exchange to counter evolving cyber threats.
Impacted Organizations and Additional Resources
The list of entity types impacted by this new requirement is available here.
For more details, visit the full article: Read More
Additional Resources
For further insights, check: