Switzerland’s NCSC Implements Mandatory Cyberattack Reporting for Critical Infrastructure

Switzerland’s National Cybersecurity Centre (NCSC) has introduced a new policy requiring critical infrastructure organizations to report cyberattacks within 24 hours. This move aims to enhance cybersecurity measures amid rising threats. Learn more about the implications and requirements of this new regulation.

TL;DR

Switzerland’s NCSC now mandates that critical infrastructure organizations report cyberattacks within 24 hours to bolster cybersecurity measures. This policy aims to address the increasing frequency of cyber incidents and ensure timely response and mitigation.

Main Content

Switzerland’s NCSC Mandates Critical Infrastructure Organizations to Report Cyberattacks Within 24 Hours

Switzerland’s National Cybersecurity Centre (NCSC) has introduced a new policy requiring critical infrastructure organizations to report cyberattacks within 24 hours of discovery. This measure is a response to the escalating number of cybersecurity threats and incidents.

Increasing Cyber Threats Prompt New Reporting Obligations

The NCSC announced that the amendment to the Information Security Act (ISA) will come into effect on April 1, 2025. This amendment stipulates that critical infrastructure operators, including energy suppliers, transport companies, and administrative bodies, must report cyberattacks to the NCSC within 24 hours.

“In view of the increasing threat of cyber incidents, Switzerland is introducing a reporting obligation for cyberattacks on critical infrastructure. Operators of critical infrastructure will be required to report attacks to the National Cyber Security Centre (NCSC).”

NCSC Announcement

Types of Attacks and Penalties for Non-Compliance

Organizations are required to report various types of attacks, including data breaches, blackmail, coercion, and information manipulation or leaks. Failure to comply with the reporting obligation may result in significant fines.

Cybersecurity Ordinance and Implementation Timeline

The Cybersecurity Ordinance, effective from April 1, 2025, outlines the reporting obligations and procedures for cyberattacks on critical infrastructure. The NCSC will manage the reporting process and facilitate information exchange between authorities and organizations. A grace period until October 1, 2025, is provided, after which non-compliance may incur fines up to CHF 100,000 ($114,000).

Reporting Procedures and International Alignment

Affected organizations must report cybersecurity incidents to the NCSC within 24 hours via an online form or email, followed by a detailed report within 14 days. This new requirement aligns with international standards, enhancing information exchange to counter evolving cyber threats.

Impacted Organizations and Additional Resources

The list of entity types impacted by this new requirement is available here.

This post is licensed under CC BY 4.0 by the author.