Switzerland’s National Cybersecurity Centre (NCSC) has introduced a new rule that requires critical infrastructure organizations to report any cyberattacks within 24 hours of discovery. This mandate will go into effect on April 1, 2025, and applies to organizations that provide essential services such as utilities, transportation, and local government functions. The requirement specifically targets attacks that affect critical operations, including those that manipulate, encrypt, or exfiltrate data, as well as those that involve malware or unauthorized access to systems. The aim is to improve the country’s response time to cybersecurity threats and reduce the impact of such incidents.
The NCSC explained that the introduction of this rule was a response to the increasing number of cyberattacks targeting vital infrastructure.
By ensuring that these attacks are reported swiftly, Switzerland can take immediate action to mitigate the damage and prevent further harm. The reporting process will be handled via an online form or email, with no registration required. The first report must be submitted within 24 hours, followed by a more detailed follow-up report within 14 days. This approach will provide authorities with the necessary information to assess the threat and coordinate a response.
The new requirement covers a broad range of critical service providers, including energy and water suppliers, transport companies, and local government organizations. These entities will be held accountable for reporting cyberattacks, helping the authorities identify patterns and vulnerabilities across the country’s infrastructure. A leniency period will be in place until October 1, 2025, giving organizations time to adapt to the new rules. However, after this period, organizations that fail to comply will face penalties of up to CHF 100,000 ($114,000).
This financial incentive aims to ensure that the rule is taken seriously and that incidents are reported in a timely manner.
This new law aligns with the European Union’s NIS Directive, which sets cybersecurity standards for operators of essential services. By adopting similar regulations, Switzerland is enhancing its cybersecurity framework and contributing to a coordinated response across Europe. The NCSC views this as a milestone in strengthening the nation’s cybersecurity resilience, making it better prepared to handle cyber threats and protecting the critical infrastructure that supports everyday life. The new reporting requirement is seen as a proactive step to ensure the country remains secure in the face of growing cyber risks.
Reference:
