Obligation to report cyberattacks from April 2025

From 1 April 2025: mandatory reporting of cyberattacks on critical infrastructure in Switzerland

From 1 April 2025, operators of critical infrastructure will be obliged to report cyberattacks to the Federal Office for Cybersecurity (Bundesamt für Cybersicherheit, BACS) within 24 hours. This new regulation is based on the Cybersecurity Regulation and aims to strengthen Switzerland’s resilience to cyber threats.

Obligations for authorities and organisations

In response to the increasing threat of cyber incidents and to better assess the cybersecurity situation, the Federal Council introduced the reporting requirement on 1 April 2025. Affected organisations must report a cyberattack to the BACS within 24 hours of detection. The aim is to strengthen national cybersecurity, support affected organisations in dealing with the attack and warn other institutions at an early stage. The reporting requirement applies to authorities and organisations as defined in Art. 74b para. 1 ISG – including, for example, energy or drinking water suppliers, transport companies, cantonal and municipal administrations, and companies involved in the production and distribution of medicines. Organisations that meet the requirements of Art. 12 CSV are exempt.

What incidents must be reported?

An incident must be reported if it jeopardises the functionality of a critical infrastructure. This includes, among other things, the theft or manipulation of sensitive data – regardless of whether this occurred recently or remained undetected for an extended period. Attempts at extortion, threats or coercion in connection with cyberattacks must also be reported.

Examples of reportable incidents:

  • Installation of malware on the system
  • Use of encryption trojans
  • Attacks on the availability of IT systems
  • Unauthorised access by exploiting vulnerabilities
  • Compromising digital identities with system access

Procedure in the event of a cyberattack: How to report a cyberattack

The BACS provides a platform for the exchange of information. Alternatively, the report can be sent by e-mail. An initial report must be submitted within 24 hours of the discovery of a cyberattack. Information missing from the initial report can be supplied within 14 days.

No penalties will be imposed until 1 October 2025. After that, fines of up to CHF 100,000 can be imposed in accordance with Art. 74h para. 1 ISG.

After receiving the report, the BACS analyses the information, offers support if needed and forwards data to other agencies if requested. The aim is to obtain a comprehensive assessment of the situation in order to detect similar attacks at an early stage and to warn other organisations.

Crisis management for affected organisations

While reporting to BACS, affected organisations continue their emergency response. This includes:

  • Isolating and containing the attack
  • Preserving evidence
  • Informing employees, customers, suppliers and relevant authorities
  • Quickly restoring affected systems to maintain operations

Organisations that have been informed by BACS of an increased threat must take additional protective measures, such as intensified monitoring of system and user activities, as well as disabling unnecessary access or connections.

Risk-based preparation is the key to success

Organisations are required to prepare for the worst-case scenario at an early stage – to avoid financial, operational or reputational damage and to meet legal requirements.

Proven methods for increasing cyber resilience include:

  • Risk-based assessment of the current state of technical and organisational processes
  • Deriving targeted security measures
  • Implementation of basic protection according to CIS Controls IG1
  • Further development of existing measures based on IG2, IG3 or industry-specific standards

The focus is on emergency planning, employee awareness, crisis communication and incident response management. Attacks must be detected early and responded to quickly and effectively based on an emergency plan and defined playbooks. Communication with authorities, partners and stakeholders must be possible even if the infrastructure has been compromised. In addition, some of the risk can be transferred to cyber insurance companies by taking appropriate measures.

Further reporting requirements

Organisations that do not fall directly under the new regulation can voluntarily submit a report to the BACS. In addition, regulated industries have their own requirements – for example, according to FINMA circulars, DORA, NIS2 or the revised Data Protection Act (revDSG) and the DSGVO.

Are you affected by the new reporting requirement – and are you really prepared for an emergency?

We can help you detect and manage cyberattacks, develop effective emergency plans and crisis communication.

Contact us now – together we can strengthen your cyber resilience.
