Switzerland’s National Cybersecurity Centre (NCSC) has announced a new reporting obligation for critical infrastructure organizations in the country, requiring them to report cyberattacks to the agency within 24 hours of their discovery.
According to the NCSC announcement, this new requirement is introduced as a response to the increasing number of cybersecurity incidents and their impact on the country.
Examples of cyberattacks that will have to be reported include:
- Cyberattacks that jeopardize the operation of critical infrastructure
- Manipulation, encryption, or exfiltration of data
- Extortion, threats, and coercion
- Malware installed on systems
- Unauthorized access to systems
The mandate is introduced via an amendment to the Information Security Act (ISA), which will go into effect on April 1, 2025. The law applies to critical service providers such as utilities, local government, and transportation organizations.
“The Federal Council has decided that the amendment to the Information Security Act (ISA) of 29 September 2023 will enter into force on 1 April,” reads the announcement.
“The ISA stipulates that authorities and organisations subject to the reporting obligation, such as energy and drinking water suppliers, transport companies and cantonal and communal administrations, must report cyberattacks to the NCSC within 24 hours of discovery.”
The complete list of all entity types that are impacted by this new requirement is published here.
A leniency period will be given until October 1, 2025, but failure to comply after that date will result in fines of up to CHF 100,000 ($114,000).
Organizations impacted by a cybersecurity incident will have to report it via an online form on the NCSC site or via email, with no registration required.
The first report must be submitted within 24 hours of the incident’s discovery, and a follow-up report with additional details will be expected in the next 14 days.
There are provisions for particular exceptions under Art. 74c of the ISG, with more details available here.
Switzerland calls this new requirement a milestone for cybersecurity in the country, noting that it is in accordance with the NIS Directive, EU-wide cybersecurity legislation that applies to operators of essential services and digital service providers.