New Cybersecurity Regulations for Essential Services
Switzerland is set to implement a mandatory new cybersecurity regulations for operators of critical infrastructure. This requirement was officially announced by the Federal Council on March 7 and will be incorporated into an amendment to the Information Security Act (ISA) of September 29, 2023. The legislation is scheduled to take effect on April 1, 2025.
Under the new regulations, key sectors such as energy and drinking water suppliers, transportation networks, and local government administrations will be required to notify the National Cyber Security Centre (NCSC) of any cyber-attacks within 24 hours of detection. The obligation to report applies when an attack poses a risk to the operation of essential services, results in unauthorized data access or manipulation, or involves coercion or extortion. This initiative aims to strengthen national cybersecurity and ensure a coordinated response to cyber threats.
Penalties for Non-Compliance and Reporting Procedures New Cybersecurity Regulations
To facilitate compliance, a dedicated reporting system will be available through the NCSC’s Cyber Security Hub. Organizations registered on the platform can submit reports through this portal, while those without accounts can use an email-based reporting form available on the NCSC website. Following an initial notification within 24 hours of discovering an incident, entities will be given 14 days to provide a comprehensive report detailing the nature and impact of the attack.
Failure to adhere to these reporting requirements may result in financial penalties. While specific fine amounts have yet to be disclosed, the government emphasizes the importance of timely and transparent communication to mitigate risks and enhance national security. To allow businesses and agencies sufficient time to adjust, a grace period will be in effect until October 1, 2025.
Switzerland Aligns with Global Cybersecurity Practices
Switzerland’s introduction of mandatory cyber-attack reporting aligns with international standards, as several nations have already implemented similar new cybersecurity regulations. Countries including Australia, the European Union member states, Japan, Singapore, South Korea, the United Kingdom, and the United States have established reporting mandates for critical infrastructure operators. These measures reflect a growing global recognition of cybersecurity as a fundamental aspect of national security and public safety.
By adopting this policy, Switzerland aims to enhance its cyber resilience, improve its ability to respond to security incidents, and foster collaboration between government authorities and private-sector operators. The NCSC will play a central role in gathering intelligence on cyber threats and providing support to organizations facing digital risks. As cyber-attacks continue to pose significant challenges worldwide, Switzerland’s proactive stance underscores the need for coordinated efforts to safeguard critical infrastructure and ensure the stability of essential services.