Switzerland Introduces Mandatory Cyber-Attack Reporting for Critical Infrastructure
Switzerland is set to introduce a new cyber news mandate. From April 1, 2025, operators of critical infrastructure will be legally required to report cyber-attacks within 24 hours of discovery. A grace period until October 1, 2025, is provided for preparation. Non-compliance could result in fines.
The Federal Council will implement the news on March 7, 2023. It covers entities like energy and water suppliers, transport companies, and public administrations. Attacks threatening critical infrastructure, manipulating or leaking information, or involving blackmail must be reported.
The Swiss Federal Office for Cybersecurity (BACS) will oversee compliance. From October 1, 2025, it can impose fines of up to 100,000 Swiss francs for non-compliance. Similar news requirements exist in several other countries, including Australia, the EU, Japan, Singapore, South Korea, the UK, and the US.
The new cyber news mandate aims to enhance Switzerland's cybersecurity resilience. Critical infrastructure operators must now prepare for the new obligation, which comes into force in April 2025. Failure to report cyber-attacks may result in significant fines after the grace period ends in October 2025.
