Mandatory Reporting of Cyberattacks on Critical Infrastructure

As of April 1, 2025, operators of critical infrastructure are required to report cyberattacks to BACS within 24 hours of detection. This obligation is based on the Information Security Act (ISG), which defines when an incident must be reported, as well as the necessary details and scope of the report. The reporting requirement takes effect immediately, and starting in October, non-compliance could result in fines of up to CHF 100,000.
Only incidents that meet the following criteria must be reported:
➡️ Threaten the functionality of critical infrastructure
➡️ Involve extortion, threats, or coercion
➡️ Result in data manipulation or leaks
➡️ Remain undetected for an extended period, particularly if there are signs that the attack was part of a larger cyber threat campaign
To streamline the reporting process, BACS has made a reporting form available on its existing platform, the Cyber Security Hub (CSH). If all necessary information cannot be provided within the initial 24-hour timeframe, additional details can be submitted or updated within 14 days.
The reporting form allows for quick and efficient submission of essential information. Additionally, reports can be forwarded to other relevant authorities that also require notification, such as FINMA or the Swiss Federal Data Protection and Information Commissioner (FDPIC).
BACS strongly encourages organizations that do not yet have a CSH login to register as soon as possible. By taking care of the administrative setup in advance, companies can ensure a swift reporting process should a cyberattack occur.
Further details are available in an online event recorded on March 20, 2025, which can be accessed on YouTube.
References:
ISG: https://www.fedlex.admin.ch/eli/fga/2023/85/de
CSH: https://security-hub.ncsc.admin.ch/
How to: https://www.ncsc.admin.ch/ncsc/de/home/meldepflicht/meldepflicht-vorgehen.html