(19.03.2025) As of April 1, 2025, operators of critical infrastructure will be required to report any cyberattack to the Federal Office for Cybersecurity (OFCS) within 24 hours of detection.
These reports will enable the OFCS (formerly the National Cybersecurity Center, NCSC) to better support businesses affected by cyberattacks. Critical infrastructure includes nine sectors: public authorities, energy, waste management, finance, healthcare, information and communication, food supply, public security, and transportation.
An online form has been created for reporting incidents to the OFCS. To access it, companies must register with the Cyber Security Hub. Organizations that prefer not to register on this platform can submit their incident report via email at notification@ncsc.ch.
If all information regarding the cyberattack is not available within 24 hours, the report may be completed within 14 days. To allow businesses time to adapt, non-compliance will not be sanctioned during the first six months. However, from October 1, 2025, failure to comply with the reporting obligation may result in a fine.
Certain companies within the sector are exempt from the reporting requirement. This applies to businesses with fewer than 50 employees and an annual turnover or balance sheet of less than 10 million francs in the sector related to critical infrastructure.
Even companies not subject to the reporting obligation are encouraged to voluntarily inform the authorities using the dedicated form, thereby contributing to overall cybersecurity.
Last modification 19.03.2025
