Starting April 1, 2025, the new cyber incident reporting obligation will come into effect in Switzerland. The regulation particularly affects companies classified as critical infrastructure (CI) – such as those in energy, healthcare, finance, telecommunications, transport, and water supply sectors. The goal is to strengthen cybersecurity at the national level, detect incidents early, and improve coordination.
Operators of critical infrastructure, meaning organizations and companies whose failure would have serious impacts on society, economy, or public security. These include:
Cyber incidents that result in significant impairment of the availability, confidentiality, or integrity of IT systems and could thereby endanger the operation of critical infrastructure. These include:
Reports should be submitted to the National Center for Cybersecurity (NCSC), which is centrally responsible for coordinating and analyzing incidents. Companies and organizations must report relevant incidents immediately, or within a maximum of 24 hours after an incident is detected.
The new reporting obligation requires affected companies to establish clear internal processes:
Additionally, companies should verify whether they formally fall under the CI definition – if unclear, early clarification with the NCSC or the relevant industry association is recommended.
The introduction of the reporting obligation is an important step for Switzerland's cyber resilience. Operators of critical infrastructure are required to adapt their security processes and be prepared for potential incidents. Those who act now can not only meet legal requirements but also sustainably strengthen their cyber defense.
Further information: https://www.ncsc.admin.ch/ncsc/de/home/aktuell/im-fokus/2025/meldepflicht-2025.html
Das sind weitere Beiträge, die Sie interessieren könnten.
Zur Blogübersicht