
Switzerland Enters a New Era of Cyberattack Reporting
1 October 2025 marks an important milestone for Switzerland’s cybersecurity landscape. Starting today, the mandatory reporting obligation for cyberattacks on critical infrastructures—introduced in April—comes fully into force, with potential fines of up to CHF 100,000 for failure to comply.
This regulation, enforced by the National Cyber Security Centre (NCSC), requires operators of critical infrastructure to report significant cyber incidents within 24 hours. After six months of trial enforcement, the NCSC reports that 164 incidents have already been logged, spanning multiple sectors: finance, IT, energy, healthcare, telecoms, and government. Denial of Service (DoS) attacks accounted for 18% of reported cases, followed by system hacks, ransomware, and stolen credentials.
Why This Matters for Switzerland
The introduction of this obligation represents a major step in strengthening Switzerland’s role as a trusted digital hub. By institutionalizing cyberattack reporting, authorities aim to:
- Improve national threat awareness
- Enable early warnings across sectors
- Build a stronger foundation for resilience and response
Cybersecurity is increasingly a matter of national security, and countries that systematize reporting obligations gain an important advantage in mitigating risks before they escalate.
How Switzerland Compares Internationally
While Switzerland’s framework is new, similar laws already exist elsewhere:
- European Union: The NIS2 Directive (2022) requires a broad set of essential and important entities to report significant cyber incidents within 24 hours. Member States had to transpose NIS2 into national law by October 2024, making Europe a pioneer in harmonizing such obligations.
- United States: The Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA, 2022) obliges critical infrastructure operators to report substantial cyber incidents to the Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours and ransomware payments within 24 hours.
- Other jurisdictions: Australia, Singapore, and Japan have also introduced reporting frameworks for operators of essential services, highlighting a global shift toward proactive cyber governance.
Switzerland may not have been the first mover, but by introducing enforcement now, it is joining this international trend and aligning itself with best practices.
The Road Ahead
Mandatory reporting is only the first step. The true value lies in how the collected data is used:
- Sharing anonymized insights with industry to raise resilience
- Enabling public–private collaboration for incident response
- Building a culture of cyber accountability that extends beyond compliance
For Swiss organizations, this is also an opportunity. By complying, they not only avoid penalties but also contribute to strengthening the collective security ecosystem that underpins Switzerland’s digital economy.
Conclusion
With the start of enforcement on 1 October 2025, Switzerland has entered a new era of cyber resilience. Mandatory reporting obligations will not eliminate cyber threats, but they provide a framework to detect, share, and respond more effectively.
As Switzerland integrates this practice into its national digital strategy, the challenge will be ensuring that reporting does not remain a bureaucratic exercise, but instead becomes a driver of trust, intelligence, and resilience across all critical sectors.
Sources
- National Cyber Security Centre (NCSC). Six-month reporting obligation for cyberattacks on critical infrastructures – Press release, 29 September 2025. Federal Department of Finance (FDF). https://www.efd.admin.ch/en/newnsb/gezctyF6KYR7UkCjXBC5s
- European Union. Directive (EU) 2022/2555 on measures for a high common level of cybersecurity across the Union (NIS2 Directive), 14 December 2022. EUR-Lex. https://eur-lex.europa.eu/eli/dir/2022/2555/oj/eng
- United States Congress. Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). Public Law No: 117-103. https://www.cisa.gov/topics/cyber-threats-and-advisories/information-sharing/cyber-incident-reporting-critical-infrastructure-act-2022-circia
- Australian Government. Security of Critical Infrastructure Act 2018 (as amended). https://www.cisc.gov.au/legislation-regulation-and-compliance/soci-act-2018