• Military
• WMD
• Intelligence

• Security Menu                     

• Systems
• Industry
• Operations
• Hot Documents
• News
• Reports
• Policy
• Budget
• Congress
• Links

• Space

Six-month reporting obligation for cyberattacks on critical infrastructures

Swiss Government

Press release
Published on 29 September 2025

Bern, 29.09.2025 -- Since 1 April 2025, there has been a legal obligation in Switzerland to report cyberattacks on critical infrastructure. The National Cyber Security Centre (NCSC) regards the results after the first six months as positive. So far, a total of 164 reports have been received from critical infrastructures. From 1 October 2025, the planned sanctions for failing to report attacks will come into force.

The obligation to report cyberattacks on critical infrastructures has been in force for six months. Overall, the National Cyber Security Centre (NCSC) is satisfied: operators of critical infrastructure have fulfilled their obligation in a timely manner and reported cyberattacks within 24 hours. It is particularly positive that the reporting parties use the Cyber Security Hub, which makes processing much easier for the NCSC. Even before the introduction of the reporting obligation, there was a close relationship of trust between the NCSC and many operators of critical infrastructure. This long-standing cooperation formed the basis for the successful launch of the reporting obligation.

164 reports from critical infrastructure operators

In total, the NCSC has received 164 reports from critical infrastructure operators since the beginning of April. DDoS attacks were reported most frequently (18.1%), followed by hacking (16.1%), ransomware (12.4%), credential theft (11.4%), data leaks (9.8%), and malware (9.3%). In several cases, combined phenomena were described, such as ransomware attacks with simultaneous data leaks. The sectors affected are diverse. So far, the financial sector has been the most affected (19%), followed by the IT sector (8.7%) and the energy sector (7.6%). Other reports have come from public authorities, healthcare, telecommunications companies, as well as a few from the postal service, the transport sector, the media industry, food supply and the technology sector.

Improving the exchange of information

The incoming reports are recorded and analysed statistically. The information obtained in this way not only helps with the specific response to an incident, but also contributes to a better assessment of the national threat situation and provides an early warning to other organisations that may potentially be affected. Since the reporting obligation came into force, many more organisations have been directly involved in exchanging information. As a result, warnings and recommendations now reach significantly more stakeholders directly.

Sanctions for reporting violations will apply from 1 October 2025

The sanctions under the Information Security Act will come into force on 1 October 2025. Operators of critical infrastructure who fail to fulfil their reporting obligation may be fined up to CHF 100,000. If the NCSC has evidence that a report has not been submitted, it is obliged to contact the operator concerned first. Only if there is no response from the operator concerned to this contact and the subsequent order can the NCSC file a criminal complaint.