Consultation on introduction of cyberattack reporting obligation
Cyberattacks have become a serious threat to Switzerland’s security and economy. On average, the Swiss National Cyber Security Center (NCSC) receives over 300 reports concerning successful or attempted cyberattacks every week. These reports to the NCSC are submitted on a voluntary basis by companies, authorities and private individuals. The Swiss Federal Council now wishes to strengthen the reporting system by obliging the operators of critical infrastructures to report cyberattacks to the NCSC.
Therefore, on 12 January 2022, the Federal Council published a draft law introducing a reporting obligation for cyberattacks on critical infrastructures. At the same time, the Federal Council initiated a consultation that will last until 14 April 2022. According to the press release of the Federal Council, the reporting obligation is intended to ensure that the NCSC can form a clearer picture of the situation based on comprehensive information and thus warn other critical infrastructure operators about cyberattacks at an early stage.
According to the draft, the obligation to report shall apply to: a) universities, b) Swiss federal, cantonal and municipal authorities, c) organisations in the field of security, rescue, drinking water and waste disposal, d) energy suppliers, e) providers of online marketplaces, cloud computing and search engines, f) hospitals, medical laboratories and pharmaceutical companies, g) media companies, h) postal and transport companies, i) air and shipping companies, j) suppliers of basic utility and k) IT companies. To make reporting as simple as possible, it is envisaged that the NCSC will provide an electronic reporting form. Additionally, the NCSC shall support the critical infrastructure operators mentioned above in dealing with cyber incidents. With the operator’s consent, it should also be able to access the information and IT resources of the operator concerned for the purpose of analysing a cyber incident. This consent might be granted independently of any confidentiality obligations.