DataBreaches.Net


Swiss critical sector faces new 24-hour cyberattack reporting rule

Posted on March 12, 2025 by Dissent

Bill Toulas reports:

Switzerland’s National Cybersecurity Centre (NCSC) has announced a new reporting obligation for critical infrastructure organizations in the country, requiring them to report cyberattacks to the agency within 24 hours of their discovery. According to the NCSC announcement, this new requirement is introduced as a response to the increasing number of cybersecurity incidents and their impact on the country.

Examples of types of cyberattacks that will have to be reported include:

  • Cyberattacks that jeopardize the operation of critical infrastructure
  • Manipulation, encryption, or exfiltration of data
  • Extortion, threats, and coercion
  • Malware installed on systems
  • Unauthorized access to systems

Read more at BleepingComputer.

The reporting obligation under section 74(B) applies to a broad swath of entities and sectors:

a. Universities according to Article 2 paragraph 2 of the Higher Education Promotion and Coordination Act of 30 September 2011;
b. Federal, cantonal and municipal authorities and intercantonal, cantonal and intercommunal organisations, with the exception of the Defence Group, when the army provides assistance service under Article 67 or active service under Article 76 of the Military Law of 3 February 1995;
c. Organisations with public-law tasks in the areas of security and rescue, drinking water supply, wastewater treatment and waste disposal;
d. Companies active in the fields of energy supply pursuant to Article 6 paragraph 1 of the Energy Act of 30 September 2016, energy trading, energy measurement or energy control, with the exception of licence holders under the Nuclear Energy Act of 21 March 2003, if a cyberattack occurs on a nuclear installation;
e. Companies subject to the Banking Act of 8 November 1934, the Insurance Supervision Act of 17 December 2004 or the Financial Market Infrastructure Act of 19 June 2015;
f. Health care establishments that are included on the cantonal hospital list pursuant to Article 39 paragraph 1 letter e of the Federal Act of 18 March 1994 on health insurance;
g. medical laboratories authorised under Article 16(1) of the Epidemics Act of 28 September 2012;
h. Companies that have a licence under the Therapeutic Products Act of 15 December 2000 for the manufacture, marketing and import of medicinal products;
i. Organisations that provide benefits to protect against the consequences of illness, accident, incapacity for work and earning a living, old age, disability and helplessness;
j. the Swiss Broadcasting Corporation;
k. news agencies of national importance;
l. Providers of postal services registered with the Postal Commission in accordance with Article 4(1) of the Postal Services Act of 17 December 2010;
m. Railway undertakings pursuant to Article 5 or 8c of the Railways Act of 20 December 1957 and cable car, trolleybus, bus and shipping undertakings holding a concession pursuant to Article 6 of the Passenger Transport Act of 20 March 2009;
n. Civil aviation companies that hold a licence from the Federal Office of Civil Aviation, as well as the state airports in accordance with the Aviation Infrastructure Plan;
o. Companies that transport goods on the Rhine in accordance with the Maritime Navigation Act of 23 September 1953, as well as companies that carry out registration, loading or unloading in the port of Basel;
p. Companies that supply the population with essential daily goods and whose failure or disruption would lead to significant supply bottlenecks;
q. Providers of telecommunications services registered with the Federal Office of Communications pursuant to Article 4 paragraph 1 of the Telecommunications Act;
r. Registry operators and registrars of Internet domains according to Article 28 b FMG;
s. providers and operators of services and infrastructures that serve the exercise of political rights;
t. Providers and operators of cloud computing, search engines, digital security and trust services and data centers, provided they are based in Switzerland;
u. Manufacturers of hardware or software whose products are used by critical infrastructures, provided that the hardware or software has remote maintenance access or is used for one of the following purposes:

1. Control and monitoring of operational systems and processes,
2. Ensuring public safety.

A cyberattack must be reported if it:

a. endangers the functionality of the affected critical infrastructure;
b. has resulted in manipulation or leakage of information;
c. remained undetected for a long period of time, especially if there are indications that it was carried out in preparation for further cyberattacks; or
d. involves blackmail, threats or coercion.

The new obligations also state (English machine translation): “By reporting a cyber-attack, the authorities and organisations required to report shall be entitled to the assistance of the NCSC in incident management in accordance with Article 74(3).”

It is not (yet) clear to DataBreaches exactly what types and scope of assistance in incident management will be available to entities.
