DataBreaches.Net

Swiss critical sector faces new 24-hour cyberattack reporting rule

Posted on March 12, 2025 by Dissent

Bill Toulas reports:

Switzerland’s National Cybersecurity Centre (NCSC) has announced a new reporting obligation for critical infrastructure organizations in the country, requiring them to report cyberattacks to the agency within 24 hours of their discovery. According to the NCSC announcement, this new requirement is introduced as a response to the increasing number of cybersecurity incidents and their impact on the country.

Examples of types of cyberattacks that will have to be reported include:

  • Cyberattacks that jeopardize the operation of critical infrastructure
  • Manipulation, encryption, or exfiltration of data
  • Extortion, threats, and coercion
  • Malware installed on systems
  • Unauthorized access to systems

Read more at BleepingComputer.

The reporting obligation under section 74(B) applies to a broad swath of entities and sectors:

a. Universities according to Article 2 paragraph 2 of the Higher Education Promotion and Coordination Act of 30 September 2011;
b. Federal, cantonal and municipal authorities and intercantonal, cantonal and intercommunal organisations, with the exception of the Defence Group, when the army provides assistance service under Article 67 or active service under Article 76 of the Military Law of 3 February 1995;
c. Organisations with public-law tasks in the areas of security and rescue, drinking water supply, wastewater treatment and waste disposal;
d. Companies active in the fields of energy supply pursuant to Article 6 paragraph 1 of the Energy Act of 30 September 2016, energy trading, energy measurement or energy control, with the exception of licence holders under the Nuclear Energy Act of 21 March 2003, if a cyberattack occurs on a nuclear installation;
e. Companies subject to the Banking Act of 8 November 1934, the Insurance Supervision Act of 17 December 2004 or the Financial Market Infrastructure Act of 19 June 2015;
f. Health care establishments that are included on the cantonal hospital list pursuant to Article 39 paragraph 1 letter e of the Federal Act of 18 March 1994 on health insurance;
g. Medical laboratories authorised under Article 16(1) of the Epidemics Act of 28 September 2012;
h. Companies that have a licence under the Therapeutic Products Act of 15 December 2000 for the manufacture, marketing and import of medicinal products;
i. Organisations that provide benefits to protect against the consequences of illness, accident, incapacity for work and earning a living, old age, disability and helplessness;
j. The Swiss Broadcasting Corporation;
k. News agencies of national importance;
l. Providers of postal services registered with the Postal Commission in accordance with Article 4(1) of the Postal Services Act of 17 December 2010;
m. Railway undertakings pursuant to Article 5 or 8c of the Railways Act of 20 December 1957 and cable car, trolleybus, bus and shipping undertakings holding a concession pursuant to Article 6 of the Passenger Transport Act of 20 March 2009;
n. Civil aviation companies that hold a licence from the Federal Office of Civil Aviation, as well as the state airports in accordance with the Aviation Infrastructure Plan;
o. Companies that transport goods on the Rhine in accordance with the Maritime Navigation Act of 23 September 1953, as well as companies that carry out registration, loading or unloading in the port of Basel;
p. Companies that supply the population with essential daily goods and whose failure or disruption would lead to significant supply bottlenecks;
q. Providers of telecommunications services registered with the Federal Office of Communications pursuant to Article 4 paragraph 1 of the Telecommunications Act;
r. Registry operators and registrars of Internet domains according to Article 28 b FMG;
s. Providers and operators of services and infrastructures that serve the exercise of political rights;
t. Providers and operators of cloud computing, search engines, digital security and trust services and data centers, provided they are based in Switzerland;
u. Manufacturers of hardware or software whose products are used by critical infrastructures, provided that the hardware or software has remote maintenance access or is used for one of the following purposes:

1. Control and monitoring of operational systems and processes,
2. Ensuring public safety.

A cyber attack must be reported if it:

a. endangers the functionality of the affected critical infrastructure;
b. has resulted in manipulation or leakage of information;
c. remained undetected for a long period of time, especially if there are indications that it was carried out in preparation for further cyberattacks; or
d. involves blackmail, threats or coercion.

The new obligations also state (English machine translation): “By reporting a cyber-attack, the authorities and organisations required to report shall be entitled to the assistance of the NCSC in incident management in accordance with Article 74(3).”

It is not (yet) clear to DataBreaches exactly what types and scope of assistance in incident management will be available to entities.

 
