A reporting obligation is intended to better protect critical infrastructures from 1 April
Key points in brief
- From 1 April 2025, operators of critical infrastructures (universities, authorities, energy suppliers, drinking water, security and rescue, hardware/software manufacturers) must report cyberattacks to the BACS
- Reporting window: 24 hours, completion within 14 days. From 1 October 2025, violations risk a fine
- SMEs with products in the EU: an additional reporting obligation under the EU Cyber Resilience Act
Universities, authorities at all levels of government, companies in the areas of drinking water supply, security and rescue, energy suppliers, manufacturers of software and hardware for critical infrastructures as well as other important companies and organisations are affected by the reporting obligation.
«These reports will enable the BACS to support those affected in coping with cyberattacks and to warn operators of critical infrastructures at an early stage,» writes the Federal Council. That is why the Federal Office has made the reporting process as simple as possible: those who have access to the Cyber Security Hub, the existing platform for the exchange of information with operators of critical infrastructures, use the reporting form provided. Alternatively, reports are also possible via an email form, which will be available on the BACS website.
Fines loom from 1 October 2025
A cyberattack must be reported, among other things, if it endangers the functionality of the affected critical infrastructure, has led to a manipulation or an outflow of information, or is associated with extortion, threat or coercion. The BACS cites the following examples:
- Malware successfully installed in the system
- Encryption trojans
- Attacks on availability
- Unauthorized intrusion into data processing systems by exploiting vulnerabilities.
Often not all information is available within 24 hours. That is why the report can be completed within 14 days. Those who do not report an attack risk a fine after a transitional period of six months – the legal foundations are currently being drawn up.
«The introduction of the reporting obligation as the first cross-sector regulation is a milestone for Switzerland's cybersecurity,» the Federal Council is certain. Strengthening the exchange of information is crucial in order to counter the rapid development of cyber threats with appropriate measures.
Voluntary reports also help
The introduction of the reporting obligation for cyberattacks in Switzerland corresponds to international standards. Since 2018, a reporting obligation for cyber incidents has applied in all EU member states under the NIS Directive.
In general, all companies are advised to report a cyberattack. For organisations that do not operate critical infrastructure, this is voluntary. However, with a report they contribute to the general strengthening of cybersecurity in Switzerland, as the BACS can identify trends more quickly and react in a more targeted way.
In any case, the Swiss economy must not become complacent. New compliance requirements await SMEs, triggered by the EU's Cyber Resilience Act (CRA), which has been in force since the end of 2024. After a transitional period, there is a reporting obligation for companies that export «products with digital elements» to the EU. They must report attacks on their products and corresponding security vulnerabilities, and also meet stricter documentation obligations in the development of their products.