Switzerland's NCSC Mandates Cyberattack Reporting for Critical Infrastructure within 24 Hours
Switzerland's National Cybersecurity Centre (NCSC) has introduced a new policy requiring critical infrastructure organizations to report cyberattacks on their systems within 24 hours of discovery. This move aims to enhance the country's cybersecurity posture in the face of rising threats.
The new policy, which will come into effect on April 1, 2024, is part of the amendment to the Information Security Act (ISA) that was approved by the Swiss authorities last September. The ISA stipulates that organizations subject to the reporting obligation, such as energy and drinking water suppliers, transport companies, and cantonal and communal administrations, must report cyberattacks to the NCSC within 24 hours of discovery.
The types of cyberattacks that will trigger this requirement include data breaches, blackmail, coercion, manipulation or leakage of information. Failure to comply with this new policy may result in fines up to CHF 100,000 (approximately $114,000). Organizations that do not report cybersecurity incidents within the specified timeframe will be subject to penalties.
The NCSC plays a crucial role in managing reporting and coordinating information exchange between authorities and organizations. The centre is responsible for ensuring that these reports are submitted correctly and that all relevant stakeholders are informed about potential threats.
International Alignment
Switzerland's new cyber incident reporting requirement aligns with international standards, enhancing information exchange to counter evolving threats. This move reflects the country's commitment to maintaining a robust cybersecurity framework that protects its critical infrastructure from cyber threats.
Implementation and Compliance
A grace period runs until October 1, 2025, during which time impacted organizations must report cybersecurity incidents to the NCSC within 24 hours via an online form or email. A detailed follow-up is required within 14 days of submission. Organizations that fail to comply with this requirement may face fines and other penalties.
Support for Cybersecurity
A consultation process was conducted to gauge support for strengthening cybersecurity measures, including the reporting obligation for cyberattacks on critical infrastructure. The results showed broad backing for these initiatives, with a focus on simplifying reporting obligations and aligning them with other regulations.
What You Need to Know
For more information on the entities affected by this new requirement, please refer to the list available on the NCSC website.