The Architecture of Obligation
On 1 April 2025, Switzerland crossed a threshold that most liberal democracies have long debated but few have acted on decisively: mandatory cyberattack reporting for operators of critical infrastructure became law. The requirement, embedded in amendments to the federal Information Security Act (ISG) and administered by the National Cyber Security Centre (NCSC, which since 1 January 2024 has operated as the Federal Office for Cybersecurity, BACS), imposes a legally binding obligation on a defined set of organisations to notify the office within 24 hours of discovering a cyberattack that jeopardises their ability to operate, results in manipulation or exfiltration of sensitive information, or targets control systems in a way that could have physical consequences.
The scope of covered entities is deliberately broad. Energy suppliers, water utilities, hospitals, transport operators, financial market infrastructures, telecommunications providers, and entities in the cantonal and federal public administration are all captured. Switzerland has also included operators of critical digital infrastructure, the cloud providers and data centre operators serving these sectors, which brings the Swiss scope into line with the digital infrastructure sector of the EU's NIS2 Directive rather than leaving that layer to voluntary arrangements. The reporting obligation does not require the incident to have been forensically confirmed as malicious; the 24-hour clock starts at discovery of an attack whose observable effects meet the threshold criteria, a design choice that prioritises speed over forensic certainty.
The 24-hour window applies to an initial notification, which may be brief and partial. Operators are expected to provide a more complete report within 14 days, covering their preliminary analysis of attack vectors, affected systems, and estimated impact. The NCSC assumes a coordination and analysis role, not an enforcement or prosecutorial one — at least in this initial phase. Reported data is treated as confidential by statute and cannot be passed to law enforcement without the operator’s consent, a safeguard introduced explicitly to reduce reporting disincentives. The NCSC is also prohibited from using incident reports as the basis for any regulatory sanction against the reporting operator, creating what the Federal Council described as a “no-penalty” safe harbour for candid disclosure.
Policy Objectives: From Signal to Situational Awareness
Three interrelated objectives animate the regime. The first is early warning: by requiring rapid notification, the NCSC gains a signals-intelligence function over live attack campaigns, enabling it to warn other operators facing similar threats before they are themselves compromised. The second is national situational awareness — the accumulation of structured incident data that allows Switzerland to understand the tempo, targeting patterns, and technical characteristics of adversarial activity against its infrastructure. The third, and ultimately the most strategic, is resilience: normalising reporting behaviour changes organisational culture, pushing boards and senior leaders to invest in detection capability, incident response plans, and the internal processes necessary to comply.
The architecture supports these objectives through deliberate design. The confidentiality protections address the principal barrier to voluntary reporting: fear of reputational or legal consequence. The tiered timeline — 24 hours then 14 days — acknowledges operational reality while still capturing information when it is most actionable. The NCSC’s analytical output is expected to feed into threat intelligence products distributed back to the critical infrastructure community, creating a reciprocal value loop that should, over time, give operators a positive incentive to report beyond mere compliance.
Balancing Security and Burden
Switzerland has been notably careful to calibrate its reporting thresholds to avoid what European regulators have come to call “notification fatigue” — the phenomenon in which an excessively broad obligation generates a flood of low-value reports that overwhelm both the reporting body and the companies obliged to produce them. The threshold criteria — operational impairment, data manipulation or theft, or effects on control systems — are operational rather than purely technical. A routine malware infection caught by endpoint protection that has no observable effect on service delivery is not reportable. A ransomware event that encrypts backup servers, even if quickly remediated, likely is.
The NCSC has accompanied the legal framework with practical guidance: standardised reporting templates, a secure digital submission portal, and a 24-hour helpline staffed by technical analysts. For smaller operators, such as municipal water authorities and regional hospitals, the NCSC has established a "notification support" function under which operators can speak to an analyst to assess whether an incident crosses the threshold before formally submitting. This reduces the risk of both under- and over-reporting, and shifts some of the classification burden to the state, where the expertise arguably belongs.
No fines applied at entry into force: the Federal Council set a six-month transitional period, so the penalty provisions took effect on 1 October 2025. Even then the enforcement trigger is narrow. The fine (up to CHF 100,000) applies only where an operator ignores a formal order from the office to file a report, not where it misjudges the threshold in good faith. The sequencing is deliberate, prioritising norm-building over enforcement while operators build compliance infrastructure, and it is wise: enforcement before capability creates antagonism without improving security outcomes.
Comparative Perspective: NIS2, CIRCIA, and the Swiss Difference
Switzerland’s regime invites direct comparison with the European Union’s NIS2 Directive, which entered into force in January 2023 and required member state transposition by October 2024, and with the United States’ Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) of 2022, whose implementing rules are still being finalised by CISA.
NIS2 establishes a tiered reporting obligation: a "significant incident" must generate an early warning within 24 hours, an incident notification within 72 hours, and a final report within one month. The scope is broader than Switzerland's in some respects, covering eighteen sectors across its two annexes, but NIS2 relies on member state transposition, producing significant variation in implementation stringency, threshold definition, and enforcement. Transposition has been uneven: most member states, Germany among them, missed the October 2024 deadline, and the European Commission opened infringement proceedings against the laggards in November 2024. NIS2 also lacks Switzerland's explicit prohibition on using incident reports as the basis for sanctions against the reporting entity, leaving a persistent disincentive that national implementations have addressed inconsistently.
CIRCIA, once fully implemented, will require covered entities to report substantial cyber incidents within 72 hours and ransom payments within 24 hours. The U.S. approach is notably more enforcement-oriented on the question of whether a report is filed at all: CISA will have subpoena authority to compel reporting from non-compliant entities. The covered entity definition is still being contested, with industry groups arguing for narrower scope and CISA pushing for breadth. On the content of reports, however, CIRCIA is closer to the Swiss model than it first appears: the statute exempts reports from FOIA disclosure, bars federal and state agencies from using them as the basis for regulatory enforcement against the reporting entity, and attaches liability protection to the act of reporting. The broader U.S. approach still reflects the adversarial legal culture of American regulation, and there will be litigation over thresholds, scope, and enforcement, in a way the Swiss consensus-based model explicitly avoids.
The genuinely distinctive Swiss features are two. First, the governance structure: the office that receives reports is a cybersecurity support agency, neither a sector supervisor nor a prosecutor. The NCSC grew up inside the Federal Department of Finance and, since 1 January 2024, operates as the Federal Office for Cybersecurity (BACS) within the Federal Department of Defence, Civil Protection and Sport; in neither home has it held supervisory authority over the operators it serves, and its institutional culture is oriented toward risk management rather than law enforcement. This placement shapes behaviour: operators engage with it as a peer-support function rather than as a regulator with prosecution authority. Second, Switzerland's federal structure creates both a complexity and an opportunity. Cantonal operators are covered, but cantonal governments also have responsibilities for implementing local critical infrastructure, meaning the office must work through federated relationships rather than direct mandate. The regime has addressed this by establishing cantonal liaison points and including cantonal information security officers in the incident notification flow, a model that has parallels for federal states like Germany, Australia, and the United States.
Implementation Challenges
No mandatory reporting regime is immune from under-reporting, and Switzerland’s is not an exception. The principal challenge is incident classification ambiguity at the threshold margin. The criteria — operational impairment, data manipulation, control system effects — require judgment at the moment of highest operational stress, when security teams are focused on containment, not compliance. The 2021 incident at the Olten water treatment facility — where an external intrusion was not disclosed to cantonal authorities for eleven days because operators assessed it as non-material — illustrates the cost of classification delay. Under the new regime, such delay would be non-compliant, but the incentive to defer classification remains where operators fear reputational consequence.
The NCSC’s capacity to process reports at scale is a second challenge. Switzerland has approximately 300 organisations within the initial mandatory reporting scope. At steady state, the NCSC might receive dozens of reports per week during elevated threat periods. The analytical function — triage, attribution, threat product dissemination — requires skilled analysts whose labour market is competitive globally. The NCSC’s current staffing, while expanded in anticipation of the new mandate, may be insufficient if a coordinated campaign against multiple operators generates simultaneous reports, precisely the scenario early-warning systems most need to handle well.
Smaller operators present a structural challenge. A regional energy cooperative with a three-person IT function faces a qualitatively different compliance burden than a major bank. The 24-hour timeline assumes detection capability that smaller operators may not have. The NCSC’s notification support function mitigates this at the margin, but does not resolve the underlying capacity gap.
Implications for Critical Infrastructure Operators
For boards and executives, the new requirement reframes cyber incident response as a governance matter, not merely an operational one. Compliance with the 24-hour notification window requires pre-approved incident classification criteria, clear escalation paths to senior management, and tested communication protocols with the NCSC — all elements of a mature incident response programme that many operators currently lack. Energy and transport operators, whose operational technology environments often have limited logging and detection capability, face the most acute gap.
For financial institutions already operating under FINMA incident reporting rules (FINMA Guidance 05/2020 has required supervised institutions to report cyberattacks since 2020, on the basis of the general reporting duty in Art. 29 para. 2 FINMASA), the new NCSC obligation creates a dual reporting channel that must be coordinated. FINMA has indicated it will develop a joint notification arrangement with the NCSC to prevent redundant filings, but this coordination mechanism was not fully operational at the law's entry into force.
The healthcare sector deserves particular attention. The 2023 ransomware attack on Inselspital Bern, which disrupted surgical scheduling and diverted emergency patients, was a stark reminder of the physical consequences of cyber incidents on health infrastructure. Under the new regime, such an incident would have been reportable within 24 hours, potentially enabling the NCSC to warn other hospitals before the same ransomware variant spread. The counterfactual is instructive: timely reporting could directly save lives.
Geopolitical and Cross-Border Dimensions
Switzerland’s political neutrality creates a distinctive position in international cyber governance. The country is neither an EU member nor a NATO ally, yet it is deeply integrated into European digital infrastructure and hosts major international organisations. This allows Switzerland to operate the NCSC as a potential bridge node in cross-border threat intelligence sharing — a trusted intermediary between EU mechanisms like ENISA’s reporting systems and non-EU actors.
The Federal Council has indicated interest in negotiating bilateral incident notification agreements with the EU and individual states under which anonymised or aggregated threat intelligence derived from Swiss mandatory reports could feed into EU early-warning systems. This is operationally sensible but politically complex: the EU’s NIS2 framework creates expectations of regulatory alignment that Switzerland’s parallel but distinct regime may not satisfy.
For jurisdictions considering importing the Swiss model, the most significant obstacle is legal culture. Switzerland’s consensus-based regulatory tradition, in which compliance is expected before enforcement, and in which government functions as a support provider rather than an adversary, is not universally replicable. Emerging economies with weaker institutional capacity face a more fundamental challenge: mandatory reporting is only as useful as the analytical function that receives and acts on reports. Building the NCSC equivalent — skilled, trusted, well-resourced — may be a precondition rather than a consequence of mandatory reporting obligations.
Conclusion: A Viable Model, With Important Caveats
Switzerland’s mandatory cyberattack reporting regime is among the most thoughtfully designed in the world. Its combination of confidentiality protections, tiered timelines, operational thresholds, and institutional placement as a support function rather than an enforcement body addresses the principal failures of voluntary reporting and the principal disincentives of punitive mandatory regimes. The explicit prohibition on using incident reports as the basis for sanctions against the reporter, a protection that CIRCIA also writes into statute, is a design feature that other jurisdictions should study carefully.
The regime is not a complete template. It requires adaptation for different governance cultures, regulatory traditions, and institutional capacities. Three concrete recommendations follow for policymakers considering analogous frameworks.
First, decouple reporting from enforcement in the initial years of any mandatory regime. The goal of early-stage mandatory reporting is norm-building and intelligence collection, not punishment. Penalties should follow capability development, not precede it. Switzerland’s sequenced approach, a penalty-free transitional period followed by fines that bite only when an operator ignores a formal order to report, is correct.
Second, invest in the analytical function before the reporting obligation takes effect. A mandatory reporting regime that generates reports nobody processes is worse than voluntary reporting: it creates compliance burden without intelligence value and destroys operator trust. The NCSC received significant capacity investment before April 2025; this sequencing was critical.
Third, define thresholds operationally, not technically. Thresholds tied to observable operational effects — service impairment, data compromise, physical system impact — are more robust than those tied to technical classifications like “significant cyber incident,” which require forensic judgments unavailable at the 24-hour mark. Switzerland’s operational threshold design is its most underappreciated innovation, and the most immediately exportable.
The trajectory of infrastructure threats — increasingly sophisticated state-sponsored campaigns, ransomware at industrial scale, supply chain compromises of the kind demonstrated by the 2020 SolarWinds operation — makes mandatory reporting not a question of whether but of how. Switzerland has provided a credible answer to the how. The obligation now falls on other jurisdictions to learn from it.