Article Details

Swiss critical sector faces new 24-hour cyberattack reporting rule. Switzerland's National Cybersecurity Centre (NCSC) has announced a new reporting obligation for critical infrastructure organizations in the country, requiring them to report cyberattacks to the agency within 24 hours of their discovery. According to the NCSC announcement, this new requirement is introduced as a response to the increasing number of cybersecurity incidents and their impact on the country. Examples of types of cyberattacks that will have to be reported include: The mandate is introduced via an amendment to the Information Security Act (ISA), which will go into effect on April 1, 2025. The law applies to critical service providers such as utilities, local government, and transportation organizations. "The Federal Council has decided that the amendment to the Information Security Act (ISA) of 29 September 2023 will enter into force on 1 April," reads the announcement. "The ISA stipulates that authorities and organisations subject to the reporting obligation, such as energy and drinking water suppliers, transport companies and cantonal and communal administrations, must report cyberattacks to the NCSC within 24 hours of discovery." The complete list of all entity types that are impacted by this new requirement is published here. A leniency period will be given until October 1, 2025, but failure to comply after that date will result in fines of up to CHF 100,000 ($114,000). Organizations impacted by a cybersecurity incident will have to report it via an online form on the NCSC site or via email, with no registration required. The first report must be submitted within 24 hours of the incident's discovery, and a follow-up report with additional details will be expected in the next 14 days. There are provisions for particular exceptions under Art. 74c of the ISG, with more details available here. Switzerland calls this new requirement a milestone for cybersecurity in the country, noting that it is in accordance with the NIS Directive, an EU-wide cybersecurity legislation that applies to operators of essential services and digital service providers. Top 10 MITRE ATT&CK© Techniques Behind 93% of Attacks Based on an analysis of 14M malicious actions, discover the top 10 MITRE ATT&CK techniques behind 93% of attacks and how to defend against them.