Switzerland’s National Cyber Security Centre (NCSC) received 145 mandatory incident reports from critical infrastructure operators in the second half of 2025 – the first complete half-year under the country’s new mandatory reporting regime – alongside approximately 29,000 voluntary reports.
The findings, published 30 March 2026, document a clear professionalisation of attack methods: generative AI is being used to personalise campaigns at scale, and Covert Operational Relay Box (ORB) networks are being identified with increasing frequency across Swiss infrastructure. For financial services firms in Geneva under FINMA supervision, the report directly informs regulatory expectations.
The source document – the NCSC Semi-Annual Report 2025/2, “Cyberthreat level remains high – attacks becoming more targeted and complex” (30 March 2026) – is the first semi-annual report to cover a complete half-year of mandatory critical infrastructure reporting data, following the introduction of the reporting obligation on 1 April 2025. FINMA has drawn a direct line between the NCSC’s findings and the operational risk obligations it places on supervised institutions.
In H2 2025, the NCSC processed 145 mandatory critical infrastructure incident reports, covering energy, transport, finance, healthcare, communications and public administration. Of those mandatory reports, public administration accounted for 25 percent, the largest single sector by volume. Financial services followed closely.
Approximately 29,000 voluntary incident reports were also received in the same period, keeping Switzerland’s annual total above 64,000 for the second consecutive year. The overall volume has stabilised at a high level. What has changed is the nature of the attacks: more targeted, more complex, and increasingly assisted by AI.
The NCSC semi-annual report covers voluntary incident reports submitted online by individuals and organisations, and – from H2 2025 for the first time – mandatory reports from critical infrastructure operators. The mandatory reporting obligation came into force on 1 April 2025 under the Cybersecurity Ordinance, requiring operators to notify the NCSC within 24 hours of detecting a significant cyberattack.
The H2 2025 figures therefore represent the first complete half-year of mandatory data, providing the first structurally reliable baseline for tracking threats to critical sectors. Voluntary reporting continues to depend on willingness to submit; the mandatory channel captures incidents that might otherwise have gone unreported.
Two developments stand out in the NCSC’s H2 2025 analysis.
The first is the use of generative AI to scale and personalise social engineering. Phishing campaigns that once required significant manual effort can now be produced at scale, in fluent local language, tailored to the individual recipient. What once looked like a generic phishing attempt increasingly looks like credible, personalised correspondence.
The second is the growing identification of ORB networks in Switzerland. These are networks of compromised internet-connected devices – routers, servers, Internet of Things (IoT) devices – infected with malware and remotely controlled by attackers. In some cases they are rented to third parties and used as launch points for further attacks while concealing the attacker’s true origin. The NCSC notes that consistently updating and securing internet-exposed devices is essential to prevent these networks from forming.
“The cyberthreat level remains high – attacks are becoming more targeted and complex.” – NCSC, Semi-Annual Report 2025/2
A significant proportion of incidents did not originate at the target organisation. They entered through service providers and outsourcing partners. An organisation that has invested heavily in its own security perimeter can still be compromised through a vendor operating with weaker controls.
For firms using managed IT or cloud services, this makes the security posture of the provider a material question, not an administrative one.
FINMA’s supervisory priorities reference Switzerland’s national threat landscape directly. Institutions are expected to assess not just their own security posture but that of third parties with access to their systems and data.
The mandatory reporting regime also creates a compliance dimension of its own: firms in scope must have incident detection and reporting capabilities in place, not just preventive controls. The 24-hour reporting window leaves no room for process gaps.
NCSC, “Cyberthreat level remains high – attacks becoming more targeted and complex” (Semi-Annual Report 2025/2), 30 March 2026: https://www.ncsc.admin.ch/ncsc/en/home/aktuell/im-fokus/2026/ncsc-hjb-2025-2.html
NCSC Mandatory Reporting Obligation (Cybersecurity Ordinance, April 2025): https://www.ncsc.admin.ch/ncsc/en/home/meldepflicht.html
FINMA Annual Report 2025: https://www.finma.ch/en/documentation/finma-publications/annual-reports--and-financial-statements/