Do you have to report cyber attacks to the police?

Written by Penta | Aug 12, 2024 9:00:00 AM

A new Information Security Act came into force in Switzerland at the beginning of 2024. But the obligation to report cyberattacks on critical infrastructure isn’t included in the (relatively) new law. This is because it will be introduced in 2025, as part of the Cybersecurity Ordinance (OCyS), which was put out for consultation on 22 May of this year. 

As part of this, critical infrastructures must report cyber attacks. But… authorities and organisations for which a cyber attack does not have “a direct impact on the functioning of the economy or the well-being of the population” are explicitly exempted from the notification obligation. 

So, it’s not all that simple. 

And it goes on… Article 16 contains a whole series of threshold values for certain companies.

As an example of one such anomaly, providers and operators of cloud computing and search engines, as well as data centres headquartered in Switzerland, are only subject to the reporting obligation if they provide their services in part or in full to third parties and for remuneration. Similarly, data centres that provide their services exclusively for their own needs are not subject to this obligation.

So, no specific threshold is defined, but the rule is written as follows: “A general exemption is granted to companies employing fewer than fifty people and with an annual turnover or balance sheet of less than ten million francs as well as to authorities responsible for a community of fewer than 1,000 people”.

The federal authorities also specify that the administrations of these municipalities (which are generally small) must not be burdened by an obligation to notify. But, regardless of size, providers and operators of services and infrastructure that serve the exercise of political rights do have to notify the police about their cyber attacks — and that’s even if they offer their services and infrastructure to fewer than 1,000 inhabitants. 

Unsurprisingly, perhaps, a recent study has shown that many companies are unsure whether they have to report cyber attacks that affect them. Uncertain or interested authorities and organisations are encouraged to contact the Federal Office for Cyber Security (FOCS). There, they can request to be subject to a reporting obligation, or indeed to be exempt from it.

The aforementioned Cybersecurity Ordinance (OCyS) consultation is scheduled to last until September 13, 2024.