New Reporting Obligation for Cyber Attacks on Swiss Critical Infrastructure in April 2025

From April 1, 2025, operators of critical infrastructure in Switzerland will be required to report cyber attacks to the Federal Office for Cyber Security (FOCS).


The Swiss Federal Council recently confirmed this regulation, aiming to enhance national cybersecurity by ensuring swift responses to cyber threats.

Mandatory Reporting Within 24 Hours

Under the new cybersecurity ordinance (OCyS), organisations such as energy and water suppliers, transport companies, and cantonal and municipal administrations must report cyber incidents within 24 hours of detection. This applies to cyber attacks that:

  • Endanger the operation of critical infrastructure

  • Result in data manipulation or information leaks

  • Involve extortion, threats, or coercion

Reporting can be completed via a dedicated form on the FOCS platform or through email. To ease the transition, non-compliance will not be penalised for the first six months. However, as of October 2025, fines will be imposed for failure to report incidents.

Aligning with Broader Cybersecurity Efforts

The obligation to report cyber attacks is a key part of Switzerland’s broader cybersecurity strategy. While the Information Security Act, enacted in early 2024, laid the groundwork for strengthened digital defences, it did not include a mandatory reporting requirement for cyber attacks. The OCyS now fills this gap, with regulations shaped by a public consultation process that showed strong support for enhanced cybersecurity measures.

One of the main concerns raised was making sure reporting procedures are simple and in line with existing obligations, such as those relating to data protection. For this reason, the FOCS says its reporting form is designed to allow quick submission of necessary details and that, on request, it can forward information to other relevant authorities, including the Federal Financial Market Supervisory Authority and the Federal Data Protection and Information Commissioner.

Who Is Affected – And Who Is Exempt?

The OCyS outlines exemptions for organisations where cyber incidents would not directly impact economic stability or public welfare. Specifically:

  • Small businesses with fewer than 50 employees and annual revenue or assets below CHF 10 million are exempt.

  • Municipal administrations serving fewer than 1,000 residents are also exempt, unless they provide services related to political rights, such as election infrastructure.

  • Cloud computing providers, search engine operators, and data centres headquartered in Switzerland are only required to report incidents if they provide services to third parties for compensation.

Addressing Uncertainty Around Compliance

A recent study by The Swiss Infosec Training Institute revealed many companies remain uncertain about their reporting obligations. In recognition of this, the Swiss government has specified that businesses can proactively contact the FOCS if they need clarification about whether they're subject to the new requirements. Companies seeking exemption or inclusion must submit relevant documentation to justify that, and any significant operational changes might mean they have to reassess their obligations.

The FOCS has also split reportable cyber attacks into distinct sections, to try to help businesses understand which incidents must be disclosed and when.

Next Steps

As cyber threats continue to evolve, Switzerland is taking proactive steps to safeguard its critical infrastructure by "strengthening national resilience against digital attacks". For more information, or help with what to do next, get in touch – we're very happy to help.