Bolstering its already impressively proactive stance on cyber threats, Switzerland has made a move designed to further strengthen its digital defences: From 2025, critical infrastructure operators will be required to report cyber attacks to the government.
What is critical infrastructure? This term refers to organisations that provide essential services such as power grids, transport and communications. This new requirement is an element of the Cybersecurity Ordinance (OCyS), which is currently out for public consultation.
This move follows the Swiss Information Security Act (ISCA), which came into force in early 2024. The ISCA introduced a comprehensive cybersecurity framework, but the law did not include mandatory reporting for attacks on critical infrastructure. Given the potential impact of attacks on such organizations, the OCyS addresses this vulnerability and sets out a process for reporting, as well as who needs to report.
Nuanced reporting requirements
Not all organizations involved in critical infrastructure face the same degree of risk, and some have far greater resources than others. The OCyS recognises this diversity and aims to accommodate it by exempting organisations where an attack wouldn’t result in significant disruption to public wellbeing or the economy. It also acknowledges that not all cyber attacks have the same magnitude, introducing thresholds meaning that some operators will only need to report incidents that surpass a certain severity level, as set out in Article 16.
As well as attack size, the legislation considers organisation size. To avoid placing a disproportionate burden on very small organisations, companies with fewer than 50 employees and an annual turnover or balance sheet under 10 million francs is exempt, as are local authorities serving fewer than 1,000 residents. However, providers of services or infrastructure that is crucial for exercising political rights are not exempt.
Heading off uncertainty
As is often the case with regulations like the OCyS, there is potential for confusion—recent studies back this up. Acknowledging this, the Swiss government has set up support mechanisms. Organisations can reach out to the Federal Office for Information Security (OFCS) to confirm their exemption or reporting status. The OFCS is committed to examining each case individually and to making sure that the reporting requirements are applied fairly and effectively.
There’s a crucial caveat here, though: If an organisation's situation changes significantly, they bear the responsibility for ensuring that their reporting activities reflect their reporting status. Therefore, it’s important to contact the OFCS again when undergoing any changes or upscaling.
The regulations go into more detail about specific definitions and cyber attack forms, so all organisations are advised to read it in full.
Building threat intelligence
This goes beyond simply reporting for the sake of reporting. By defining and delineating different types of attack, the OCyS aims to not only give organisations a better understanding of what they need to report, but it allows the government to gather useful data on exactly which types of threats are targeting which kinds of providers. This plays a pivotal role in developing defenses and responses in the future.
How does this affect IT services specifically?
The OCyS makes new demands on IT service providers, particularly those playing a role in critical infrastructure. While cybersecurity is a priority for the vast majority of providers, the OCyS will raise the bar within the industry. This is a positive development, as it highlights IT’s importance in national security.
The OCyS public consultation closes on September 13, 2024, after which the feedback will be incorporated to produce a final version.
This development represents significant progress for Swiss cybersecurity. It’s possible that other countries may use the OCyS as a template for their own regulations to dial up their defences against evolving threats.
Is your organisation prepared?
The emergence of the OCyS reminds us all of the importance of robust, adaptable cybersecurity. In this demanding environment, cloud migration can be a powerful ally. It can deliver enhanced security, scalability and efficiency at a time when it’s never been more important.
Is your organisation fit for the future of cyber threats and compliance? Contact Penta today to explore how cloud migration can transform your security, resilience and agility.