On 11 December 2020 the Federal Council tasked the Department of Finance with drafting a bill which will introduce a cyberattack notification obligation for operators of critical infrastructure.(1)

The reporting of cyberattacks which affect critical infrastructure, such as that used in the telecoms or financial sectors or for energy supply, is not currently subject to over-arching mandatory rules. Rather, reporting happens on a voluntary basis through the National Cyber Security Centre (NCSC) or based on sectoral regulations or recommendations.

In line with the national strategy for the protection of Switzerland against cyber risks (NCS), which aims, among other things, to expand the capabilities for information gathering around cyberattacks, the NCSC examined the need for and relevance of implementing an obligation to report cyberattacks and how such an obligation could be framed.

Based on the NCSC's findings, the Federal Council has instructed the Department of Finance to submit a draft which creates the necessary legal provisions by the end of 2021. The draft will appoint a central reporting office and provide uniform criteria for all sectors in order to clarify:

  • which party is responsible for reporting which incident;
  • which incidents must be reported;
  • the timeframe for reporting; and
  • how this new obligation will align with existing obligations to report deficiencies and security breaches in certain sectors.

The reporting of cyberattacks will facilitate the early identification of cyberattack methods and enable the NCSC to issue faster warnings.

This step forward by the Federal Council represents a key point of implementation of the NCS and will reinforce Switzerland's security and overall awareness of cyber risks.

Endnotes

(1) The announcement is available here in German, French and Italian.