Introduction of a reporting obligation for cyber-attacks on critical infrastructures
Successful cyber-attacks can have far-reaching consequences for the availability and security of the Swiss economy. The population, authorities and undertakings are exposed to the risk of daily cyber-attacks. Today, there is no overview of which attacks have taken place where, as reports to the National Cybersecurity Centre (NCSC) are only made on a voluntary basis. The Federal Council therefore wants to introduce a reporting obligation for cyber-attacks on critical infrastructures. To this end, at its meeting on 2 December 2022, it approved the dispatch on the amendment of the Federal Act on Information Security as well as the associated draft law and passed it for the attention of the Swiss Parliament.
The law is intended to create the legal basis for the reporting obligation for operators of critical infrastructures and to specify the tasks of the NCSC, which is intended to be the central reporting office for cyber-attacks. Based on the reporting obligation, the NCSC shall in future have a better overview of the cyber-attacks that have occurred in Switzerland and the attackers’ modus operandi. According to the Federal Council’s press release, this shall make it possible to better assess the threat situation and to warn operators of critical infrastructures at an early stage.
According to the report on the consultation, there is broad support for the new law. The introduction of a reporting obligation and the establishment of the NCSC as a national reporting office are considered important steps towards improving cyber security in Switzerland. Another important concern mentioned in the consultation is that the reporting obligation should be implemented as unbureaucratically as possible and should not involve a great deal of additional work. To make reporting as simple as possible, the NCSC should provide an electronic reporting form. In this way, reports can be easily recorded and, if desired, transmitted directly to other agencies. The new law shall also define how the NCSC supports the economy and the population in protecting themselves against cyber threats. In particular, it shall regulate the function of the NCSC as a point of contact for questions on cyber threats and as a reporting centre for vulnerabilities.