On 1 April 2025, the reporting obligation for cyber attacks on critical infrastructure, introduced by the 2023 amendments to the Information Security Act, comes into effect. The amendment to the law was adopted on 29 September 2023, and the Federal Council officially approved these obligations on 7 March 2025. The obligation applies to critical infrastructure operators, including providers of cloud computing, search engines, digital security and trust services, and data centres based in Switzerland. Critical infrastructure includes energy and water supply, transportation, and the administration of municipalities or cantons. Within 24 hours of discovery, these operators must report, through the Federal Office for Cyber Security (BACS) platform, any cyber attack that threatens infrastructure functionality, causes data leaks or manipulation, or involves threats or coercion.