Switzerland: Federal Council adopted Decree on Implementation of the Amendment to Federal Act on Information Security

On 7 March 2025, the Federal Council adopted the Decree on the Implementation of the Amendment to the Federal Act on Information Security. The decree enforces the reporting obligation for cyber-attacks on critical infrastructure, introduced in the 2023 amendments to the Information Security Act. The obligation takes effect on 1 April 2025, following the amendment’s adoption on 29 September 2023. The requirement applies to critical infrastructure operators, including providers of cloud computing, search engines, digital security and trust services, and data centres based in Switzerland. Operators must report cyber-attacks that threaten infrastructure functionality, result in data leaks or manipulation, or involve threats or coercion. Reports must be submitted via the Federal Office for Cyber Security (BACS) platform within 24 hours of discovery. To provide those affected with enough time to adjust to the new reporting obligation, the Federal Council has decided not to enforce the legal basis for fines until 1 October 2025.