Switzerland: Fines for non-compliance with cyber-attack reporting obligations under amended Information Security Act takes effect

Fines for non-compliance with cyber-attack reporting obligations under amended Information Security Act takes effect

On 1 October 2025, the enforcement of fines under the amended Information Security Act begins. Since 1 April 2025, operators including cloud computing providers, search engines, digital security and trust services, and data centres in Switzerland ha…

Scope

Policy Area

Data governance

Policy Instrument

Cybersecurity regulation

Regulated Economic Activity

other service provider

Implementation Level

national

Government Branch

executive

Government Body

central government

Complete timeline of this policy change

Hide details

2022-01-12

in consultation

On 12 January 2022, the Swiss Federal Council opened a public consultation on a proposal to introdu…

2022-04-14

processing consultation

On 14 April 2022, the Swiss Federal Council closed the public consultation on potential amendments …

2022-12-02

under deliberation

On 2 December 2022, the Federal Council published its explanatory draft of the proposed revision of…

2023-09-29

adopted

On 29 September 2023, the Swiss parliament adopted the revision of the Information Security Act inc…

2025-04-01

in force

On 1 April 2025, the reporting obligation for cyber attacks on critical infrastructures included in…

2025-10-01

in force

On 1 October 2025, the enforcement of fines under the amended Information Security Act begins. Sinc…

Description

Fines for non-compliance with cyber-attack reporting obligations under amended Information Security Act takes effect

Scope

Complete timeline of this policy change