Switzerland: Fines for non-compliance with cyber-attack reporting obligations under amended Information Security Act takes effect
Description
Fines for non-compliance with cyber-attack reporting obligations under amended Information Security Act takes effect
On 1 October 2025, the enforcement of fines under the amended Information Security Act begins. Since 1 April 2025, operators including cloud computing providers, search engines, digital security and trust services, and data centres in Switzerland have been required to report cyber-attacks within 24 hours of discovery via the Federal Office for Cyber Security (BACS) platform. During the initial six-month period, reporting was mandatory but not subject to penalties. With the introduction of fines, operators that fail to report incidents affecting infrastructure functionality, causing data leaks or manipulation, or involving threats or coercion will now be subject to enforcement measures.
Original sourceScope
Policy Area
Data governance
Policy Instrument
Cybersecurity regulation
Regulated Economic Activity
other service provider
Implementation Level
national
Government Branch
executive
Government Body
central government
Complete timeline of this policy change
Hide details
2022-01-12
in consultation
2022-04-14
processing consultation
2022-12-02
under deliberation
2023-09-29
adopted
2025-04-01
in force