
Switzerland is introducing a new obligation for critical organizations: from April 1, 2025, they must report cyber incidents to the National Cyber Security Center (NCSC) within 24 hours of their discovery. Failure to comply after October 1, 2025 will result in fines of up to 100,000 Swiss francs (about $114,000).
The attacks that must be reported include:
The new policy is in line with the EU NIS Directive, which regulates the cybersecurity of critical service providers in Europe. Similar measures are already in place in the US and UK, where governments require rapid notification of attacks to ensure a swift response and reduce risks.
Recent experience has shown that critical infrastructure is increasingly becoming a target for hacking groups. Attacks such as hacking energy systems or disrupting transport networks can have devastating consequences.
Switzerland’s new rules are an important step forward in strengthening the country’s cybersecurity. They will help it respond quickly to threats and minimize potential damage from attacks. At the same time, companies will need to prepare for compliance to avoid financial sanctions after October 1, 2025.