12.01.2022 - The Federal Council today initiated the consultation on the proposed introduction of a reporting obligation for cyberattacks on critical infrastructures. The proposal creates the legal basis for the reporting obligation and defines the tasks of the National Cybersecurity Centre (NCSC), which is intended to be the central reporting office for cyberattacks. The consultation will last until 14 April 2022.
Cyberattacks have become a serious threat to Switzerland's security and economy. Every day, attacks are carried out on companies and authorities. On average, the NCSC receives over 300 reports concerning successful or attempted cyberattacks every week. These reports to the NCSC are submitted on a voluntary basis by companies, authorities and private individuals. They help the competent federal authorities to assess the threat situation and to recognise current attack patterns early on. The Federal Council now wishes to strengthen the reporting system by obliging the operators of critical infrastructures to report cyberattacks to the NCSC. The reporting obligation is intended to ensure that the NCSC can have a clearer picture of the situation based on comprehensive information and thus warn other critical infrastructure operators about cyberattacks at an early stage.
Reporting obligation for critical infrastructures
The reporting obligation for operators of critical infrastructures is to apply to cyberattacks that have the potential to cause significant damage. Specifically, these are attacks that endanger the proper functioning of critical infrastructures or are associated with extortion, threats or coercion. The NCSC is intended to be the central reporting office. In order to make reporting as simple as possible, the NCSC will provide an electronic reporting form. This will allow reports to be created easily and, if desired, transmitted directly to other units.
Confederation's obligation to provide support in the event of cyberattacks
The proposal not only obliges companies to help protect against cyberattacks; it also defines the Confederation's tasks in supporting the economy and the general public. The NCSC is thus tasked with warning the general public about cyberthreats and raising awareness of cyber-risks. The NCSC should also take receipt of reports concerning incidents and vulnerabilities, conduct technical analyses and recommend how those reporting should proceed. The NCSC should additionally support critical infrastructure operators, including cantonal and communal authorities, in dealing with cyberincidents. This support is to be provided as a type of first aid and only to the extent that it does not compete with services available on the market.
Previously, these cyber-risk protection tasks of the Confederation were carried out on the basis of existing mandates, but without being defined at legislative level. By enshrining the reporting obligation in the Information Security Act (ISA), the tasks of the NCSC, especially its responsibility as a reporting office, are now likewise to be set out in the ISA.
The consultation on the proposal will last until 14 April 2022.