Concept for coordinated cyberincident response

27.10.2025 - Due to the close interconnection of digital systems, cyberincidents can have an immediate impact on many different organisations. Successfully managing these incidents requires a coordinated approach involving all affected stakeholders, including those from the business and economic community, the cantons, and the federal government. The National Cyber Security Centre (NCSC) has developed a plan for coordinated cyberincident response, setting out how the federal government organises itself to ensure effective, coordinated management of incidents.

Cyberincidents can have far-reaching consequences. In addition to directly impacting those affected by system failures and operational disruptions, these events can also endanger the cybersecurity of third parties, particularly when data or IT resources used by multiple actors are compromised. In such cases, it is crucial that all affected parties are involved in the response. Businesses, the cantons, and the Confederation must act swiftly and in a coordinated manner. Clear responsibilities and transparent processes are key: the faster responsibility for each task is established, the better the damage can be contained. The necessary legal foundations for clarifying responsibilities and tasks are now in place, following the entry into force of the Information Security Act (ISA) in 2024 and the Cybersecurity Ordinance (CySO) and the Ordinance on the Crisis Organisation of the Federal Administration (OCOFA) in 2025.

Four-tier classification model provides clarity

Building on this legal framework, the NCSC has defined how coordinated incident response is to be organised. Central to this is a four-tier classification that ranks cyberincidents as low, moderate, serious or critical. The classification is based in particular on how many organisations in Switzerland are affected, and the impact on the economy and population. Depending on the classification, different coordination processes are activated and specific organisations become involved in the response. No coordination by the NCSC is envisaged for minor incidents ('low' category). For 'moderate' incidents, the NCSC provides subsidiary support to affected organisations. For 'significant' incidents, the NCSC assumes an active coordinating role. In the case of 'critical' incidents, the Federal Council is tasked with activating a crisis unit in accordance with the processes set out in the OCOFA. This classification system ensures that the measures taken reflect the actual scale of the incident, enabling resources to be deployed efficiently. The classification can be adjusted as an incident evolves, since the full extent of a cyberattack often only becomes clear as analysis progresses.

Putting coordinated incident response into practice

The coordinated incident response processes are already being applied in practice. Incidents in the 'low' and 'moderate' categories occur regularly, and cooperation between the NCSC and critical infrastructure operators and federal and cantonal authorities is well established. Thanks to the new legislation, the processes for 'significant' and 'critical' incidents are now defined. However, not all stakeholders are yet equally familiar with their respective roles, and these processes still need to become more firmly embedded. The NCSC will use this document on coordinated incident response to provide transparent information on responsibilities and tasks, and to support the further development of cooperation between all parties involved.

Last modification 27.10.2025

https://www.ncsc.admin.ch/content/ncsc/en/home/aktuell/im-fokus/2025/federal-incident-response.html