Cyberattacks that paralyse public services or result in the disclosure of sensitive data can undermine the public's trust in government institutions. Past incidents and the «2025 Myni Gmeind» survey on cybersecurity demonstrate that many communes could enhance their preparedness for cyberincidents. To help communes and organisations in Switzerland strengthen their cyber resilience in a simple and hands-on way, the NCSC has launched a project together with its partner network. As part of this project, an emergency planning model was developed to provide practical guidance on enhancing cyber resilience.
Emergency plans are a vital part of effective risk management. They enable organisations to analyse potential problems and their impacts, and address them proactively. By considering possible risks at an early stage, emergency plans enable organisations to identify and implement preventive measures. The topics covered include crisis organisation, crisis communication, key emergency contacts and concrete measures. Together, these elements form the basis of a coordinated and appropriate response in time-critical situations.
Emergency plan: four phases
Cyberattacks are now commonplace and affect not only large companies, but also communes, public administrations and SMEs. A cyberattack can quickly escalate into a crisis and create uncertainty. That is why every organisation needs an emergency plan. This type of plan has four phases, starting before an attack ever happens.
Phase 1: Incident preparedness

Phase 1 is about preparing for a possible cyberincident. The focus here is on baseline protection: a defined minimum set of technical and organisational security measures that an organisation should implement. This includes incident response plans to prevent incidents from escalating into crises. Key processes must also be defined for emergencies and crises. It is equally important to monitor your supply chain.
Important resources:
- Recommendations ICT minimum standard
- Cybersecurity in the supply chain
- Basic requirements for IT and OT (basic protection - to be published in 2026)
Phase 2: An incident occurs

When a cyberincident occurs, every minute counts. Phase 2 begins. This is when the emergency checklist comes into play: it specifies who must be notified of a cyberincident and how the incident should be described.
Phase 3: Incident response
Phase 3 deals with incident response. If the incident cannot be contained quickly or if the impact is serious, the emergency and crisis plan is activated. Clearly defined responsibilities are crucial here. The emergency organisation – and, in the case of a crisis, a crisis management unit – coordinates measures, brings in external support if needed, and takes charge of internal and external communication.
Phase 4: Debriefing

In phase 4, the cyberincident and its response are analysed. A structured debriefing helps draw lessons and continuously improve incident, emergency and crisis planning.
Brown Bag Lunch: emergency plan
On 20 and 27 November, the NCSC will hold Brown Bag Lunches for Swiss communes, each from 12pm to 1pm, to present the emergency planning model and associated tools. These events will be held in French and German, and will later be translated and subtitled before being published on the NCSC's YouTube channel.
To register for the event, visit:
- MS Teams: Brown Bag Lunch in French on 20 November
- MS Teams: Brown Bag Lunch in German on 27 November
Feedback form
Feedback on the project is collected on an ongoing basis via the feedback form.
Last modification 10.11.2025

