No. As a private individual, you are not bound by this obligation to report. However, voluntary reports also help the NCSC to recognise trends or take countermeasures. You can find the form for voluntary reports here: https://www.report.ncsc.admin.ch/en/
Fundamentals
In Switzerland, there is an obligation to report cyber incidents for companies that operate critical infrastructures. These companies are required to report cyber incidents to the NCSC. The reporting obligation is governed by the Information Security Act (ISA) and the Cybersecurity Ordinance. For companies that are not part of the critical infrastructure community, there is currently no legal obligation to report cyber incidents. However, it is recommended that such incidents be reported voluntarily to the NCSC to contribute to general cyber security.
All companies headquartered in Switzerland that fall within the scope of the law and the ordinance are subject to the reporting obligation.
A cyberattack must be reported if it jeopardises the operability of the critical infrastructure concerned, has led to a manipulation or information exfiltration, has remained undetected for a longer period or is associated with blackmail, threats or coercion.
Yes, you can report cyber incidents even if you are not required to do so. It is even recommended that you voluntarily report such incidents to the NCSC. This contributes towards improving overall cyber security and helps to recognise and combat potential threats at an early stage.
The organisation that is affected by the attack is always required to report it. If you are attacked and your customers are considered critical infrastructure, you must report it in accordance with the ISA/Cybersecurity Ordinance. In the case of municipalities, for example, the MSP can also submit a report on behalf of the municipality affected by the cyberattack, but this must then be indicated and documented accordingly.
The operator of the networks is required to report, in this case the canton.
Reporting process
The following reporting options are available:
Companies with an account on the Cyber Security Hub (CSH), the NCSC exchange platform with companies, can report directly via this portal. Reporting companies that do not yet have a CSH account are advised to open an account with the CSH.
Further information can be found at: Cyber Security Hub
For companies without an account on the CSH, the NCSC provides an alternative reporting channel via e-mail. Information on this process will be published on the NCSC website before the reporting obligation comes into force.
Yes, even if you do not yet have full information, you must submit an initial report within 24 hours. You can then submit a final and complete report with additional information within 14 days.
You can report the cyberattack via the report button on the NCSC website using an email template. The NCSC recommends that critical infrastructures register on the CSH.
In accordance with Art. 74a para. 2 ISA, the NCSC is required to inform all interested authorities and organisations whether they are subject to the reporting obligation. It issues a corresponding decision upon request.
For organisations that are registered on the CSH, the hub shows whether the NCSC considers them to be subject to the reporting obligation or not.
The additional workload for companies is generally low, as the reporting form is very simple and limited to the bare minimum. In the Cybersecurity Ordinance, the Federal Council also issued far-reaching exemptions for small companies.
In addition, the NCSC is available to provide initial assistance to the reporter, which in many cases can also reduce the initial workload.
The accounts on the CSH are personal accounts; there is no option for group mails. The NCSC must be able to identify the CSH participants.
Exceptions and special cases
No, this is not an attack on the critical infrastructure. However, the NCSC recommends seeking a detailed clarification by an IT specialist.
In the event of a DDoS attack on a non-critical application, there is no automatic reporting obligation. The decisive factor is whether the attack jeopardises the operability of the critical infrastructure as a whole. If the system interruption has no impact on mission-critical functions, the core services are not affected and there is no risk of lateral movement, the incident does not have to be reported. The reporting obligation is based on the actual impact on operability.
In such cases, the provider concerned - such as Q - is primarily responsible for reporting the incident, provided it falls under the reporting obligation. However, the NCSC is dependent on information from users: If you notice any signs of such an incident, please let us know so that we can assess the situation and act if necessary.
Support from the NCSC and cooperation
If reporters explicitly state that their report is to be sent to third-party authorities such as the FDPIC, FINMA, FSIO or SEPOS, it will be forwarded accordingly. This allows several reporting obligations to different authorities to be fulfilled from a single centralised form. Any queries or requests for additional information are then sent directly from the relevant authorities to the reporting organisation.
Institutions that are also subject to the reporting obligation under the Information Security Act (ISA; SR 128) can submit their initial report, which must be made within 24 hours of discovering the cyberattack, using the reporting form of the NCSC. It is possible to have the report forwarded to FINMA at the same time - as long as timely transmission can be ensured. The detailed report must still be submitted within 72 hours via FINMA's survey and application portal (EHP).
No, the reporting parties have to do that themselves.
The NCSC guarantees the protection of the reported information. For almost 20 years, the NCSC and its predecessor organisations such as MELANI have regularly exchanged information with operators of critical infrastructures and treated information confidentially.
The numerous reports received by the NCSC via the reporting form are also treated confidentially by the NCSC. In order to warn the population, these reports are anonymised, categorised and statistically recorded. This is also done with the data from the mandatory reporting system.
There will be no active supervision of compliance with the reporting obligation. If the NCSC learns of a cyberattack that is subject to the reporting obligation but has not been reported, it will contact the organisation concerned and draw its attention to the reporting obligation. If the organisation still fails to comply with the reporting obligation, the NCSC will issue a decision with a threat of a penalty. If a report is still not submitted, the NCSC can file a complaint with the competent prosecution authorities.
When a report is received by the NCSC, it is analysed. If the company concerned requests support, the NCSC contacts them. Reported attacks help the NCSC to better assess the threat situation and warn potential victims earlier so that they can take appropriate protective measures.
The NCSC provides technical assistance as initial support. However, this is not intended to compete with market-based services. Depending on the extent of the attack, the NCSC will therefore ask those affected to seek help from specialised companies if they have not already done so. The NCSC remains available to advise victims and any specialists that may have been hired.
No. The NCSC does not negotiate with blackmailers. It does, however, provide initial technical assistance and support in assessing the situation and restoring the systems. The police and prosecution authorities are responsible for legal action or negotiations.
An automated confirmation of receipt will be sent immediately. If you require technical support, the NCSC can be contacted via the on-call number, even outside office hours and at weekends.
Deadlines and consequences of violations
The deadline of 14 days includes non-working days (also Saturday/Sunday).
You must report the incident to the NCSC within 24 hours of discovering it. In this example, on Monday morning.
The NCSC can only inform a company subject to the reporting obligation of this obligation if it becomes aware of a reportable cyber incident itself. If there is no response within the deadline after the submission of the report, the NCSC will issue a decision with a threat of a penalty. If the report is still not submitted, the NCSC can report the incident to the competent prosecution authorities.
Last modification 31.03.2025