TL;DR
Switzerland now requires operators of critical infrastructure to report cyberattacks to the National Cyber Security Centre within 24 hours of discovery. The obligation is law, not guidance — and the hard part isn't knowing the rule, it's proving you can detect, decide, and report inside a single day. Building that muscle before an incident is the difference between a controlled notification and a compliance failure on your worst day.
A reporting clock measured in hours
Under the amended Information Security Act, Switzerland's National Cyber Security Centre (NCSC/BACS) operates a mandatory reporting duty for operators of critical infrastructure. The core mechanic is exacting: once a qualifying cyberattack is discovered, the clock to notify the NCSC with an initial report runs in hours, not days.
Why 24 hours is harder than it sounds
Most operators assume they'd know quickly if they were attacked. In reality, the reporting window exposes three weaknesses at once: whether your monitoring actually detects the event, whether your team can classify it as reportable fast enough, and whether someone has the authority and the information to file within the window. A duty measured in hours turns incident response from a technical exercise into a governance one.
From chaos to a repeatable workflow
The operators who handle this well pre-decide everything they can: what counts as reportable, who owns the decision, what information the notification needs, and where the supporting evidence lives. This is exactly where a GRC platform earns its place. 6clicks lets critical infrastructure teams log, triage, and escalate incidents through automated workflows, with the control and evidence trail tied to the obligation so a 24-hour notification is retrieved from a live system rather than reconstructed under pressure. Because 6clicks runs on Sovereign GRC Infrastructure — deployable in Swiss-hosted sovereign cloud, on-premises, or air-gapped environments — operators keep sensitive incident data inside Swiss boundaries while still maintaining audit-ready records.
Don't wait for an incident to test your reporting process. Book a strategy call with 6clicks to pressure-test your 24-hour readiness.
Frequently asked questions