Skip to content
All Blogs

Switzerland's 24-hour cyber reporting rule: What critical infrastructure operators must do now

Published
Switzerland's 24-hour cyber reporting rule: What critical infrastructure operators must do now
Switzerland's 24-hour cyber reporting rule: What critical infrastructure operators must do now
2:22

 

 


TL;DR

 

Switzerland now requires operators of critical infrastructure to report cyberattacks to the National Cyber Security Centre within 24 hours of discovery. The obligation is law, not guidance — and the hard part isn't knowing the rule, it's proving you can detect, decide, and report inside a single day. Building that muscle before an incident is the difference between a controlled notification and a compliance failure on your worst day.

A reporting clock measured in hours

 

Under the amended Information Security Act, Switzerland's National Cyber Security Centre (NCSC/BACS) operates a mandatory reporting duty for operators of critical infrastructure. The core mechanic is exacting: once a qualifying cyberattack is discovered, the clock to notify the NCSC with an initial report runs in hours, not days.

Why 24 hours is harder than it sounds

Most operators assume they'd know quickly if they were attacked. In reality, the reporting window exposes three weaknesses at once: whether your monitoring actually detects the event, whether your team can classify it as reportable fast enough, and whether someone has the authority and the information to file within the window. A duty measured in hours turns incident response from a technical exercise into a governance one.

From chaos to a repeatable workflow

The operators who handle this well pre-decide everything they can: what counts as reportable, who owns the decision, what information the notification needs, and where the supporting evidence lives. This is exactly where a GRC platform earns its place. 6clicks lets critical infrastructure teams log, triage, and escalate incidents through automated workflows, with the control and evidence trail tied to the obligation so a 24-hour notification is retrieved from a live system rather than reconstructed under pressure. Because 6clicks runs on Sovereign GRC Infrastructure — deployable in Swiss-hosted sovereign cloud, on-premises, or air-gapped environments — operators keep sensitive incident data inside Swiss boundaries while still maintaining audit-ready records.

 

Don't wait for an incident to test your reporting process. Book a strategy call with 6clicks to pressure-test your 24-hour readiness.

Frequently asked questions

Operators of critical infrastructure as defined under the Information Security Act — sectors such as energy, water, transport, health, telecoms, and finance. Confirm your specific scope against current NCSC guidance. 

The obligation centres on a 24-hour window after discovery of a qualifying cyberattack, followed by more detailed follow-up information within 14 days.

The regime carries enforcement provisions that apply starting April 1st, 2026. Beyond penalties, a missed or late report is a governance failure that's hard to defend to regulators, boards, and customers.

Ready to transform GRC with 6clicks?

Let’s show you how it works for your team.

awards-mobile-v3