
Critical infrastructures: obligation to report cyber attacks
Since April 1, 2025, operators of critical infrastructures in Switzerland have been required to report any cyber-attack to the Federal Office for Cybersecurity (FOCS) within 24 hours of detection. Our Risk Management specialist, Grégoire Mottier, and Cyber Risk specialist, Lionel Ducommun, take a closer look at this landmark measure.
This new measure is designed to strengthen the resilience of the organizations concerned in the face of the growing threat of cyber incidents, and to ensure a rapid response to protect the country’s vital sectors.
A proactive approach
In the face of an upsurge in cyber-attacks, Switzerland is adopting a stricter framework to protect the country's strategic infrastructures, based on a proactive approach that is now indispensable. The new regulations, the result of an amendment to the Information Security Act adopted in 2023, are designed to ensure effective coordination between the FOCS and the companies concerned, in order to quickly bring incidents under control and limit their impact.
Which sectors are affected?
Sectors affected by this obligation include:
- Energy: electricity, gas, oil
- Drinking water supply
- Transport: rail, road, air, sea
- Health: hospitals, clinics, emergency services
- Finance: banking, insurance, financial markets
- Information and communication technologies: telecommunications, internet
- Food: production, distribution
- Public administration: government services, local authorities, municipalities
- Public safety: police, emergency services
Challenges not to be underestimated
This new regulation raises a number of key questions for the players involved:
- Are existing security systems still adapted to today’s cyberthreats?
- Are the risks of information manipulation or leakage sufficiently anticipated?
- Do the players involved have the tools they need to report quickly and effectively?
- Are even minor incidents systematically reported?
- Are the framework conditions for the right to make mistakes rigorously applied within the organizations concerned?
A simplified system
To support this transition, a reporting form has been set up on a dedicated platform. This system enables operators to report incidents rapidly, and to add further information within 14 days if necessary.
The obligation to report cyber attacks against critical infrastructures came into force on April 1, 2025.
In addition, penalties for non-compliance with this obligation will only be applied from October 1, 2025, giving companies a six-month adaptation period.
A stronger commitment from the federal authorities
With this new measure, Switzerland is reaffirming its commitment to protecting its strategic infrastructures and fostering close cooperation between the public and private sectors.