On December 11, 2020, the Federal Council instructed the FDF to develop a Consultation draft for the Introduction of a reporting obligation for operators of critical infrastructures in the event of cyber attacks to work out.
In 2012, the Federal Council had for the first time developed or adopted a strategy for the protection of critical infrastructures (CIP), which at the end of 2017 was SKI 2017-2022 was replaced. However, a definition of the term “safety incident” was missing, which is also reflected in the Postulate “Mandatory reporting of serious security incidents in critical infrastructures”. had been taken up by NR Graf-Litscher. The postulate was adopted in parliament advise and written off on 14.9.2020. However, the Federal Council had acknowledged the need for improvement and decided to examine the introduction of a reporting obligation.
On this basis, the Federal Council had commissioned a report, the result of which is the present FDF report of 11 December 2020 on the legal basis for a reporting obligation for serious security incidents in critical infrastructures followed by the decision of the Federal Council to prepare a consultation draft.
In its decision, the Federal Council specified,
- to designate a central reporting office and to determine it uniformly for all sectors;
- Define criteria for who should report which incidents and within what timeframe;
- to define the specific provisions for the reporting obligation in appropriate decrees, adapted to the sector-specific circumstances;
- align the reporting obligation with existing sectoral and data protection reporting obligations.
The reports to MROS are intended to establish an early warning system. Not only the reporting of “cyber incidents” is under discussion, but also a reporting obligation for significant security gaps in critical infrastructures (report, p. 14). – The consultation draft should also examine how existing de lege lata reporting obligations for functional failures of critical infrastructures (see p. 9 f. of the report) can or should be developed or expanded.