BR: Mandatory notification of critical infrastructure in the event of cyber attacks

On December 11, 2020, the Federal Council instructed the FDF to develop a Consultation draft for the Introduction of a reporting obligation for operators of critical infrastructures in the event of cyber attacks to work out.

In 2012, the Federal Council had for the first time developed or adopted a strategy for the protection of critical infrastructures (CIP), which at the end of 2017 was SKI 2017-2022 was replaced. However, a definition of the term “safety incident” was missing, which is also reflected in the Postulate “Mandatory reporting of serious security incidents in critical infrastructures”. had been taken up by NR Graf-Litscher. The postulate was adopted in parliament advise and written off on 14.9.2020. However, the Federal Council had acknowledged the need for improvement and decided to examine the introduction of a reporting obligation.

On this basis, the Federal Council had commissioned a report, the result of which is the present FDF report of 11 December 2020 on the legal basis for a reporting obligation for serious security incidents in critical infrastructures followed by the decision of the Federal Council to prepare a consultation draft.

In its decision, the Federal Council specified,

to designate a central reporting office and to determine it uniformly for all sectors;
Define criteria for who should report which incidents and within what timeframe;
to define the specific provisions for the reporting obligation in appropriate decrees, adapted to the sector-specific circumstances;
align the reporting obligation with existing sectoral and data protection reporting obligations.

The reports to MROS are intended to establish an early warning system. Not only the reporting of “cyber incidents” is under discussion, but also a reporting obligation for significant security gaps in critical infrastructures (report, p. 14). – The consultation draft should also examine how existing de lege lata reporting obligations for functional failures of critical infrastructures (see p. 9 f. of the report) can or should be developed or expanded.

David Vasella

December 14, 2020

Deutsch

Authority

Federal Council

Area

Privacy, Security & Resilience

Topics

Cybercrime, Cybersecurity, ISG, critical infrastructures

common search words

Topics

BR: Mandatory notification of critical infrastructure in the event of cyber attacks

Federal Department of Defense, Civil Protection and Sport (DDPS): Mandatory reporting of cyberattacks on critical infrastructures will probably come in 2025

FINMA Risk Monitor 2023: Cyber risks and outsourcing

Federal Council: ISG and ordinance law in force as of 1.1.2024

National Council: Mandatory reporting of cyber attacks supported

com­mon search words

Topics

BR: Man­da­to­ry noti­fi­ca­ti­on of cri­ti­cal infras­truc­tu­re in the event of cyber attacks

Fede­ral Depart­ment of Defen­se, Civil Pro­tec­tion and Sport (DDPS): Man­da­to­ry report­ing of cyber­at­tacks on cri­ti­cal infras­truc­tures will pro­ba­b­ly come in 2025

FINMA Risk Moni­tor 2023: Cyber risks and outsourcing

Fede­ral Coun­cil: ISG and ordi­nan­ce law in force as of 1.1.2024

Natio­nal Coun­cil: Man­da­to­ry report­ing of cyber attacks supported

common search words

BR: Mandatory notification of critical infrastructure in the event of cyber attacks

Federal Department of Defense, Civil Protection and Sport (DDPS): Mandatory reporting of cyberattacks on critical infrastructures will probably come in 2025

FINMA Risk Monitor 2023: Cyber risks and outsourcing

Federal Council: ISG and ordinance law in force as of 1.1.2024

National Council: Mandatory reporting of cyber attacks supported