- ISG and four implementing ordinances came into force on January 1, 2024.
- Amendments with mandatory reporting of cyber attacks on critical infrastructures are still pending.
- Parliament adopted the amendments on September 29, 2023; referendum period ends on January 18
- DDPS plans consultation in 1st half of 2024; reporting obligation expected to enter into force on January 1, 2025
The Information Security Act and its four implementing ordinances recently came into force on January 1, 2024 (see here). This legislative package does not include the amendments to the ISG, which were introduced during the legislative process and in particular provide for a reporting obligation for cyberattacks on critical infrastructures. According to this, operators of critical infrastructures must report cyberattacks to the National Cyber Security Center within 24 hours under certain circumstances (for details, see here). Parliament has approved the Amendments to the ISG adopted on September 29, 2023, the referendum deadline expires on January 18.
The associated ordinance provisions are currently being drafted by the Department of Defense, Civil Protection and Sport (DDPS). The DDPS has communicated on November 13, 2023The Federal Council is expected to conduct a consultation in the first half of 2024. It is therefore to be expected that information on the consultation procedure will soon be available on Fedlex (see Planned consultationsor Ongoing consultations).
According to the DDPS, planning is currently geared towards the provisions on the reporting obligation coming into force on January 1, 2025. Operators of critical infrastructures are therefore likely to have a good year to prepare for the new obligations.