Natio­nal Coun­cil: Man­da­to­ry report­ing of cyber attacks supported

The Natio­nal Coun­cil is in favor of requi­ring ope­ra­tors of cri­ti­cal infras­truc­tures to report cyber­at­tacks with major dama­ge poten­ti­al to the NCSC within 24 hours in the future (Media release).

A cor­re­spon­ding amend­ment to the Infor­ma­ti­on Secu­ri­ty Act would requi­re ope­ra­tors of cri­ti­cal infras­truc­tures to report cyber attacks to the Natio­nal Cyber Secu­ri­ty Cen­ter (NCSC) in the future. The report­ing obli­ga­ti­on would app­ly, for exam­p­le, to the Fede­ral Coun­cil and Par­lia­ment, the Office of the Att­or­ney Gene­ral of Switz­er­land, the Armed Forces, uni­ver­si­ties, banks, pri­va­te insu­rance com­pa­nies and finan­cial mar­ket infras­truc­tures, heal­th­ca­re faci­li­ties, medi­cal labo­ra­to­ries, social insu­r­ers, the SRG, postal ser­vice pro­vi­ders, data cen­ter pro­vi­ders, etc. We have lear­ned about the cor­re­spon­ding mes­sa­ge and the draft repor­ted.

Con­tro­ver­si­al issues in the Natio­nal Coun­cil were the time limit of 24 hours bet­ween inci­dent and report and the fine for a breach of the report­ing obli­ga­ti­on despi­te the NCSC’s order. In both cases, the majo­ri­ty in the Natio­nal Coun­cil left it at the Fede­ral Council’s draft.

The bill now goes to the Coun­cil of Sta­tes, which will deal with it in the sum­mer session.