The National Council is in favor of requiring operators of critical infrastructures to report cyberattacks with major damage potential to the NCSC within 24 hours in the future (Media release).
A corresponding amendment to the Information Security Act would require operators of critical infrastructures to report cyber attacks to the National Cyber Security Center (NCSC) in the future. The reporting obligation would apply, for example, to the Federal Council and Parliament, the Office of the Attorney General of Switzerland, the Armed Forces, universities, banks, private insurance companies and financial market infrastructures, healthcare facilities, medical laboratories, social insurers, the SRG, postal service providers, data center providers, etc. We have learned about the corresponding message and the draft reported.
Controversial issues in the National Council were the time limit of 24 hours between incident and report and the fine for a breach of the reporting obligation despite the NCSC’s order. In both cases, the majority in the National Council left it at the Federal Council’s draft.
The bill now goes to the Council of States, which will deal with it in the summer session.