- National Council advocates mandatory reporting of cyberattacks with high damage potential to the NCSC within 24 hours.
- Mandatory reporting affects numerous critical infrastructures such as authorities, banks, healthcare, SRG, Swiss Post and data center providers.
- Controversy over the 24-hour deadline and the fine for non-compliance despite an NCSC order; the National Council follows the Federal Council's draft.
- The bill will be referred to the Council of States for discussion in the summer session.
The National Council is in favor of requiring operators of critical infrastructures to report cyberattacks with major damage potential to the NCSC within 24 hours (media release).
A corresponding amendment to the Information Security Act would in future require operators of critical infrastructures to report cyberattacks to the National Cyber Security Center (NCSC). The reporting obligation would apply, for example, to the Federal Council and Parliament, the Office of the Attorney General of Switzerland, the Armed Forces, universities, banks, private insurance companies and financial market infrastructures, healthcare facilities, medical laboratories, social insurers, the SRG, postal service providers and data center providers. We have reported on the corresponding message and the draft.
The controversial issues in the National Council were the 24-hour time limit between incident and report, and the fine for a breach of the reporting obligation despite the NCSC's order. In both cases, the majority in the National Council stayed with the Federal Council's draft.
The bill now goes to the Council of States, which will deal with it in the summer session.