Switzerland's Cybersecurity — A New Requirement for Critical Infrastructure Operators
On January 12, 2022, the Federal Council opened the public discussion and request for statements on implementing the requirement to disclose cyberattacks to the National Cyber Security Defence Center (NCSC, formerly MELANI) and on the accompanying revision to the Information Security Act (ISG). The deadline for statements is April 14, 2022.
Cyber risks have emerged as one of the most severe threats to Switzerland's economy and security. Attacks against Swiss enterprises must be detected as soon as feasible, and the threat situation must be assessed as precisely as possible.
The proposed measure requires critical infrastructure operators, such as telecommunication providers operating critical telecom infrastructure or providers of critical electricity infrastructure, to report cyberattacks. The reporting requirement should allow the National Cybersecurity Center (NCSC) to get a more accurate picture of cyberattacks in Switzerland, assist those who are affected in coping with them, and alert all other critical infrastructure operators. At the same time, the new requirements also define the duties of the NCSC.
Many jurisdictions already have a reporting requirement for cyberattacks, and one has been in effect in all EU member states since 2018.
The proposed legislation is compatible with existing reporting duties (including the newly implemented monitoring requirements under the data protection law). It is meant to require the least amount of additional effort for the firms and agencies involved.