Swiss critical sector faces new 24-hour cyberattack reporting rule www.bleepingcomputer.com/news/secu…

Switzerland’s National Cybersecurity Centre (NCSC) has announced a new reporting obligation for critical infrastructure organizations in the country, requiring them to report cyberattacks to the agency within 24 hours of their discovery.

The mandate is introduced via an amendment to the Information Security Act (ISA), which will go into effect on April 1, 2025. The law applies to critical service providers such as utilities, local government, and transportation organizations.

The first report must be submitted within 24 hours of the incident’s discovery, and a follow-up report with additional details will be expected in the next 14 days.

Switzerland calls this new requirement a milestone for cybersecurity in the country, noting that it is in accordance with the NIS Directive, an EU-wide cybersecurity legislation that applies to operators of essential services and digital service providers.