Failure to report cyberattacks on critical infrastructure: legal obligations and criminal consequences
Since April 2025, the Information Security Act of 18 December 2020 (ISA) requires various authorities, public sector enterprises and private organisations operating critical infrastructure to report cyberattacks to the National Cyber Security Centre (NCSC).
Starting in October 2025, non-compliance with this reporting obligation may lead to criminal liability for individuals within these organisations, particularly the board members, executives and employees who are internally responsible for compliance with the reporting obligation.
This article provides a short overview of the obligation to report cyberattacks to the NCSC and the consequences under criminal law if this obligation is not fulfilled.
Scope of the Reporting Obligation under ISA
Authorities, public sector enterprises and private organisations operating critical infrastructure must ensure that cyberattacks on their IT resources are reported to the NCSC (art. 74b para. 1 ISA). The reporting obligation serves exclusively to enable the NCSC to identify attack patterns on critical infrastructures at an early stage so that it can warn those potentially affected and recommend appropriate prevention and defence measures (art. 74a para. 4 ISA).
According to art. 5 let. c ISA, the critical infrastructure includes drinking water and energy supply, information, communication and transport infrastructure, as well as other processes, systems and facilities that are essential for the functioning of the economy and the well-being of the population.
Authorities and companies operating in these sectors must determine whether they are required to report cyberattacks to the NCSC. The NCSC provides interested authorities and organisations with information on whether they are subject to the reporting obligation and issues a corresponding order upon request (art. 74a para. 2 ISA).
Pursuant to art. 74b ISA, the following organisations, among others, are subject to the reporting obligation:
- universities;
- federal, cantonal and communal authorities;
- organisations with public law functions in the areas of security and rescue, drinking water supply, waste water treatment and waste disposal;
- companies active in the areas of energy supply, energy trading, energy measurement or energy control;
- banks and insurers and other companies subject to banking, insurance or financial market infrastructure regulations;
- hospitals and pharmaceutical companies;
- the Swiss Radio and Television Corporation and news agencies of national importance; and
- companies that supply the population with essential everyday goods and whose failure or impairment would lead to significant supply bottlenecks.
From a substantive point of view, art. 74d ISA makes a report by the authorities and organisations falling under art. 74b ISA mandatory if the cyberattack:
- jeopardises the functionality of the critical infrastructure affected;
- has led to a manipulation or outflow of information;
- remained undetected for an extended time period, in particular if there are indications that it was carried out in preparation for further cyberattacks; or
- is associated with blackmail, threats or coercion.
A notification of the cyberattack must be filed within 24 hours of its discovery (art. 74e para. 1 ISA). Only the information known up to that point must be reported within 24 hours; the report can be supplemented later.
The cyberattack must be reported on the "Federal Law Publication Platform" in German, French or Italian only. A step-by-step guide is provided to help organisations determine whether an incident must be reported and how to report it correctly.
Overlap between reporting obligation to FINMA and other authorities
According to art. 29 para. 2 of the Financial Market Supervision Act (FINMASA), any entity supervised by FINMA, as well as their auditors, must report incidents of substantial supervisory relevance to FINMA immediately. This obligation may overlap with the reporting obligation under the ISA. A single cyber incident can trigger both, requiring separate reports to FINMA and the NCSC. Reporting to only one authority is insufficient.
Further overlaps may arise with other legal frameworks, particularly data-protection law. Hence, in the event of a data breach during a cyberattack, there may also be an obligation to report the incident to the Swiss Federal Data Protection and Information Commissioner (FDPIC) in accordance with applicable data protection regulations.
To simplify this process, particularly for smaller entities, art. 74f para. 2 ISA requires that the reporting system of the NCSC allows cyber-incident notifications to be shared (fully or partially) with all relevant authorities. Ideally, a single legally compliant report would cover multiple authorities, depending on the nature of the incident. For instance, an attack affecting a financial service provider and involving personal data may need to be reported to the NCSC, FINMA and the FDPIC. Each authority, however, requires different information: the NCSC focuses on the nature of the attack, the FDPIC on data protection, and FINMA on institutional stability and client protection. Art. 74f para. 2 ISA therefore allows simultaneous reporting, but each authority may access only the data relevant to its mandate, in line with the data minimisation principle. Granting broad or undifferentiated access would violate this principle and could breach other laws, such as banking secrecy. Consequently, any consolidated report must ensure that each authority can view only the section intended for it (art. 74f para. 3 ISA).
Criminal consequences of non-compliance
From 1 October 2025 onwards, failure to comply with the obligation to report cyberattacks may result in criminal liability. Any board member, managing director or employee of an entity subject to the duty to report cyberattacks under ISA who is responsible for fulfilling this obligation on behalf of the entity and who fails to comply with the reporting obligation may face fines of up to CHF 100,000 after two deadlines set by the NCSC have passed without result. In this context, it should be noted that the individuals within the organisation who are obliged to report to the NCSC do not have to provide any information that could incriminate them under criminal law (art. 74e para. 2-4 ISA).
The enforcement mechanism is structured in three phases. In the first phase, the NCSC informs the authority or organisation subject to the reporting obligation that there are indications of a breach of that obligation and sets a reasonable deadline for compliance, giving the entity a further opportunity to fulfil its obligation. If the information in a notification of a cyberattack is incomplete or imprecise, the NCSC may also request further information from the reporting party at the time of the notification. The deadline set by the NCSC can be extended.
Should the organisation fail to comply within the first deadline, the NCSC proceeds to the second phase by issuing a formal order under art. 74g ISA. This order establishes that the reporting obligation has been breached, sets a second deadline and refers to the penal provision in art. 74h ISA. The NCSC must specify the violated obligations clearly in the order, so that there is no doubt as to what the entity must do to comply. According to the Federal Council's dispatch on the amendment of the ISA, the NCSC issues an order threatening a fine if those obliged to report fail to act within the set deadline despite an obvious breach of obligation. The wording of art. 74g para. 2 ISA itself, however, requires neither a complete failure to act nor an otherwise obvious breach of obligation as a condition for the NCSC to issue an order threatening criminal liability.
In principle, the second deadline set by the NCSC can also be extended if the entity subject to the reporting obligations requests it. Practice, however, will show how willing the NCSC will be to extend the second deadline.
If the entity still does not comply with the binding order referring to criminal liability issued by the NCSC, or with any appeal decision concerning that order, the NCSC will, in a third step, file a criminal complaint with the competent cantonal law enforcement authority (art. 74h para. 4 ISA).
Who may face criminal liability?
Although the obligation to report cyberattacks under the ISA applies to the organisation as a whole, it is the individuals within the organisation who are responsible for ensuring compliance, and it is they who may incur personal criminal liability for failing to implement the reporting obligation.
Who is responsible for fulfilling the reporting obligation depends on the entity’s internal organisational structure. Typically, this includes employees who are explicitly assigned to report cyber incidents. Liability, however, is not limited to these individuals. Senior personnel such as board members, managing directors, and other executives may also be held criminally liable if, in breach of their supervisory or organisational duties, they fail to prevent the violation committed by a subordinate employee or fail to remedy its effects (art. 6 para. 2 of the Administrative Criminal Law Act in connection with art. 74h para. 2 ISA).
If the fine envisaged does not exceed CHF 20,000, the law enforcement authority may refrain from prosecuting the responsible individuals and instead impose the fine directly on the company (art. 74g-74h ISA). This applies particularly where identifying the liable individuals would require investigative measures that would be disproportionate considering the penalty incurred.
Importantly, the legislator has refrained from criminalising a negligent failure to comply with the reporting obligation. In practice, however, intentional breaches will be construed broadly, since the NCSC establishes the breach in its order and sets a deadline for remedying it under threat of a fine, so that a continued failure to report after that point is a knowing one.
Outlook
The introduction of an obligation to report cyberattacks on critical infrastructure was an essential step towards improving cybersecurity in Switzerland. By recording cyber incidents centrally, threats can be analysed more effectively, enabling preventive measures to be implemented more efficiently.
The fact that such an obligation is accompanied by criminal liability for those responsible is in line with the current trend towards criminalising breaches of duty. Until the criminal consequences come into force in October 2025, companies and authorities should use the remaining time to review their reporting processes and optimise their IT security strategies.
For more information on reporting obligations and criminal proceedings in Switzerland, contact your CMS client partner or local CMS experts.