Cybersecurity regulation in Switzerland (2026)
Switzerland's primary cybersecurity instrument is the Information Security Act (ISG), which entered into force on 1 January 2024 and sets binding information-security requirements for federal authorities and their service providers. A 2023 amendment to the ISG—brought into force on 1 April 2025 alongside the Cybersecurity Ordinance (CSO)—introduced a mandatory 24-hour cyberattack reporting duty for operators of critical infrastructure, backed by fines of up to CHF 100,000 for intentional or grossly negligent non-compliance. Financial sector entities face additional obligations under FINMA Circular 2023/1 on Operational Risks and Resilience, with a hard deadline of 1 January 2026 for full operational-resilience compliance.
Key points
The Federal Act on Information Security in the Confederation (ISG, SR 128) entered into force on 1 January 2024. It mandates uniform minimum information-security requirements—aligned with ISO 27001—for federal authorities, cantons entrusted with federal data, and private service providers processing sensitive federal information.
From 1 April 2025, operators of critical infrastructure across nine sectors (energy, health, finance, transport, drinking water, telecoms, digital services, etc., divided into 27 sub-sectors) must report cyberattacks to BACS within 24 hours of discovery, with a full report due within 14 days. Cloud, hardware, and software providers whose products are used by critical infrastructure are also in scope.
Sanctions for breach of the reporting obligation came into force on 1 October 2025. Operators who intentionally or through gross negligence fail to report face fines of up to CHF 100,000. By end-2025, BACS had received 325 reports under the new regime, with public administration (25%), IT/telecoms (18%), and banks/insurance (15.7%) as the leading sectors.
FINMA Circular 2023/1 'Operational Risks and Resilience—banks' imposes cyber-risk governance, business continuity, and operational-resilience requirements on all FINMA-supervised banks and securities firms, effective 1 January 2024. FINMA Guidance 05/2025 (November 2025) set a hard compliance deadline of 1 January 2026 for full operational-resilience alignment.
The former National Cyber Security Centre (NCSC) was elevated to the Federal Office for Cybersecurity (BACS) within the Federal Department of Defence, Civil Protection and Sport (DDPS). BACS is the designated recipient of all critical-infrastructure cyber incident reports and coordinates national cybersecurity strategy.
A further revision of the ISG is planned to extend cybersecurity obligations to additional industries and sectors beyond the current critical-infrastructure perimeter, indicating Switzerland's framework is still maturing toward broader coverage.
Timeline - major decisions & events
Sanctions under Art. 74h of the Information Security Act became enforceable for critical infrastructure operators that wilfully fail to report significant cyberattacks within the 24-hour deadline set by the NCSC. The Federal Council deliberately delayed enforcement by six months to allow affected organisations to prepare. (Source: NCSC – Swiss National Cyber Security Centre)
Switzerland's first cross-sector mandatory cyber incident reporting regime — amending the Information Security Act — took effect, requiring energy, water, and transport operators as well as cantonal and communal administrations to notify the NCSC within 24 hours of discovering a significant attack and submit a full report within 14 days. The accompanying Cybersecurity Ordinance (adopted by the Federal Council on 7 March 2025) provides implementing rules and reporting exceptions. (Source: Swiss Federal Council)
Three major instruments took effect simultaneously: the NCSC formally became a federal office under the Federal Department of Defence, Civil Protection and Sport (DDPS); the Information Security Act (ISA/ISG) entered into force for the entire federal administration; and FINMA Circular 2023/1 on operational risks and resilience became mandatory for banks and securities dealers (with resilience-specific transition periods running to 2026). (Source: NCSC – Swiss National Cyber Security Centre)
Parliament approved an amendment to the Information Security Act creating a statutory reporting obligation for cyberattacks on critical infrastructure — Switzerland's first cross-sector cyber reporting requirement. The vote was partly catalysed by the May 2023 Xplain ransomware incident and the resulting exposure of thousands of sensitive federal files. (Source: NCSC – Swiss National Cyber Security Centre)
The Play ransomware gang breached Xplain, a technology supplier to federal police, justice, and migration authorities; attackers published roughly 65,000 sensitive federal documents on the dark web in June 2023, including classified files and PII from the Federal Department of Justice and Police. The incident became the most significant Swiss government data breach on record and directly accelerated the mandatory reporting legislation. (Source: fedpol – Swiss Federal Police)
Switzerland's third national cyberstrategy replaced the 2018–2022 NCS with five strategic objectives: empowering citizens and businesses, securing digital services and critical infrastructure, defending against and managing cyberattacks, combating cybercrime, and deepening international cyber cooperation. (Source: NCSC – Swiss National Cyber Security Centre)
FINMA issued a revised and consolidated circular integrating Basel Committee operational resilience principles, requiring banks and securities dealers to adopt a structured cyber risk framework (identify, protect, detect, respond, recover), carry out regular penetration testing, and report significant cyber incidents to FINMA within 24 hours with a detailed follow-up within 72 hours. (Source: FINMA – Swiss Financial Market Supervisory Authority)
In a single session, the Federal Council resolved to transform the NCSC into an autonomous federal office effective 1 January 2024 (to be housed under DDPS) and adopted the dispatch proposing mandatory cyberattack reporting for critical infrastructure for submission to the Federal Assembly. (Source: NCSC – Swiss National Cyber Security Centre)
This executive ordinance created the first legally binding cybersecurity obligations across all federal administrative units, mandating risk management processes, incident reporting to the NCSC, and minimum protective measures — translating the NCS II strategic goals into operational requirements for government bodies. (Source: NCSC – Swiss National Cyber Security Centre)
The Swiss government and GovCERT published a 34-page technical report revealing that Turla (Snake/Uroburos) APT malware — linked to Russian-language threat actors — had infiltrated RUAG, the state-owned defence company, since at least September 2014 and exfiltrated more than 23 GB of data. The incident was a watershed for Swiss federal cyber defence and infrastructure protection policy. (Source: GovCERT / NCSC)
Last verified 5/24/2026 · Orientation, not legal advice - verify against the primary sources linked above.