Cybersecurity · Switzerland

Comprehensive law: Federal Act on Information Security in the Confederation (ISG/ISA), SR 128, in force 1 January 2024; amended with mandatory cyber incident reporting for critical infrastructure from 1 April 2025; administered by the Federal Office for Cybersecurity (BACS), formerly NCSC

Switzerland's primary cybersecurity instrument is the Information Security Act (ISG), which entered into force on 1 January 2024 and sets binding information-security requirements for federal authorities and their service providers. A 2023 amendment to the ISG—brought into force on 1 April 2025 alongside the Cybersecurity Ordinance (CSO)—introduced a mandatory 24-hour cyberattack reporting duty for operators of critical infrastructure, backed by fines of up to CHF 100,000 for intentional or grossly negligent non-compliance. Financial sector entities face additional obligations under FINMA Circular 2023/1 on Operational Risks and Resilience, with a hard deadline of 1 January 2026 for full operational-resilience compliance.

ISG core framework

The Federal Act on Information Security in the Confederation (ISG, SR 128) entered into force on 1 January 2024. It mandates uniform minimum information-security requirements—aligned with ISO 27001—for federal authorities, cantons entrusted with federal data, and private service providers processing sensitive federal information.

Mandatory incident reporting (April 2025)

From 1 April 2025, operators of critical infrastructure across nine sectors (energy, health, finance, transport, drinking water, telecoms, digital services, etc., divided into 27 sub-sectors) must report cyberattacks to BACS within 24 hours of discovery, with a full report due within 14 days. Cloud, hardware, and software providers whose products are used by critical infrastructure are also in scope.

Enforcement and sanctions

Sanctions for breach of the reporting obligation came into force on 1 October 2025. Operators who intentionally or through gross negligence fail to report face fines of up to CHF 100,000. By end-2025, BACS had received 325 reports under the new regime, with public administration (25%), IT/telecoms (18%), and banks/insurance (15.7%) as the leading sectors.

Financial sector overlay (FINMA)

FINMA Circular 2023/1 'Operational Risks and Resilience—banks' imposes cyber-risk governance, business continuity, and operational-resilience requirements on all FINMA-supervised banks and securities firms, effective 1 January 2024. FINMA Guidance 05/2025 (November 2025) set a hard compliance deadline of 1 January 2026 for full operational-resilience alignment.

BACS as central authority

The former National Cyber Security Centre (NCSC) was elevated to the Federal Office for Cybersecurity (BACS) within the Federal Department of Defence, Civil Protection and Sport (DDPS). BACS is the designated recipient of all critical-infrastructure cyber incident reports and coordinates national cybersecurity strategy.

Upcoming ISG expansion

A further revision of the ISG is planned to extend cybersecurity obligations to additional industries and sectors beyond the current critical-infrastructure perimeter, indicating Switzerland's framework is still maturing toward broader coverage.

Machine-assisted translation · verified 5/24/2026 · orientation, not legal advice.