26 Sep 2023

Mandatory reporting of cyber attacks for critical infrastructures - update on the topic

Source: Marcel Suter, Head of NCSC Office, 28.08.2023

Goals of the reporting requirement 

Early warning and overview of the threat situation: more information about cyber attacks will enable the NCSC to warn other organizations faster and more accurately and to get a good overview of the threat situation.
Legal certainty and equality: voluntary information sharing has long been very effective. However, it leads to the problem of "free riding." Everyone benefits from the shared information, but not everyone is willing to share information about cyber attacks.
International context: in 2018, the EU introduced a cyberattack reporting requirement for all member states through the NIS Directive.

The mandatory reporting requirement in the Information Security Act (ISG). 

The ISG is a new law (decision of 18 December 2020) that until now has exclusively regulated the information security of the Confederation and, in part, of the cantons.
The ISG will come into force on January 1, 2024. 
The introduction of the reporting obligation will be implemented as a revision of the ISG. The ISG will thus be expanded into an information security law with implications for critical infrastructures. 
-> The reporting obligation will not yet enter into force on January 1, 2024. It will be adopted separately as a revision of the law. 

Status of debates in parliament 

The National Council approved the bill on March 16, 2023. In doing so, it decided to extend the reporting obligation to include vulnerabilities.
The Council of States approved the bill on 1.6.2023, but rejected the extension of the National Council.
-> Autumn session 2023: procedure to resolve the differences between the National Council and the Council of States, followed by the final vote.

Next steps and timetable for introduction 

After decision by parliament: drafting of an ordinance with concrete specifications on the reporting obligation. 
  • Q1 2024: Consultation on the ordinance. 
  • Q3 2024: Decision on the ordinance. 
  • The plan is to have the reporting obligation come into force as of January 1, 2025. The Federal Council will determine the date when deciding on the ordinance. 

WHO must report (Art. 74b) - operators of critical infrastructure. 

Basic idea: the subsectors covered are those listed in the Critical Infrastructure Protection Strategy that are vulnerable to cyberattacks.
A total of 19 sectors are affected.
The addressees are defined by reference to existing laws.

Restrictions on the obligation to report (Art. 74c)

The Federal Council may limit the reporting obligation by appropriate criteria in the respective sectors if: 
  • there is little dependence on IT resources
  • failures or malfunctions of the infrastructure would only have a minor impact (number of persons, substitutability, minor economic importance)

Which attacks must be reported (Art. 74d)? 

A cyber attack must be reported if it: 
  • jeopardizes the functionality of the affected critical infrastructure;
  • has led to a manipulation or leakage of information;
  • remained undetected for an extended period of time, especially if there are indications that it was carried out in preparation for further cyberattacks; or
  • involved extortion, threats or coercion.

Content and deadline of the report (Art. 74e) 

The report must be made within 24 hours of the discovery of the cyberattack. 
It must contain information on the authority or organization required to report, the nature and execution of the cyberattack, its effects, measures taken and, if known, the planned further course of action. 
If not all of the required information is known at the time of the report, the reporting authority or organization shall supplement the report as soon as it has new information. 


Multi-step process: 
  • The NCSC must notify the critical infrastructure of the omission.
  • If the operator fails to comply with its obligation despite this information, the NCSC issues an order on the obligations to be implemented.
  • If the order is ignored, the NCSC files a criminal complaint. Fines of up to CHF 100,000 are possible.

Support of critical infrastructures by the NCSC 

Information sharing: the NCSC shares information on cyber attacks and threats directly with critical infrastructures. It recommends countermeasures and can also provide technical tools.
The NCSC promotes and enables more secure information sharing among critical infrastructure operators.
Incident response: the NCSC provides subsidiary support to affected parties in dealing with a cyber incident, in the sense of first aid to restore functionality.
