Consultation procedure on the draft Cybersecurity Ordinance (CSO)

12 June 2024 – The Swiss Federal Council has published a draft of the Cybersecurity Ordinance

On 22 May 2024, the Swiss Federal Council opened the public consultation procedure on the draft Cybersecurity Ordinance. The consultation procedure will end on 13 September 2024. The draft Cybersecurity Ordinance (dCSO, download available in German, French, and Italian) deals, inter alia, with the obligation to report cyberattacks and exemptions from this obligation. The Swiss Federal Council’s dispatch to the dCSO can be found here in German and French. The obligation to report certain cyberattacks is currently expected to enter into force on 1 January 2025.

Introduction

The future revised version of the Information Security Act (rISA, download of the future revisions available in German, French, and Italian) will, inter alia, introduce an obligation on the part of certain authorities and organisations to report cyberattacks on their information technology resources to the National Centre for Cybersecurity [NCSC] (Article 74a et seq. rISA). In particular, the rISA lists the authorities and organisations that will be subject to the reporting obligations (Article 74b rISA), the cyberattacks that must be reported (Article 74d rISA), the deadline for reporting cyberattacks and the content of the report (Article 74e rISA) as well as the consequences of a violation of the reporting obligation (Article 74g and Article 74h rISA).

The dCSO details and completes certain provisions of the rISA.

Exemptions from the obligation to report cyberattacks

Pursuant to Article 74c rISA, the Swiss Federal Council may exempt authorities and organisations which otherwise would be subject to the obligation to report cyberattacks if the disruption caused by said attacks has only a limited effect on the public order, security, the wellbeing of the population, or the economy.

The Swiss Federal Council now makes use of this power and specifies in Article 16 dCSO the exceptions from the obligation to report cyberattacks.

For various authorities and organisations, threshold values and/or other criteria have been set below which an exemption applies and thus no reporting is required. For example, federal, cantonal and communal authorities which are responsible for fewer than 1,000 permanent residents will in most cases be exempt from the obligation to report cyberattacks (Article 16[1][a] dCSO). With this threshold, almost 40% of municipalities will be exempt from the obligation to report cyberattacks, covering approximately 430,000 residents. Also, for example, many organisations that employ fewer than 50 persons in the affected area and whose turnover in the affected area does not exceed CHF 10 million will be exempted from the obligation to report cyberattacks (Article 16[2] dCSO).

Cyberattacks to report

According to Article 74d rISA, a cyberattack must be reported if it a) jeopardizes the functionality of the critical infrastructure affected; b) leads to a manipulation or outflow of information; c) remains undetected for an extended period of time, in particular if there are indications that it was carried out in preparation for further cyberattacks; or d) is associated with blackmail, threats or coercion.

Article 18 dCSO further defines what is meant by jeopardizing the functionality of a critical infrastructure, the manipulation or outflow of information, the notion of an extended period of time as well as blackmail, threats or coercion. A cyberattack is deemed to have remained undetected for an extended period of time if it occurred more than 90 days ago (Article 18[3] dCSO). Furthermore, a manipulation or outflow of information occurs if a) business-relevant information is changed or disclosed by authorised persons; or b) there is a breach of data security in accordance with Article 24 of the Data Protection Act of 25 September 2020 (Article 18[2] dCSO).

Deadline and content of report

Cyberattacks must be reported as soon as they are discovered by the authorities and organisations subject to the reporting obligation, but no later than 24 hours after the cyberattack has been detected (Article 74e[1] rISA). Article 74e[2] to [5] rISA provides further information on the content of the report and is complemented by Article 19 dCSO, which lays out a detailed list of the information to be provided. This includes information on the type and execution of the cyberattack (e.g. date and time of the attack, type of attack, information on the attacker, etc.), on the potential existence of blackmail, threats, or coercion in connection with the attack, on the possibility of a criminal complaint, on the consequences of the cyberattack, and on the authority or organisation subject to the obligation to report such attacks.

Article 21 dCSO further details that if not all the necessary information is known within the 24-hour notification period, the Federal Office for Cybersecurity (FOCS) shall grant a period of 14 days to complete the notification and that if not all required information is available by the end of this deadline, the FOCS will ask the authority or organisation concerned to complete it immediately or to confirm that the information is not available.

Conclusion

In short, the dCSO further details and complements the obligation to report cyberattacks as foreseen by the rISA. After the end of the consultation period, the Swiss Federal Council will finalise and adopt the wording of the Cybersecurity Ordinance. It is currently planned that the obligation to report cyberattacks under the rISA and the final version of the Cybersecurity Ordinance will enter into force on 1 January 2025.

From a practical point of view, it must be noted that the future obligation to report cyberattacks to the NCSC is separate from the obligation to notify the Federal Data Protection and Information Commissioner of data security breaches under Article 24 of the Swiss Federal Data Protection Act and that, in particular, deadlines to report incidents are different. An incident may have to be reported as a cyberattack but not as a data security breach and vice versa, or an incident may have to be reported as both.

Authorities as well as organisations that will be subject to the future reporting obligations under the rISA are well advised to prepare now, both operationally and technically, so that they are ready when the reporting obligation enters into force and can ensure compliance with the new requirements.