Risk management is fundamentally different in Switzerland



George Lekatis


Note: This is not legal advice. It is a professional opinion intended for foreign risk and compliance management professionals operating in Switzerland. The analysis addresses Switzerland’s evolving response to modern hybrid threats, examined within the framework of, and in conformity with, Article 5a of the Federal Constitution of the Swiss Confederation (the principle of subsidiarity).

From George Lekatis, General Manager, Cyber Risk GmbH (Handelsregister des Kantons Zürich, Firmennummer: CHE-244.099.341).


What is different in Switzerland?

Article 5a of the Federal Constitution of the Swiss Confederation is brief, but it describes one of the most profound and distinctive features of Swiss constitutional order. In a single sentence, it captures the normative philosophy that defines how public power is distributed, exercised, and justified in the Confederation.

In simple words, according to the principle of subsidiarity, public power must always be exercised at the lowest effective level, closest to the citizen, and must only be elevated to a higher level when local or cantonal action cannot achieve the intended purpose efficiently.

In most countries, risk and compliance management are shaped by centralized authorities and hierarchical regulatory chains. Switzerland operates through layered autonomy. Each canton has its own constitution, parliament, and government. Many administrative responsibilities lie with the cantons.

As a result, the risk and compliance environment in Switzerland is decentralized by design. Governance structures within companies and public institutions often mirror this distribution of authority. Organizations must navigate overlapping regulatory layers (federal, cantonal, and communal) while maintaining internal structures that are both compliant with national law and sensitive to regional autonomy.

For example, a financial institution operating in Zurich, Geneva, and Lugano deals with the same federal regulator, but its operational risks differ depending on cantonal rules and local enforcement cultures. In sectors outside financial services, cantonal competences are more pronounced.

This has produced a Swiss model of risk management that is plural, adaptive, and consensus-based. Risk managers do not rely solely on prescriptive regulation. They build systems of trust, dialogue, and cooperation among multiple authorities and private stakeholders. Compliance is not imposed top-down; it is constructed horizontally through coordination, transparency, and shared understanding.

In peaceful times, with Article 5a, Switzerland has achieved exceptional levels of stability, participation, and legitimacy in modern governance. In social, economic, and political life, individuals and their immediate communities are empowered to act without unnecessary intervention from above. This has prevented the emergence of an overcentralized state. The result is a mature democracy built on competence and proximity. Citizens see the effects of their decisions directly in their local environment, which makes participation meaningful and accountability tangible.

A higher level of government must justify every expansion of power. Authority in Switzerland is always negotiated, not presumed.

In peacetime, this makes governance slower (through levels of democratic deliberation), but more legitimate. Policies emerge from deliberation among diverse communities.

Today, we live in the age of hybrid threats. The Swiss constitutional strength of subsidiarity can confront the strategic challenges of centralized, totalitarian powers.

Totalitarian and authoritarian actors, with unified command structures, concentrated intelligence capabilities, and coordination between state agencies and non-state proxies, try to exploit the fragmentation inherent in Swiss federalism.

According to the Situation Report of the Swiss Federal Intelligence Service “Switzerland's Security 2025,” foreign threat actors have escalated the use of hybrid warfare. They accept the risk of collateral damage and civilian victims. One example is the sending of incendiary devices by air freight. This posed a threat to civil aviation.

Also, in the report we read that foreign threat actors are “deliberately creating ambiguity and uncertainty for as long as possible, while remaining below the armed conflict threshold, a key method of hybrid warfare.”

What is hybrid risk?

Hybrid risk is the convergence of multiple threat vectors, including cyber threats, information and influence operations, legal and regulatory pressures, financial disruption, operational and supply-chain interference, and physical security challenges.

These vectors are applied in a planned and coordinated campaign. The goal is to generate wide-ranging disruption and strategic pressure while remaining below the thresholds that would trigger armed conflict, or decisive regulatory and legal action, prolonging ambiguity and maximizing leverage.

Hybrid risk is not a new risk category that must be added to a risk register. It involves complex risk interactions, where separate risks combine and amplify one another in ways that traditional risk management often fails to anticipate.

Traditional enterprise risk management assumes that individual risks can be identified, assessed, and controlled in isolation. Cyber risk in one register, physical risk in another, regulatory risk in another, supply chain risk somewhere else. Hybrid threat actors ensure that these risks do not remain independent. They orchestrate interactions through timing, sequencing, and feedback mechanisms that cross organizational and legal boundaries, and can transform seemingly isolated, limited events into a multi-domain crisis.

For example, a moderate cyber intrusion, on its own, can be operationally containable. Viewed strictly as an IT event, it may involve limited data exposure and routine remediation. But if the intrusion is followed by a leak of stolen material that has been altered or mixed with fabricated files, the risk moves beyond a technical security breach. Once the files are released into the public domain, the adversary’s goal is to ensure that the narrative takes on a life of its own. Adversaries rarely speak with a single voice. They rely on an ecosystem of groups that appear independent but are controlled, strategically aligned, or can be manipulated to amplify outrage.

Adversaries always control websites and blogs. Some of them specialize in exposing corporate or governmental wrongdoing. These actors publicize the leak and discuss its findings. Their analysis is then picked up by other websites, blogs, and networks, including adversary-controlled accounts posing as concerned citizens.

At this point, genuine users who believe the leaks, but also inauthentic accounts, bot networks, and paid influencers amplify specific frames such as cover-up, systemic negligence, or corruption.

Effective defense against totalitarian, centralized adversaries requires unified situational awareness, rapid decision making, and integrated response capabilities. The Federal Council can coordinate, but its powers are deliberately limited. The cantons retain sovereignty except where the constitution explicitly delegates competence to the Confederation. This balance was not designed for the domain fusion that hybrid threats bring. But the Swiss constitution can be effective and efficient against hybrid threats too, provided all participants perceive the same level of threat and understand the modus operandi of hybrid actors. Problems arise only where citizens do not understand hybrid threats and become easy victims, and where information sharing between the public and the private sector is constrained.

Risk management must become the connective tissue of subsidiarity, the mechanism that ensures distributed entities operate coherently in crisis despite constitutional fragmentation. What is needed is simple. The persons closest to the problem must hold actionable knowledge.

Knowledge at the edge is a strategic asset. The local actor sees first, reacts fastest, and escalates only what requires higher-level intervention. Subsidiarity prevents paralysis by ensuring decisions are not delayed while waiting for centralized approval. In hybrid conflict, the differentiator is situational awareness and the understanding of the threat, the modus operandi, and the best practices to respond.

Private sector collaboration is essential, as critical infrastructures, from electricity to finance and communications, are owned and operated largely by private entities, making public-private information sharing indispensable.

For Switzerland, the challenge is to prepare for the hybrid age. Systems of risk governance, data sharing, and crisis management that respect cantonal autonomy must be activated quickly when the Confederation is targeted. The principle designed to protect Swiss liberty can protect the country against those who exploit liberty’s openness.



Case Study: When ABC AG in Canton X becomes the target of a multifaceted hybrid campaign

Disclaimer: This case study is a hypothetical scenario created solely for educational purposes. Any resemblance to actual persons, organizations, events, or locations is purely coincidental. There is no connection with any real firm, place, or event.

ABC AG is a manufacturer headquartered in Canton X with two plants in neighboring cantons and a logistics hub near a national border. It manufactures precision thermal systems used in packaging and logistics across the European biotechnology and agri-food sectors.

These systems ensure thermal integrity, maintaining products within specified temperature ranges during packaging, transit, and storage. Such control is mission critical for the biotechnology sector (vaccines, cell cultures, diagnostic reagents) and the agri-food sector (perishable foods, dairy, meat, high-value plant products).

The company operates in a highly regulated industrial environment. It is subject to Swiss and European product safety legislation.

Because the company exports to EU member states, it must comply with the Mutual Recognition Agreement (MRA) between Switzerland and the European Union, which allows Swiss conformity assessments and technical certificates to be recognized across the single market. In practical terms, this means that the company’s quality and safety systems are inspected periodically by accredited conformity assessment bodies. If a product presents a safety risk or non-conformity, the company must notify the competent Swiss authorities and, where the product is distributed in the EU, cooperate with the responsible market-surveillance authorities under the EU’s Safety Gate rapid alert system.

From an operational standpoint, the company runs its enterprise resource planning (ERP) and manufacturing execution system (MES) on a Swiss-based cloud infrastructure. This ensures compliance with the Federal Act on Data Protection (FADP) and the Ordinance on Data Protection (OFADP), as all industrial data, supplier information, and potentially personal data (such as employee records or customer contact data) remain under Swiss jurisdiction and within a data center governed by Swiss law.

To strengthen its cybersecurity posture, the company outsources its Security Operations Centre (SOC) services to a specialized provider that continuously monitors network traffic, detects anomalies, and manages incident response coordination.

The board of directors retains non-transferable responsibility under the Swiss Code of Obligations (CO) Article 716a(1). This means that the company must conduct due diligence on the SOC provider, verify contractual guarantees for confidentiality and data protection, ensure the provider’s Swiss hosting or equivalently secure jurisdiction, and obtain audit and access rights to demonstrate oversight to regulators or auditors if necessary.

The company’s supply chain depends on two critical third-party relationships.

1. A plastics supplier located in Italy, which fabricates precision polymer components essential to the thermal systems. Because the supply model minimizes inventory, any disruption at this supplier can halt production within days. This cross-border relationship creates exposure to EU customs rules, dual-use export control considerations, and supply chain due diligence obligations.

2. A Swiss cold chain logistics carrier responsible for transporting temperature sensitive goods throughout Switzerland and into the EU. This partner is licensed by the Swiss Agency for Therapeutic Products, and it must maintain validated vehicles, calibrated sensors, and certified handling procedures to ensure the integrity of medical or food products.

The manufacturer, as the contracting principal, remains jointly responsible for verifying the carrier’s compliance, since under Swiss and EU product liability regimes (Swiss Product Liability Act, Directive 85/374/EEC) any defect or spoilage traceable to logistics failures may still expose the producer to liability.

The board has set a risk appetite, and has approved crisis management policies and procedures.


Day 1

Unknown actors compromise a subcontractor’s build pipeline and push a signed update to ABC AG’s gateway for the industrial network.

Note: A build pipeline is the automated system that compiles, tests, and packages software before it is delivered (pushed) to customers. In modern development, suppliers often use continuous integration / continuous deployment (CI/CD) systems that automatically assemble software and sign it digitally before distribution. If attackers compromise such a pipeline, they can insert malicious code (malware, backdoors, logic bombs) before the software is officially built, tested, and signed. Because it passes through all the supplier’s automated checks, the malware appears legitimate.

The malware is quiet. It enumerates OPC-UA tags and engineers a future setpoint drift.

Note: The malware is quiet, designed to avoid noisy or obvious symptoms. It does not crash systems or produce visible alarms. It performs reconnaissance and limited actions that blend with normal operations. That stealth reduces the chance of early detection, and it increases the window in which attackers can prepare a damaging event while preserving plausible deniability.

Open Platform Communications-Unified Architecture (OPC-UA) is a widely used industrial communications standard for device and process variables (sensors, actuators, controllers). It exposes process values such as current temperature, pressure, and alarm thresholds, together with metadata: which variables exist, where they live, their identifiers, their data types, and which actions (read/write) are permitted.

By learning the tag map, the attacker understands which variables matter (the precise tags for cold room setpoints, the tag that commands a refrigeration control loop, or the tag that reports safety interlocks).

Note: Engineering a future setpoint drift means changing the target values, for example, slowly raising the target temperature over many cycles. The change is engineered to occur later (a scheduled trigger or a conditional trigger) so that when it happens it looks like a gradual equipment fault or human error, not sabotage. The purpose can be to degrade product quality, cause batch rejection, force shutdowns, and (of course) create grounds for public alarm when coupled with disinformation.

Adversaries, through the malware, have access to confidential information and documents in ABC AG. This is a great success for them, as they can now mix genuine documents with fabricated ones.

Leaked (real, altered, and fabricated) documents appear in social media accounts, alleging that ABC AG’s components are failing tests and that there is a huge risk to consumers. This is amplified by bot accounts in three national languages. Two pseudo-NGOs (not genuine NGOs founded by citizens, but organizations established and controlled by adversaries) file consumer safety complaints with a cantonal office and the federal product safety authority, attaching leaked, manipulated documents. They present themselves as concerned and ask whether the leaked documents are genuine (some are). They demand inspections to protect public safety. A blog in a foreign country claims a whistleblower leak, linking to fragments of authentic but contextless internal emails stolen months earlier in a separate credential stuffing incident.

The SOC has seen unusual beaconing from an engineering workstation to a system abroad. They open an incident record and start investigating.

Note: Beaconing means periodic outbound network connections. In legitimate contexts, software uses beacons to check for updates, licensing, or remote management. Unusual beaconing is a strong indicator of malware command-and-control activity. The pattern (regular outbound packets every few seconds or minutes to the same foreign server) suggests that the infected machine is communicating with its operator, either to signal that it is alive (heartbeat), receive instructions, or upload stolen data in small, stealthy fragments.

An engineering workstation is a specialized computer used by plant engineers to configure, program, and maintain industrial control systems. If that system is compromised, attackers have control over operational technology (OT) that drives production.

A system abroad can be a Virtual Private Server (VPS) hosted by a commercial cloud provider outside Switzerland. Threat actors often use such servers because they are inexpensive and hard to trace. Communication from a plant workstation to such a server is inherently suspicious.
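As an added illustration (not part of the case study), the following Python script shows how a SOC analyst could surface the "unusual beaconing" pattern described above from exported connection logs: it groups outbound connections by source, destination and port, measures how regular the gaps between connections are, and flags pairs whose timing is nearly constant. The log format, the addresses (RFC 5737 documentation ranges) and the thresholds are constructed assumptions.

```python
"""Beacon periodicity check over exported connection logs (added example).

Constructed sample data: the log format is an assumed key=value export, the
addresses come from RFC 5737 documentation ranges, and all thresholds are
assumptions a SOC would tune for its own environment.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed log lines: one engineering workstation (10.20.1.15) talking to
# two external hosts. 203.0.113.40 is contacted about once a minute with
# near-identical payload sizes; 198.51.100.7 is contacted irregularly.
SAMPLE_LOG = """\
2025-03-03T08:00:00Z src=10.20.1.15 dst=203.0.113.40 dport=443 bytes=612
2025-03-03T08:00:12Z src=10.20.1.15 dst=198.51.100.7 dport=443 bytes=9021
2025-03-03T08:01:00Z src=10.20.1.15 dst=203.0.113.40 dport=443 bytes=598
2025-03-03T08:02:01Z src=10.20.1.15 dst=203.0.113.40 dport=443 bytes=604
2025-03-03T08:02:44Z src=10.20.1.15 dst=198.51.100.7 dport=443 bytes=44210
2025-03-03T08:02:59Z src=10.20.1.15 dst=203.0.113.40 dport=443 bytes=611
2025-03-03T08:04:00Z src=10.20.1.15 dst=203.0.113.40 dport=443 bytes=602
2025-03-03T08:05:01Z src=10.20.1.15 dst=203.0.113.40 dport=443 bytes=607
2025-03-03T08:06:00Z src=10.20.1.15 dst=203.0.113.40 dport=443 bytes=599
2025-03-03T08:07:00Z src=10.20.1.15 dst=203.0.113.40 dport=443 bytes=605
2025-03-03T08:09:30Z src=10.20.1.15 dst=198.51.100.7 dport=443 bytes=1287
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) bytes=(?P<bytes>\d+)$"
)


def parse_log(text):
    """Turn log lines into (timestamp, src, dst, dport, bytes) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m is None:
            continue  # skip malformed lines rather than abort the whole run
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["src"], m["dst"], int(m["dport"]), int(m["bytes"])))
    return events


def find_beacons(events, min_events=6, max_cv=0.15, min_interval_s=5,
                 max_interval_s=6 * 3600, allowlist=frozenset()):
    """Return (src, dst, dport) pairs whose connection timing is nearly periodic.

    cv is the coefficient of variation (stdev / mean) of the gaps between
    consecutive connections: interactive use produces a large cv, a heartbeat
    a small one. Operators often add jitter, so max_cv is a tuning knob, not a
    hard rule. Destinations in allowlist (known update or licensing endpoints)
    are skipped, because legitimate software beacons too.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, dport, nbytes in events:
        if dst in allowlist:
            continue
        by_pair[(src, dst, dport)].append((ts, nbytes))

    findings = []
    for (src, dst, dport), rows in by_pair.items():
        if len(rows) < min_events:
            continue  # too few samples to say anything about periodicity
        rows.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(rows, rows[1:])]
        mean_gap = statistics.fmean(gaps)
        if not min_interval_s <= mean_gap <= max_interval_s:
            continue  # also guards against a zero mean gap
        cv = statistics.stdev(gaps) / mean_gap
        sizes = [n for _, n in rows]
        # Uniform payload sizes are a second hint of a heartbeat.
        size_cv = statistics.stdev(sizes) / statistics.fmean(sizes) if any(sizes) else 0.0
        if cv <= max_cv:
            findings.append({
                "src": src, "dst": dst, "dport": dport, "count": len(rows),
                "mean_interval_s": mean_gap, "cv": round(cv, 4),
                "size_cv": round(size_cv, 4),
            })
    return findings


def run_demo(allowlist=frozenset()):
    """Run the check over the constructed sample and return the findings."""
    return find_beacons(parse_log(SAMPLE_LOG), allowlist=allowlist)


if __name__ == "__main__":
    for f in run_demo():
        print(f"{f['src']} -> {f['dst']}:{f['dport']}: {f['count']} connections, "
              f"mean gap {f['mean_interval_s']:.0f}s, timing cv {f['cv']}, "
              f"size cv {f['size_cv']}")
```

A finding is a lead, not an attribution: the analyst still has to check the destination against vendor update endpoints and the workstation's installed software before escalating.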


Day 2: Multi-domain pressure and escalation

OT anomalies appear. Cold room temperatures drift by 0.7°C during changeover windows. Several pallets are held at the border on a tip that invoices are inaccurate. The tip email spoofed a supplier’s domain.

Note: OT stands for Operational Technology, the systems that monitor and control physical processes in industrial environments (temperature, humidity, motors, sensors, valves). An OT anomaly means deviation from normal patterns. This is often the first visible sign of a cyber-physical compromise.

Cold-room temperature drift. The company manufactures temperature-sensitive products (biotechnology or food components). Its cold rooms must maintain very stable conditions.

If the drift of 0.7°C continues over time, the products’ quality, stability, or regulatory compliance could be compromised. In this case, the attackers are manipulating the OT system gradually. This is a classic low-noise technique, subtle enough to remain undetected but harmful if sustained.

Under the Swiss Product Safety Act and EU equivalents, the manufacturer must ensure that its products are safe under normal and foreseeable conditions. If data integrity or process control is compromised, the company must investigate whether affected batches remain compliant.

Good Manufacturing Practice (GMP) and Good Distribution Practice (GDP) require validated temperature control and traceable records. Any deviation, even if within thresholds, must be logged and explained. If the deviation invalidates product quality or traceability, recall obligations may arise.
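As an added example (not from the case study), this Python audit compares logged setpoint writes against the approved change record and the commissioned baseline, so that a series of small changes that each stay under the per-step alarm limit is still reported, both as unauthorized writes and as cumulative drift. The OPC UA node id, change ticket, thresholds and readings are constructed assumptions, and it presumes the plant already collects a record of setpoint writes (for instance from the OPC UA server's audit events or a historian).

```python
"""Setpoint write audit against the approved change record (added example).

Constructed sample data: the node id, change ticket, thresholds and the
sequence of writes are assumptions for illustration only.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class SetpointWrite:
    ts: datetime
    node_id: str
    value: float
    source: str  # account or workstation that issued the write


@dataclass(frozen=True)
class ApprovedChange:
    node_id: str
    new_value: float
    not_before: datetime
    not_after: datetime
    ticket: str


def audit_setpoints(writes, approved, baselines, per_step_alarm=0.3,
                    drift_tolerance=0.5):
    """Report writes with no approved change behind them and cumulative drift.

    baselines maps node_id -> the commissioned (validated) setpoint. A write
    that matches an approved change inside its window moves the baseline;
    every other write is reported even when its step is below the per-step
    alarm limit, and the running distance from the baseline is checked too.
    """
    baseline = dict(baselines)
    last = {}
    findings = []
    for w in sorted(writes, key=lambda x: x.ts):
        step = abs(w.value - last.get(w.node_id, w.value))
        last[w.node_id] = w.value
        match = next(
            (a for a in approved
             if a.node_id == w.node_id
             and a.not_before <= w.ts <= a.not_after
             and abs(a.new_value - w.value) < 1e-9),
            None,
        )
        if match is not None:
            baseline[w.node_id] = w.value  # approved: this is the new reference
            continue
        findings.append({
            "kind": "unauthorized_write", "ts": w.ts, "node_id": w.node_id,
            "value": w.value, "source": w.source, "step": round(step, 3),
            "step_alarm": step >= per_step_alarm - 1e-9,
        })
        if w.node_id in baseline:
            drift = w.value - baseline[w.node_id]
            if abs(drift) >= drift_tolerance - 1e-9:
                findings.append({
                    "kind": "cumulative_drift", "ts": w.ts, "node_id": w.node_id,
                    "value": w.value, "baseline": baseline[w.node_id],
                    "drift": round(drift, 3),
                })
    return findings


NODE = "ns=2;s=ColdRoom1.Setpoint"  # constructed node id
T0 = datetime(2025, 3, 4, 6, 0)

# One approved change (constructed ticket CHG-0001): 4.0 -> 3.8 °C on 4 March.
APPROVED = [ApprovedChange(NODE, 3.8, T0 - timedelta(hours=1),
                           T0 + timedelta(hours=1), "CHG-0001")]
BASELINES = {NODE: 4.0}

# The approved write, then seven unapproved +0.1 °C nudges, one per daily
# changeover window, ending 0.7 °C above the approved value.
WRITES = [SetpointWrite(T0, NODE, 3.8, "eng-ws-02")] + [
    SetpointWrite(T0 + timedelta(days=i), NODE, round(3.8 + 0.1 * i, 1), "eng-ws-07")
    for i in range(1, 8)
]


def run_demo():
    """Audit the constructed write history and return the findings."""
    return audit_setpoints(WRITES, APPROVED, BASELINES)


if __name__ == "__main__":
    for f in run_demo():
        print(f["ts"].date(), f["kind"], f["node_id"], f["value"],
              f.get("drift", f.get("step")))
```

Every reported write is also a deviation to be logged and explained under GMP/GDP, whatever its size; the audit simply makes sure the explanation is demanded before the cumulative effect reaches product.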

At the logistics hub, several pallets are held at the border on a tip that invoices are inaccurate. This describes a supply chain interference and a disinformation component of the hybrid campaign. The company’s shipments are stopped by customs or border inspection authorities because someone sent them a fraudulent alert alleging that the invoices accompanying those shipments were inaccurate or falsified. The email appears to come from a trusted supplier, but it’s a spoofed domain, meaning attackers forged the sender’s address.

This creates physical disruption (delayed deliveries, contractual penalties, possible product spoilage) and administrative suspicion (border authorities may open a case). It weaponizes regulatory processes, using fraud to trigger legitimate enforcement reactions.

At the same time, complaints are lodged with two cantonal authorities and the FDPIC alleging unlawful monitoring of employees and leaked sensitive personal information. Leaked documents are used as evidence.

Note: Attackers or their proxies (posing as employees or whistleblowers) submit data protection complaints to two cantonal data protection authorities and the Federal Data Protection and Information Commissioner (FDPIC), which oversees the Federal Act on Data Protection. The complaints allege that the company is unlawfully monitoring its employees, for example, through workplace cameras, email tracking, or covert data collection.

These complaints are filed to consume resources, trigger inspections, and damage reputation. They exploit legitimate legal channels to overwhelm the company’s functions, a lawfare tactic within hybrid operations.

An FDPIC investigation is under way. The Commissioner must examine whether there is prima facie evidence of a violation. Even unfounded complaints can lead to official requests for information and audits, forcing the company to produce policies, logs, and data processing records.

Since Switzerland has both federal and cantonal data protection authorities, overlapping inquiries may require parallel responses. This consumes significant internal legal resources.

The existence of official complaints, even if later dismissed, may leak to media or activist channels amplifying the disinformation narrative that the company is unethical, or violating privacy.

From a compliance standpoint, this is a weaponized regulatory overload: the attacker uses the transparency and accountability obligations to cause reputational and administrative harm.

All these events occur simultaneously. Together, they create operational chaos (interrupted production and logistics challenges), information confusion (uncertainty about what’s real or fabricated), resource saturation (compliance and management forced to respond on multiple fronts), and reputational erosion (narratives of an unsafe, non-compliant, and unethical company).

This is the defining characteristic of a hybrid campaign: coordinated, multi-domain pressure designed to erode trust and paralyze decision making.


So, what is next? Imagination is the only limit. We could continue the escalation until day 7, but there is no need. What has happened in these two days gives us a good understanding of the need for hybrid risk management: the systematic identification, assessment, mitigation, and governance of interconnected and cross-domain threats that combine cyber, information, geopolitical, economic, technological, and unconventional vectors, to protect critical assets, maintain resilience, and ensure regulatory compliance.

Hybrid risk leads to non-linear loss. Impact does not increase in a straight, predictable line. A set of moderate risks can generate losses far greater than the sum of their individual risk assessments.

For boards, these dynamics cause governance stress and decision latency. Boards know how to review discrete reports on defined categories, but usually do not have experience in integrating ambiguous, fast-moving information across legal, technical, operational and financial domains. They wait for facts to be forensically verified, and hesitate to act without clear attribution. This hesitation (even hours) can worsen exposure, and can allow adversaries to shape the narrative.

We recommend Hybrid Stress Testing, the methodology to evaluate the resilience of an organization under combined financial, operational, cyber, legal, regulatory, technological, and geopolitical stress conditions.

It includes the design, execution, and evaluation of multi-domain and cross-sectoral scenarios that reflect the convergence of traditional and non-traditional threats, including but not limited to:

1. Cyber and information security events, disruptions, or breaches, including large-scale disruptions.

2. Legal, compliance, and reputational challenges arising from regulatory actions, litigation, or data breaches.

3. Geopolitical threats, including disinformation campaigns, supply chain disruptions, economic coercion, and the weaponization of strategic interdependencies.

4. Environmental, social, and governance (ESG) factors, where relevant to operational continuity.

5. Macroeconomic and financial stressors, including liquidity, solvency, and contagion effects.

6. Technological and digital transformation risks, including dependencies on critical third-party service providers, artificial intelligence systems, and cloud infrastructures.

7. Operational and organizational risks, including internal control failures, insider threats, and deficiencies in governance or crisis management structures.

8. Physical and infrastructure risks, including disruptions of critical energy, telecommunications, or transportation systems essential to business continuity.

Is there any obligation to report cyber or hybrid incidents to the municipality?

There is no explicit legal obligation for a private company to report cyber incidents, hybrid campaigns, or operational disruptions to its municipality.

Municipalities in Switzerland have autonomous administrative competences, but these relate primarily to local governance, services, and civil protection, not to cybersecurity or hybrid-threat management.

But when a hybrid threat has potential civil protection consequences, the legal landscape shifts, because the nature of the threat activates a different legal regime under public safety and population protection law.

Examples of hybrid threats with potential or actual consequences for local safety, infrastructure, or essential services, include:

a. Manipulation of industrial control systems that causes chemical or thermal instability in a plant near a residential zone.

b. Logistics disruption that endangers refrigerated medical supplies.

c. Disinformation that triggers panic, protests, or public disorder.

At that moment, the legal nature of the incident changes: it becomes a matter of population protection.

Under Article 57 of the Federal Constitution:

1 The Confederation and the Cantons shall within the scope of their powers ensure the security of the country and the protection of the population.

2 They shall coordinate their efforts in the area of internal security.

This creates a shared security responsibility, not exclusive federal competence.

Under Article 61 of the Federal Constitution:

1 The legislation on the civil defence of persons and property against the effects of armed conflicts is the responsibility of the Confederation.

2 The Confederation shall legislate on the deployment of civil defence units in the event of disasters and emergencies.

3 It may declare civil defence service to be compulsory for men. For women, such service is voluntary.

4 The Confederation shall legislate on fair compensation for loss of income.

5 Persons who suffer damage to their health or lose their lives while doing civil defence service are entitled to appropriate support from the Confederation, whether for themselves or for their next of kin.

Article 61 defines the legislative competence of the Confederation for civil defence. It covers the protection of people and property in the event of armed conflicts, disasters, or emergencies.

Paragraphs 1 and 2 grant the Confederation exclusive competence to legislate on civil defence and the deployment of civil defence units.

Execution and implementation remain decentralised, delegated to the cantons and, operationally, to the municipalities.

When a hybrid or cyber attack has no public safety implications, there is no legal obligation for a private company to inform the municipality. As long as the incident remains technical or economic, communication with the municipality is voluntary, not required by law.


Is there any obligation to report cyber or hybrid incidents to the canton?

Swiss law does not create a horizontal duty for private companies to notify cantonal authorities of every cyber or hybrid incident. But the canton must be informed when the incident’s character involves criminal enforcement or civil protection (population protection) functions that the Constitution assigns to the cantons.

Article 57 of the Federal Constitution establishes shared responsibility: “The Confederation and the Cantons shall within the scope of their powers ensure the security of the country and the protection of the population.”

The primary cyber reporting obligation involves the Confederation (NCSC), not the canton. If your entity is designated as critical infrastructure, your legal duty is to notify the NCSC within the statutory deadlines.

Private companies must remember the two legal gateways that frequently engage cantonal authorities.

1. Criminal enforcement competence (cantonal police / prosecutor).

Many cyber offences (unauthorised access, data damage, extortion, fraud) are prosecuted under the Swiss Criminal Code by cantonal law enforcement authorities. While Swiss law does not generally oblige victims to file a criminal complaint, incident characteristics (extortion, threat to life) may make prompt reporting to the cantonal police necessary and prudent.

In our opinion, reporting to the cantonal police cyber unit is important as part of a defensible incident response record, especially if you later need force majeure or mitigation clauses, or seek prosecutorial preservation measures. Reporting is strategically advantageous, for several reasons:

a. Creates a verifiable incident-response record (evidence of diligence). By documenting that you notified the competent authority, typically the cantonal police cybercrime unit, which coordinates with the NCSC/GovCERT, you create evidence of responsible and timely action.

This is important because Swiss law and international standards emphasize timeliness and traceability in incident response. Regulators and courts assess not only what you did, but how quickly and how transparently you acted. Best practice: Submit a timestamped written notification (email or portal submission), not only a phone call.

b. Supports future reliance on force majeure or mitigation clauses. Commercial contracts often include provisions such as force majeure (unforeseeable event beyond control), best efforts / reasonable measures obligations, or mitigation of damage requirements. If litigation or contractual disputes arise, the question will be: Did the company take all reasonable steps to mitigate the damage as soon as the incident became known?

A written, time-stamped report to the cantonal police cyber unit demonstrates prompt action, cooperation with competent authorities, and effort to prevent escalation. This strengthens the legal argument that the company acted defensibly and in good faith.

c. Enables prosecutorial preservation measures (data seizure, evidence freezing). Reporting to the police early means you did your best to preserve evidence. Data freezing orders before forensic evidence is overwritten and tracing of fraudulent transactions make a difference in all investigations. Once evidence is lost, police may be unable to act. Authorities will not freeze evidence or compel third parties unless there is an official report.

d. Supports later regulatory or insurance reporting. If the incident later escalates into a data breach under the Swiss FADP, a critical infrastructure incident, or a cross-border breach involving the EU (GDPR), your early police report becomes the first documentary point in your chain of reporting. Insurance carriers (cyber risk policies) increasingly require proof of timely notification to law enforcement.

e. Reputation protection and signaling to threat actors. Swiss authorities take cyber attacks seriously. An early police report signals to the threat actor that you are not alone.

Establish a good relationship with the cantonal police cyber unit before an incident occurs. When a crisis occurs, trust matters. Organizations that already have personal contact with their cantonal cyber unit collaborate more effectively when decisions must be made under pressure.

Law enforcement takes into account the track record of the reporting company. When you already know each other, there is less friction. You already know how they want evidence packaged. You are not a stranger asking them to drop everything and deal with your problem. Relationships grow during calm, not during crisis.

2. Civil-protection (population-protection) consequences.

Where a hybrid incident endangers life, health, essential services, or the environment (for example, OT manipulation that could trigger a hazardous event), the priority shifts from cyber to population protection. The Federal Act on Civil Protection and Civil Defence assigns responsibility for implementation to the cantons, which in turn delegate operational execution to the municipal authorities. In such cases, private entities must cooperate and inform the competent civil protection services without delay so that cantonal command can activate local response.


Is there any obligation to report cyber or hybrid incidents to the NCSC?

The Swiss National Cyber Security Centre is the federal government's competence centre for cybersecurity and the first point of contact for businesses, public services, educational institutions and the population when it comes to cyber challenges. It is responsible for the coordinated implementation of the national cyberstrategy (NCS).

The NCSC's main task is to make Switzerland more secure in cyberspace. To this end, it raises awareness and warns the public about cyberthreats and cyberattacks. The NCSC receives reports of cyberincidents and supports operators of critical infrastructures, in particular, in dealing with them. It produces technical analyses to assess and prevent cyberincidents and cyberthreats, and to identify and eliminate weaknesses in Switzerland's protection against cyberthreats.

On 2 December 2022, the Federal Council decided to transform the National Cyber Security Centre (NCSC) into a federal office (with effect from 1 January 2024), and to relocate it to the Federal Department of Defence, Civil Protection and Sport (DDPS).

In 2021, the Federal Council decided to establish the legal basis for the introduction of a reporting obligation. It arises from an amendment to the Information Security Act (ISA / Informationssicherheitsgesetz (ISG), SR 128) and the associated Cybersecurity Ordinance (CSO), which implement the reporting framework.

On 7 March 2025, the Federal Council decided that the amendments to the ISG would enter into force on 1 April 2025.

On 7 March 2025 the Federal Council also adopted the Cybersecurity Ordinance (CSO), which entered into force on 1 April 2025. The CSO contains the implementing provisions for the reporting obligation and, in particular, regulates the exceptions.

The National Cybersecurity Centre (Nationales Zentrum für Cybersicherheit): https://www.ncsc.admin.ch


Mandatory notification. Critical infrastructures must report certain categories of cyber incidents to the NCSC via the reporting portal: https://www.report.ncsc.admin.ch/en/

In Switzerland, operators of critical infrastructure are required to report cyberattacks to the National Cyber Security Centre (NCSC) within 24 hours of discovery. After submitting the initial report, they have 14 days to complete it.

Switzerland’s reporting is harmonized with the European Union’s NIS 2 Directive (Directive (EU) 2022/2555), particularly in the structure, timing, and rationale of incident-notification obligations.

Both accept that the initial report may be incomplete, emphasizing speed over perfection. They recognize the need for threat intelligence sharing and central coordination. Both extend coverage beyond the public sector to private entities performing critical functions.


For private entities that are not designated as operators of critical infrastructure, there is generally no unconditional statutory duty to report every cyber incident to the NCSC. In our opinion, you must use the NCSC voluntary reporting channels and explain significant incidents to improve national situational awareness and protect other organizations. Many non-critical organisations report voluntarily (or do so because of contractual, sectoral, or insurance requirements).

What triggers mandatory reporting?

Two elements trigger a reporting obligation to the NCSC:

a. The legal designation as an operator of critical infrastructure, or the legal designation as an entity covered by an applicable reporting statute or ordinance.

b. The material impact of the incident on the availability, integrity or confidentiality of services that are essential for the public (like energy, health, transport, banking, telecommunications).

Even where a cyber or hybrid incident triggers the mandatory reporting duty to the National Cyber Security Centre (NCSC), this does not replace other legal obligations.

a. Criminal Elements. Report to the Cantonal Police and the Prosecutor (Staatsanwaltschaft) incidents like intrusion, unauthorized access, data breach, coercion, extortion, espionage, and threats. Where criminal behavior is suspected, notification to the cantonal police cyber unit and the prosecutor should occur promptly, in parallel to notifying the NCSC.

This protects the company from claims that evidence was lost or that the organization failed to enable prosecution.

b. Personal Data Impact. Report to the FDPIC (Federal Data Protection and Information Commissioner). Where a cyber incident involves personal data and creates a risk to the data subjects, the data controller must notify the FDPIC “as soon as possible.”

Typical triggers include compromised HR data, lost customer records, and ransomware exfiltration. The FDPIC notification is a separate legal obligation with a different legal purpose.

The Board of Directors of any private-sector entity has a duty to ensure:

(a) There is clarity on whether the organisation is within the NCSC’s mandatory reporting scope.

(b) There are tested incident response procedures that meet reporting timelines.

(c) There are pre-established channels for coordinated reporting to the NCSC, cantonal police, and sector regulators.


Below is a breakdown of how reporting obligations would unfold in the hybrid threat scenario developed earlier in this article.

If ABC AG qualifies as a critical infrastructure operator, an initial report to the NCSC must be submitted within 24 hours of discovery of unauthorized network communications and data access.

As soon as forensics confirm that a supplier’s compromised update infected ABC AG and communications with a VPS abroad are identified, there are legal triggers like intrusion, sabotage, and fraud. These indicators justify a criminal complaint to the cantonal prosecutor via the cantonal police.

ABC AG must send a follow-up notification to the NCSC, updating its initial 24-hour report.

If personal data of employees or clients were affected, the company must notify the Federal Data Protection and Information Commissioner (FDPIC) as soon as possible.

The municipality remains uninvolved, as there is no threat to local public order.

As soon as there is evidence that some affected components were exported to the EU, and the incident affects product conformity or safety, ABC AG must inform the Swiss State Secretariat for Economic Affairs (SECO), which acts as Switzerland’s notifying authority to the EU.

SECO (in our opinion the manufacturer too) must inform the EU's Safety Gate mechanism if product safety risks arise. Because the threat now transcends borders, competence shifts upward to federal-level international reporting.

As soon as ABC AG realizes it is the target of a hybrid campaign, the Federal Intelligence Service (Nachrichtendienst des Bundes, NDB) may be contacted. Under the Intelligence Service Act (Nachrichtendienstgesetz, NDG), the NDB collects and analyses hybrid threats against Swiss critical industries. This is an option, not an obligation.

The cantonal police may transmit relevant information to the NDB. The company itself has no legal duty to contact the NDB directly, but, in our opinion, a direct channel and the opportunity to answer all questions directly accelerate the process and provide evidence that ABC AG did everything possible to minimize damage.

There is still no reporting duty to the municipality. If ABC AG voluntarily informs the municipal authorities, it does so under corporate social responsibility, not law.
