Federal Council Considers Introduction of Cyber Incident Reporting Duty
by Jürg Schneider, Christophe Gosken, Florian Roth
Published: December, 2019
While many countries have introduced far-reaching obligations to report cyber incidents, Switzerland has not yet followed this lead. However, on 13 December 2019 the Federal Council adopted a report which considers key issues with regard to the introduction of a general reporting obligation for operators of critical infrastructure. The report also discusses possible implementation models. A decision is expected by the end of 2020. The press release is available in English, German, French and Italian.
Contrary to international trends, Switzerland has not yet adopted a general obligation to report cyber incidents. The current system is based on voluntary notification and information exchange via the Reporting and Analysis Centre for Information Assurance and, depending on the sector of activity (eg, nuclear, financial or telecoms services), mandatory notification to the supervisory authority. The introduction of a general obligation to report cyber incidents has been one of the objectives of Switzerland's National Strategy to Protect Switzerland Against Cyber Risks (NCS) (for further details please see "Federal Council to create new cybersecurity competence centre"). Based on the newly adopted report, the Federal Council will examine the following four implementation models:
In view of the rapid development of cyber risks, the Federal Council's upcoming decision could have a considerable impact on the compliance obligations of companies in certain industry sectors. It will therefore be necessary to monitor developments in this area.