
As previously reported in our blog post on cyber-security obligations for financial services providers in Switzerland, an amendment to the Swiss Information Security Act ("ISA") (Informationssicherheitsgesetz) ("Amendment") to introduce an obligation for critical infrastructure providers to report certain cyber-attacks and information security weaknesses to the National Cyber Security Centre ("NCSC") has been a recent focus for Swiss legislators. The Amendment was passed by the Swiss parliament in September 2023 and entered into force on 1 July 2024. The Swiss Federal Council has now agreed that the reporting obligation will start applying from 1 April 2025.
In this blogpost we provide an overview of the Amendment and compare aspects of it with its European Union ("EU") counterpart in the financial services area, the Digital Operational Resilience Act ("DORA").
Overview of Reporting Obligation to NCSC
Entities identified in Art. 74b para. 1 of the Amendment (including those subject to the Banking Act, the Insurance Supervision Act, and the Financial Infrastructure Act) are required to report certain cyber-attacks to the NCSC. The reporting obligation applies to cyber-attacks that have an impact on Switzerland, even if the affected IT infrastructure is located abroad. According to Art. 74d of the Amendment, cyber-attacks must be reported if they:
- Jeopardise the functionality of the affected critical infrastructure;
- Have led to a manipulation or leakage of information;
- Remained undetected for an extended period of time, especially if there are indications that they were carried out in preparation for further cyber-attacks; or
- Involved extortion, threats, or coercion.
Under Art. 74c of the Amendment, no report to the NCSC is required where the Federal Council (Bundesrat) has decreed that a cyber-attack on the particular organization would have only a small impact on the functioning of the economy or the welfare of the population[1].
Reports must be made within 24 hours of the discovery of a cyber-attack, although the NCSC may grant the reporting organization an extension of up to 14 days in cases where not all relevant information is available within the first 24 hours. Intentional breaches of the reporting obligation are punishable by a fine of up to CHF 100,000. However, fines will only be levied once two deadlines set by the NCSC have been intentionally disregarded. Furthermore, the Federal Council has confirmed that fines will only be imposed from 1 October 2025 onwards. This means that while reporting cyber-attacks will be mandatory from 1 April 2025, sanctions for breaches of the Amendment will not be imposed during the first six months.
Reporting Mechanics
The NCSC reporting form will be available on the NCSC's Cyber Security Hub, but those organizations not registered on the platform can submit reports by email. The content of the report is detailed in Art. 15 of the Cybersecurity Ordinance.
The existing reporting obligations to FINMA pursuant to the Guidance 05/2020 will remain in place. In June 2024 FINMA published new guidance, in which it clarified that entities which are also subject to the reporting obligation under the ISA have the option to submit their 24-hour notification via the NCSC reporting tool and opt to forward the report to FINMA, provided this can be done within the deadline.[2] However, the full 72-hour notification must still be submitted via the FINMA web-based tool and application platform EHP.
Freedom of Information
While the Swiss Freedom of Information Act (Öffentlichkeitsgesetz) (the "FoI Act") takes precedence over the ISA, information related to cyber incidents that the NCSC receives from third parties is excluded from the FoI Act. Therefore, the NCSC may not share or publish any information on cyber incidents that allows reporting or affected parties to be identified, unless their consent has been obtained. However, this rule does not apply in the following circumstances:
- Forwarding to the Federal Intelligence Service (Nachrichtendienst des Bundes) if the information is relevant for assessing the threat situation or providing early warning to critical infrastructures; or
- Forwarding to the criminal justice authorities if the report contains information on serious criminal offences (this is at the discretion of the head of the NCSC, as NCSC employees are not required to report criminal offences).
Comparison with DORA
As mentioned in our earlier blog post, the EU has been revising its cyber-security legislation over the last few years. While the so-called NIS 2 had to be transposed into national law by 17 October 2024, DORA, which contains an ICT risk management framework specifically for financial entities, entered into force on 17 January 2025. NIS 2 contains a carve-out for areas where the provisions of other EU legislation are comparable, in which case it does not apply. In this blogpost we therefore focus on the relevant provisions of DORA only.
DORA goes beyond the traditional focus of financial resilience and is concerned with financial firms' ICT-related risks. Unlike the Amendment, it also applies to a broader range of financial institutions and covers, amongst others, payment and e-money institutions, crypto-asset service providers, managers of alternative investment funds, institutions for occupational retirement provision, and crowdfunding service providers.
Similar to the Amendment, DORA contains reporting requirements. Art. 19 DORA mandates in-scope entities to report "major" incidents to the appropriate competent authority. "Significant" cyber threats may be voluntarily notified if they are deemed a "threat to be of relevance to the financial system, service users or clients." Financial entities may generally outsource the reporting obligations to third parties. However, they remain fully responsible for the fulfilment of the reporting requirements.
Financial entities shall submit the following to the competent authority:
- An initial notification;
- An intermediate report once the status or the handling of the incident has changed significantly, followed by notifications each time a relevant status update is available or upon request by the competent authority; and
- A final report, when the root cause analysis has been completed and when the actual impact figures are available to replace estimates.
Receipt of the initial notification and of each report is acknowledged by the competent authority and feedback, high-level guidance, remedies and ways to minimise adverse impacts are discussed. Having reported an incident does not relieve an entity of the obligation to handle it and it remains fully responsible for an incident's consequences.
DORA provides for a broader range of penalties than the Amendment, including administrative penalties and remedial measures. Competent authorities have all supervisory, investigatory and sanctioning powers necessary to fulfil their duties. This includes access to any document or data considered relevant for the performance of their duties, carrying out on-site inspections or investigations, and requiring corrective and remedial measures.
EU Member States have the right to impose criminal penalties and shall lay down rules establishing appropriate administrative penalties and remedial measures unless infractions are already subject to criminal penalties under national law.
Conclusion
While important distinctions between the Swiss and EU rules in this area remain, including as they pertain to the financial services sector, they both follow the worldwide pattern of strengthening legislative cyber-security posture. Now more than ever, given the growing body of legislation in the area, new and established Swiss financial services providers need to ensure they are ready to prevent, mitigate and report cyber-attacks. We will publish further blogposts in the future to provide updates on financial services and cyber-security.
Authors: Jana Essebier, Stefan Grieder, Maximilian Riegel
[1] The Cybersecurity Ordinance (Cybersicherheitsverordnung) contains further details on this point.
[2] You can find a summary of the guidance in our blogpost here.