Continue reading on DataGuidance with:
Free Member
Limited ArticlesCreate an account to continue accessing select articles, resources, and guidance notes.
Already have an account? Log in
Switzerland: Federal Council opens consultation on Cybersecurity Ordinance
On May 22, 2024, the Federal Data Protection and Information Commissioner (FDPIC) announced that the Swiss Federal Council opened a consultation on the new Cybersecurity Ordinance (the Ordinance).
What are the main aspects of the Ordinance?
The FDPIC noted that in 2023, the Parliament adopted amendments to the Information Security Act (ISA), introducing an obligation to report cyberattacks to critical infrastructures. The Ordinance aims to set out how the reporting obligation will be implemented.
In particular, the Ordinance regulates:
- the scope of the reporting obligation for authorities and organizations;
- the types of cyberattacks;
- the content of the report; and
- deadlines.
What are the exemptions to the reporting obligation?
The Ordinance provides for exemptions applicable to authorities and companies suffering a cyberattack that has no direct impact on the functioning of the economy or the well-being of the population. For specific sectors, the Ordinance establishes thresholds below which organizations are not required to report an attack. Moreover, a general exemption applies to companies with fewer than 50 employees, an annual turnover of less than CHF 10 million (approx. $11 million), and authorities that are responsible for fewer than 1,000 individuals.
National cybersecurity strategy
Furthermore, the Ordinance regulates the national cybersecurity strategy and its responsible Committee, as well as the tasks of the National Cyber Security Centre (NCSC) in relation to cyberattacks.
Consultation deadline
The consultation ends on September 13, 2024.
You can read the Federal Council's announcement here and the draft Cybersecurity Ordinance here, both only available in French, and the press release here.