Reporting Obligations After Cyber Attacks in Switzerland: nFADP, BACS & the 10-Step Emergency Plan

· Editorial cyberversicherung.ch

Reporting Obligations After Cyber Attacks in Switzerland — An Overview

Switzerland has significantly tightened its regulatory framework for dealing with cyber attacks and data protection violations. Two central regulations determine what companies must report after a cyber incident:

  1. The new Federal Act on Data Protection (nFADP) — in force since 1 September 2023 — requires notification of data protection violations to the FDPIC (Federal Data Protection and Information Commissioner) within 72 hours.

  2. The BACS reporting obligation — in force since 1 April 2025 — requires operators of critical infrastructure to report cyber attacks to the Federal Office for Cybersecurity (BACS) within 24 hours.

Additionally, there are sector-specific reporting obligations (FINMA for financial institutions, Swissmedic for pharmaceuticals, etc.) and the obligation to file a criminal complaint.

Violations risk fines of up to CHF 250,000 (personal liability!) and reputational damage that can threaten the company's existence.

Key Deadlines at a Glance

Reporting obligation | To whom? | Deadline | Since when? | Who is affected?
nFADP Art. 24 | FDPIC | 72 hours | 1.9.2023 | All companies processing personal data
BACS obligation | BACS | 24 hours | 1.4.2025 | Operators of critical infrastructure
FINMA | FINMA | Immediately (typically 24–72h) | Since 2008 (tightened 2023) | Banks, insurers, financial market infrastructure
Criminal complaint | Cantonal police | No fixed deadline | | Recommended for all victims

The nFADP — Reporting Obligation Since 1.9.2023

The revised Federal Act on Data Protection (FADP, commonly nFADP) entered into force on 1 September 2023. Key requirements:

  • Report to the FDPIC within 72 hours when a data security breach likely poses a high risk to affected persons
  • Personal fines of up to CHF 250,000 for responsible individuals (CEO, CTO, CISO)
  • Fines target natural persons, not the company — a fundamental difference from the EU GDPR

Since September 2023, the FDPIC has received over 1,800 data breach reports. Around 35% relate to cyber attacks. The average reporting time is 4.2 days — many companies fail to meet the 72-hour deadline.


The BACS Reporting Obligation for Critical Infrastructure — Since 1.4.2025

Operators of critical infrastructure in sectors including energy, water, transport, healthcare, finance, telecommunications, government, food supply, universities and IT service providers must report within 24 hours. The reporting follows a three-phase model:

Phase | Deadline | Content
Initial report | 24 hours after discovery | Basic information: type of attack, affected systems, initial assessment
Supplementary report | 14 days | Detailed information: cause, extent, measures taken
Final report | After completion of response | Complete report: root cause, damage, lessons learned

Penalties for non-compliance: fines up to CHF 100,000.


What to Do After a Cyber Attack — The 10-Step Emergency Plan

  1. Stay calm and activate the crisis team (Minute 0–15) — Call the 24/7 cyber insurance hotline immediately
  2. Isolate systems, but do NOT shut them down (Minute 15–60) — Volatile data in RAM is essential for forensics
  3. Assess scope and document (Hour 1–4) — Determine if personal data is affected
  4. Initiate IT forensics (Hour 2–6) — Costs: CHF 5,000–300,000+ (covered by cyber insurance)
  5. Check and comply with reporting obligations (Hour 4–24)
  6. File criminal complaint (Hour 6–48)
  7. Start crisis communication (Hour 6–48) — PR costs: CHF 10,000–60,000 (covered)
  8. Restore systems (Day 2–30+) — Only after forensic clearance
  9. Notify affected persons (Week 1–4) — Costs: CHF 8–15 per person (covered)
  10. Lessons learned and improvements (Week 4–12)

How Cyber Insurance Helps with Reporting Obligations

The cyber insurer provides specialised data protection lawyers within 2–4 hours who check reporting obligations, draft reports to authorities on time, and minimise the risk of fines.

Coverage of Compliance Costs

Cost item | Typical amount | Covered?
Specialised data protection lawyers | CHF 15,000–80,000 | Yes
Notification of affected persons | CHF 8–15 per person | Yes
Call centre for affected persons | CHF 10,000–50,000 | Yes
Fines (where insurable) | Up to CHF 250,000 | Varies by canton
Typical total compliance cost | CHF 50,000–500,000 | Largely covered

Consequences of Non-Compliance

Violation | Possible consequence
Late nFADP report to FDPIC | Fine up to CHF 250,000 (personal)
No nFADP report | Fine + criminal proceedings
Late BACS report | Fine up to CHF 100,000 + regulatory order
No notification of affected persons | Fine + civil lawsuits

Personal Liability — An Often Underestimated Risk

The nFADP directs fines primarily at natural persons. This means that the CEO, CTO, CISO or data protection officer can be personally fined up to CHF 250,000, payable from their own assets.


FAQ

Must I report every cyber attack to the FDPIC?

No. Only when personal data is affected AND there is a high risk to the affected persons. When in doubt, it is better to report.

What if I miss the 72-hour deadline?

Report as quickly as possible anyway and explain the delay. A late report is always better than no report.

As a small SME, am I subject to the BACS reporting obligation?

Only if you operate critical infrastructure or provide IT services for critical infrastructure operators. The nFADP obligation applies to all companies processing personal data.


Conclusion: Preparation Is the Best Protection

  1. nFADP: 72 hours — report to FDPIC for data breaches with high risk
  2. BACS: 24 hours — report for cyber attacks on critical infrastructure
  3. Fines up to CHF 250,000 — personal liability of responsible individuals
  4. The 10-step emergency plan provides clear guidance for the emergency
  5. Cyber insurance is your most important ally — for legal advice, forensics, reports and cost coverage

Your next step: Contact BTAG Versicherungsbroker AG for a free analysis of your insurance coverage regarding reporting obligations, compliance and emergency management.

Have questions about cyber insurance?

Our partners at BTAG are happy to advise you — free and with no obligation.

A service of BTAG Versicherungsbroker AG, Bern — independent advice since 1990.

BTAG Versicherungsbroker AG, member of SIBA, FINMA register no. 12229