MilesGuard
DE
ISGReporting ObligationComplianceBACS

ISG Reporting Obligation: What Swiss Companies Need to Know Now

6 April 2026|7 min read

Since April 2025, cyberattacks on critical infrastructure operators must be reported. Since October 2025, violations carry fines of up to CHF 100,000. We explain who is affected, what must be reported and how to prepare.

A ransomware attack shuts down your production. You have 24 hours to report the incident to the BACS (Federal Office for Cybersecurity). Do you know who in your organisation triggers that report? The ISG (Information Security Act) has required mandatory reporting of cyberattacks on critical infrastructure operators since April 2025. Since October 2025, violations are punishable by fines of up to CHF 100,000 against responsible individuals. In the first twelve months since the obligation took effect, over 325 mandatory reports were submitted to the BACS.

Who Is Affected?

The reporting obligation covers 9 sectors with 27 subsectors: energy, drinking water, wastewater, transport, healthcare, banks, insurance, digital infrastructure and public administration. Suppliers and IT service providers working for these sectors can also be indirectly affected. Check against the BACS criteria list whether your company falls under the definition. When in doubt, report.

How the Reporting Process Works

The report must be filed within 24 hours of discovery, via the BACS Cyber Security Hub (security-hub.ncsc.admin.ch) or the general reporting form (report.ncsc.admin.ch). Required information includes the affected system, the type of attack and the immediate response measures taken. A detailed follow-up report with root cause analysis and an action plan must be submitted within 14 days. The report does not replace filing a complaint with the cantonal police.

Preparation: The Reporting Playbook

Prepare now, not after an incident. Create a reporting playbook with clear responsibilities. Define who files the initial report, who provides the technical analysis and who handles internal communications. Test the process in a tabletop exercise. Document your critical systems and their dependencies. This preparation takes one working day. A late report costs considerably more.

How MilesGuard Supports You

MilesGuard helps companies with ISG readiness assessments: we determine whether you are subject to the reporting obligation, create your reporting playbook and run a simulation exercise. This way you are prepared before an incident occurs.

Quellen

  • [1] BACS (ncsc.admin.ch)
  • [2] Cybersecurity Ordinance (CSV)
  • [3] ISG Reporting Obligation
Share:LinkedIn

Weitere Beiträge

nDSG and IT Security: 10 Technical Measures for SMEs

9 March 2026

Cyber Resilience Act: What Swiss Manufacturers Must Do Now

19 January 2026

Ransomware Attack on Your SME: The First 60 Minutes

23 March 2026

Related Services

Security Audits →CISO as a Service →
Miles Strässle

Miles Strässle

Founder, MilesGuard GmbH

Security questions? Talk to us.

Our blog posts are continually updated on the original site. For individual advice, we are available at any time.

Schedule a Consultation