Reporting cyber incidents in Switzerland: a guide for individuals and businesses

In Switzerland, a cyber incident is reported roughly every eight minutes, and most of these alerts come from ordinary individuals. Fake texts, hacked accounts, investment scams: no one is safe. Faced with this threat, the Federal Office for Cybersecurity (OFCS) acts as a central point of contact, both for the individual affected and for the business targeted by an attack. The rules, however, are not the same for everyone. For most of us, reporting remains a voluntary act; for certain strategic companies, it is a legal obligation with strict deadlines. This article distinguishes the two situations and explains, in each case, when and how to report.

Key points

  • Single point of contact: the Federal Office for Cybersecurity (OFCS), through its online form.
  • Individuals: voluntary reporting, free of charge, possible anonymously. No obligation.
  • SMEs and ordinary businesses: no obligation to report to the OFCS (the ISA does not cover them), so reporting is voluntary on that basis. However, any company, regardless of size, must notify the Federal Data Protection and Information Commissioner (FDPIC) of a personal data breach that entails a high risk to the persons concerned (art. 24 para. 1 FADP). This obligation exists independently of the ISA.
  • Critical infrastructure only (banks, energy, water, hospital care, telecoms, transport, cloud, public authorities): reporting to the OFCS is mandatory within 24 hours (art. 74e ISA), with the option to complete it within 14 days. The FDPIC obligation applies on top if personal data is affected.
  • Penalty: up to CHF 100,000, but only after an ignored formal notice, and applicable since 1 October 2025. It targets the natural person responsible.
  • Reporting ≠ filing a complaint: the OFCS is not a criminal prosecution authority. For an offence, file a complaint with the police (a police station or the Suisse ePolice portal for certain online offences).
  • Personal data affected: a separate notification to the Commissioner (FDPIC) may be required (art. 24 FADP).

For individuals: a simple, free reflex

If you are the victim of an online scam, an account hack or a suspicious message, you can report it to the Federal Office for Cybersecurity (OFCS). This report is entirely voluntary, free of charge, and can even be anonymous. The law indeed provides that reports may be made without revealing one’s identity (art. 73b para. 1 ISA). Note, however, that leaving a means of contact allows the OFCS to get back to you and follow up on your case.

Reporting is done online, in a few minutes, through a dedicated form. You immediately receive an initial assessment, generated automatically, which points you toward the steps to take. You can then forward the case to the OFCS, where it is handled in greater depth by its teams.

Why do it, when nothing requires you to? Because every report helps the OFCS spot new forms of scams and warn the public before they reach more people. Your report therefore protects others as well. The figures show the scale of the phenomenon: in 2025, the OFCS received 64,733 voluntary reports, 90% of them from the public. More than half concerned attempted fraud, and nearly a fifth phishing. It is thanks to these reports that the authorities were able to identify the dominant trends: fake calls from authorities, increasingly personalised phishing, and fraud through online classified ads.

It is important to understand that reporting an incident to the OFCS is not the same as filing a criminal complaint. The OFCS is not a criminal prosecution authority. If you have suffered an offence (scam, blackmail, data theft, etc.), you must also file a complaint with the police: at a police station or online via the Suisse ePolice portal (https://www.suisse-epolice.ch/home) for certain offences. The two steps are complementary.

For businesses: voluntary for most, mandatory for some

This is where the most common confusion lies: believing that any company hit by a cyberattack risks a fine if it fails to report it. In reality, everything depends on the nature of your business.

Most businesses: voluntary reporting

If you run an SME, a shop, a practice or a self-employed activity, you are not subject to the ISA reporting obligation: it covers only critical infrastructure. On that basis, reporting a cyberattack to the OFCS works for you as it does for an individual: it is voluntary, but strongly encouraged.

Beware, however, of a separate obligation that may indeed concern you. The Federal Act on Data Protection (FADP) requires every company, regardless of size, to notify the Federal Data Protection and Information Commissioner (FDPIC) of data security breaches that entail a high risk to the persons concerned (art. 24 para. 1 FADP). Concretely: if a cyberattack exposes or compromises data of clients, patients or employees, notifying the FDPIC may be mandatory, even for a small organisation.

Not all breaches are covered, only those crossing this risk threshold. “High risk” is assessed by weighing the severity of the possible harm against the likelihood that it occurs. Particularly sensitive data (health, financial situation), data that directly enables account takeover (login credentials), a large number of people affected, or a danger of identity theft all raise this risk. The notification must then be made as soon as possible, through the FDPIC’s online form. This flexible deadline differs from the GDPR, which requires notification without undue delay and, where feasible, within 72 hours of becoming aware of the breach (art. 33 GDPR). In addition, where it is necessary to protect the people affected, the company must also inform them directly of the breach (art. 24 para. 4 FADP), and not merely notify the authority.

The value of voluntary reporting to the OFCS, for its part, goes beyond civic duty. By reporting, you can benefit from OFCS advice and contribute to a national mapping of threats that ultimately benefits everyone. Cybercriminals are, moreover, increasingly targeting mid-sized organisations holding sensitive data, precisely because they are often less well protected than large groups.

One category of company, by contrast, does have a genuine legal obligation to report. Since 1 April 2025, operators of critical infrastructure must report any serious cyberattack to the OFCS within 24 hours of detecting it (art. 74e para. 1 ISA). This obligation was introduced by the revision of the Information Security Act (art. 73 et seq. ISA) and detailed by the Cybersecurity Ordinance (CSO), both in force since that date. For its first partial year of application, 222 reports were received on this basis, mainly from public administration, the information and communication sector, and financial players.

Those covered notably include (full list in art. 74b ISA): banks, insurers and financial market infrastructures; energy and water supply companies; hospitals and certain healthcare players; telecommunications operators; certain transport (rail, aviation, shipping); cloud service providers established in Switzerland; as well as public authorities and universities.

Not all organisations in these sectors are subject to the obligation, however. The ordinance exempts certain small structures (art. 12 CSO): for example universities with fewer than 2,000 students, or, in several sectors, organisations employing fewer than 50 people and whose annual turnover or balance sheet total does not exceed 10 million francs in the relevant field. When in doubt about its own status, an organisation can ask the OFCS to decide (art. 74a para. 2 ISA).

The obligation is triggered only for serious attacks (art. 74d ISA): those that jeopardise the functioning of the infrastructure, that lead to a manipulation or leak of data, that went undetected for an extended period, or that are accompanied by blackmail or threats. The 24-hour clock starts at detection, not at the point where the full picture is known: if not all information is available within 24 hours, an initial report is still due and the OFCS grants a 14-day period to complete it (the principle of completion is set out in art. 74e para. 3 ISA; the deadline itself is fixed by art. 16 para. 1 CSO).

In the event of non-compliance, the company is not penalised automatically. The OFCS first issues a reminder and sets a deadline (art. 74g ISA). Only if the organisation ignores this formal notice can a fine, of up to 100,000 francs, be imposed. This fine targets the natural person responsible for reporting (art. 74h ISA). These penalties have been fully applicable since 1 October 2025.

Reporting is not only a constraint: by reporting an attack, the organisation concerned is entitled to OFCS support in handling the incident (art. 74 para. 3 ISA). This support, which is optional, can range from technical recommendations to direct assistance where the functioning of the infrastructure is at risk and equivalent help is not quickly available on the market.

Finally, the OFCS form makes life easier for companies subject to several obligations: by ticking boxes, it allows the report to be forwarded simultaneously to other relevant authorities, such as the financial market supervisory authority or the Data Protection Commissioner.

Reporting, a requirement that extends beyond Switzerland

The Swiss obligation is not a local quirk. Incident reporting has become a cross-cutting pillar of cybersecurity, present in laws as much as in professional standards. To navigate it, two families, often confused with each other, must be kept apart.

On one side, the legal obligations, which are binding and whose breach is sanctioned:

  • in Switzerland, the Information Security Act (art. 73 et seq. ISA) requires reporting to the OFCS for critical infrastructure, and the Data Protection Act requires every data controller to notify the Federal Commissioner (FDPIC), as soon as possible, of data breaches likely to entail a high risk to the persons concerned (art. 24 para. 1 FADP);
  • in the European Union, the GDPR requires notification of a personal data breach to the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it (art. 33 GDPR); the NIS2 directive requires a multi-stage report of significant incidents (early warning within 24 hours, incident notification within 72 hours, final report within one month) with personal liability for executives; and the DORA regulation requires a three-stage report (initial notification, intermediate report, final report) of major ICT-related incidents in the financial sector.

On the other side, the voluntary standards, which an organisation adopts to structure its security or obtain certification:

  • the ISO/IEC 27001 standard includes incident management and reporting among its controls, and often serves as the foundation for other frameworks;
  • the NIST Cybersecurity Framework 2.0 places reporting within its “Respond” function, among its six functions (Govern, Identify, Protect, Detect, Respond, Recover).

A key point for a Swiss company: NIS2 and DORA are European law and do not apply to a company merely because it is established in Switzerland. They may, however, reach a Swiss company that is active on the EU market, for instance through the obligations of its EU clients or supervisors. As for the ISO and NIST standards, they impose nothing in themselves: they provide the method for meeting the legal obligations properly (an incident classification, an escalation path, a reporting procedure that can actually be executed within 24 hours), which explains why so many organisations adopt them as the backbone of their compliance.

In summary

| | Individuals | SMEs and ordinary businesses | Critical infrastructure |
| --- | --- | --- | --- |
| Reporting to the OFCS (ISA) | Voluntary | Voluntary | Mandatory |
| Deadline (ISA) | None | None | 24 hours from detection (completion within 14 days) |
| Notification to the FDPIC (FADP) | Not applicable | Mandatory if a high-risk data breach | Mandatory if a high-risk data breach |
| Deadline (FADP) | Not applicable | As soon as possible | As soon as possible |
| Anonymous possible (OFCS report) | Yes | Yes (voluntary report, as for an individual) | No |
| Risk of a fine | None | Possible under the FADP | Yes (ISA, after an ignored notice) and FADP |

Whatever your profile, the entry point for reporting to the OFCS is the same: its online form. If personal data is affected, remember the separate notification to the FDPIC. And in all cases, if a criminal offence is involved, reporting does not replace a complaint to the police (police station or Suisse ePolice portal).


Sources

Reporting and OFCS portal

2025 statistics

Swiss legal framework

International frameworks cited

  • GDPR, NIS2 directive and DORA regulation (European Union)
  • ISO/IEC 27001 and NIST Cybersecurity Framework 2.0 standards

Links verified at the time of writing. The content of the OFCS portal and the form may change; check the version in force before taking any official steps.