On 16 February 2026, the Swiss National Cyber Security Centre (NCSC) published its Annual Report for 2025. The document offers the most comprehensive public picture of Switzerland's cyber threat landscape and the state of the country's defences. For security teams, CISOs, and compliance officers, it is essential reading — not for the headline numbers alone, but for the patterns those numbers reveal.
The Headline Figures
In 2025, the NCSC processed 64,733 voluntary reports of cyber incidents — approximately 2,000 more than in 2024. While the year-on-year growth rate has moderated compared to previous years, the absolute volume confirms that cyber incident reporting in Switzerland has stabilised at a structurally elevated level. The ratio of reports from the general public versus organisations remained steady at roughly 90% to 10%.
The Critical Infrastructure Reporting Obligation: First Results
One of the most significant structural developments of 2025 was the introduction of a mandatory reporting obligation for operators of critical infrastructure under the Information Security Act (ISA), effective 1 April 2025. By year-end, the NCSC had received 222 reports under this obligation — a number that will grow substantially as awareness increases and enforcement matures. Penalties for non-reporting of up to CHF 100,000 apply from October 2025.
Key Takeaway
If your organisation operates critical infrastructure and has not yet integrated the NCSC's mandatory reporting workflow into your incident response plan, this is a compliance gap with financial and reputational consequences. The 24-hour reporting window under the ISA requires pre-built processes — not improvisation at the time of an incident.
Operational Implications for Security Teams
- Incident response plans must include NCSC mandatory reporting workflows for any organisation that may qualify as critical infrastructure under the ISA — including cantonal administrations, financial institutions, energy providers, and healthcare organisations.
- Investment fraud awareness should be added to security awareness programmes targeting employees likely to handle client funds or execute financial transactions.
- TWINT as an attack surface requires explicit coverage in phishing awareness training — particularly for customer-facing staff at banks and payment service providers.
- Vulnerability disclosure programmes are increasingly expected: the 41% growth in ethical hacking reports suggests the Swiss security research community is active and engaged.
- Engage the FS-CSC if you operate in the financial sector — its threat intelligence sharing and joint protective measures represent a force multiplier that no individual institution can replicate independently.