Switzerland's mandatory cyber-incident reporting obligation — introduced under the revised Federal Act on Information Security (ISA) and the Cybersecurity Ordinance that entered into force in April 2025 — is exiting its transitional period at mid-2026. The transitional phase gave critical infrastructure operators time to build notification capabilities and establish reporting processes before enforcement began in earnest. That accommodation is ending. The NCSC (National Cyber Security Centre, operating under the BACS brand) is expected to apply a more demanding supervisory posture to delayed reports, incomplete notifications, and repeated infringements following the close of the transitional period. For FINMA-supervised institutions, the ISA obligation runs in parallel to — and is entirely independent of — FINMA's own incident reporting requirements under FINMA Supervisory Guidance 03/2024: a single cyber incident may trigger simultaneous, independent notification obligations to two authorities, with different clocks, different content requirements, and different consequences for non-compliance.
What the ISA Reporting Obligation Requires
The ISA's cyber-incident reporting obligation applies to operators of critical infrastructure in Switzerland across the sectors defined in the Cybersecurity Ordinance: financial market infrastructure, energy, transport, healthcare, water supply, and digital infrastructure. The reporting timeline is 24 hours from the moment an organisation becomes aware of a reportable incident. A reportable incident is one that has or could have significant impact on critical functions, the confidentiality, integrity or availability of systems, or public security.
The notification submitted within 24 hours is an initial notification — a summary of what is known at the time of reporting. A full incident report follows within 14 days, providing a complete account of the incident, its scope, and the response taken. The NCSC uses these notifications to build a national cyber threat picture and may share anonymised information across sectors to improve collective situational awareness. Organisations that fail to notify, notify late, or submit materially incomplete notifications face supervisory consequences defined in the ordinance, with the possibility of referral to cantonal or federal prosecution authorities for deliberate or grossly negligent non-compliance.
The FINMA Parallel Track
FINMA-supervised entities — banks, insurers, securities dealers, and their directly supervised subsidiaries — carry a dual notification obligation that operates independently of the ISA track. Under FINMA Supervisory Guidance 03/2024, FINMA requires notification of cyber incidents meeting its own materiality thresholds: incidents involving data exfiltration, significant operational impact, third-party compromise, or reputational risk must be reported to FINMA within 24 hours of discovery via the FINMA SuperWeb portal.
The FINMA clock and the NCSC clock run independently from the same triggering event. A ransomware attack on a FINMA-supervised bank triggers two simultaneous 24-hour notification windows to two different supervisory authorities, with partially overlapping but not identical content requirements. FINMA-supervised entities must ensure their incident response runbooks contain explicit dual-notification procedures — not a single workflow that assumes one report satisfies both authorities. The assumption that FINMA notification implicitly satisfies the ISA obligation, or vice versa, is incorrect and creates enforcement exposure at both regulators simultaneously.
Enforcement Posture After the Transitional Period
The end of the transitional period represents a deliberate shift in NCSC supervisory philosophy from capacity-building to accountability. Several patterns will define the harder enforcement line. Organisations that self-report only after media coverage of an incident will attract disproportionate scrutiny compared to those that notified within the 24-hour window — the supervisory record will distinguish between proactive reporters and reactive ones. Organisations with a history of multiple late or incomplete notifications will be assessed for supervisory intervention. And organisations in sectors where the NCSC has concentrated supervisory resources — financial infrastructure, healthcare, energy — should expect more proactive follow-up on the quality and completeness of notifications, not merely their timeliness.
The NCSC is also expected to coordinate with FINMA on incidents affecting dually supervised entities, building a cross-authority picture of institutions that are systematically late or deficient in their reporting obligations. An institution that notifies FINMA promptly but delays its ISA notification — or notifies NCSC with incomplete information while providing a comprehensive report to FINMA — creates an inconsistency that supervisory coordination will surface.
◆ Key Takeaway
The transitional period provided time to build the notification capability. Its end means that capability is now expected to be operational, tested, and exercised. Swiss critical infrastructure operators that have not yet run a timed end-to-end exercise of their 24-hour notification pipeline — from incident discovery through initial NCSC report submission — are operating a supervised process without proof it works. The first real test will be under time pressure, with a regulator that has explicitly signalled it is moving from tolerance to enforcement.
- Conduct an end-to-end timed test of your ISA notification workflow before the close of the transitional period. Run a tabletop exercise that begins with a simulated incident discovery and ends with a completed initial notification submitted to the NCSC reporting portal — measuring actual elapsed time against the 24-hour window and identifying every bottleneck in the chain.
- Confirm who holds the notification authority and ensure they are reachable out of hours. The 24-hour window runs regardless of time zone, weekends, and public holidays. The designated individual must be identified, trained, have portal access credentials, and be reachable at 3am on a Saturday.
- For FINMA-supervised entities, build a dual-notification checklist into your incident response runbook as a distinct procedural step. The FINMA SuperWeb report and the ISA NCSC notification are separate submissions with separate requirements. Completing one does not satisfy the other; treat them as parallel obligations with a shared start time.
- Verify what constitutes a reportable incident under your sector's Cybersecurity Ordinance definition. The threshold — significant impact on critical functions — requires an active determination in the first hours of an incident. Your incident triage team needs documented criteria for making this call quickly, not a reference to the regulation text.
- Brief your board and executive leadership on the enforcement posture change. The end of the transitional period is a material regulatory risk event. Board members who approved the incident response framework should know that the supervisory expectations have shifted and that the consequences of late reporting are now enforceable.
- Review the 14-day full report requirements with NCSC's published guidance. The initial 24-hour notification is followed by a comprehensive incident report. Ensure your forensic, legal, and communications teams understand what the full report requires and can deliver it within 14 days of the initial report — not 14 days after the incident is resolved.
- Document notification testing as evidence for supervisory assessments. A record of completed tabletop exercises, measured notification timelines, and identified process improvements demonstrates compliance maturity. This record is an asset if the NCSC or FINMA asks about your reporting readiness — and a liability if it does not exist.
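As an added illustration of the timed exercise and dual-clock points above (not code from the page or from any regulator), the following script scores a tabletop exercise log against the three windows the article describes: 24 hours to the NCSC, 24 hours to FINMA for supervised entities, both counted from discovery, and 14 days for the full ISA report counted from the initial ISA notification rather than from incident resolution. The event names and the log itself are constructed for the example.

```python
from datetime import datetime, timedelta

# Windows as described on the page: two independent 24h initial notifications
# from discovery, and a 14-day full report measured from the initial ISA report.
ISA_INITIAL = timedelta(hours=24)
FINMA_INITIAL = timedelta(hours=24)
ISA_FULL = timedelta(days=14)

# Constructed tabletop-exercise log (not real data): "<event> <ISO timestamp>".
EXERCISE_LOG = """\
discovery 2026-07-04T02:10:00
isa_initial 2026-07-04T19:45:00
finma_initial 2026-07-05T03:30:00
isa_full 2026-07-17T16:00:00
"""

def parse_log(text):
    """Map each event name to its timestamp; one event per line."""
    events = {}
    for line in text.splitlines():
        if line.strip():
            name, stamp = line.split()
            events[name] = datetime.fromisoformat(stamp)
    return events

def obligations(events, finma_supervised):
    """Return {obligation: (deadline, submitted_at or None)} for one incident."""
    discovery = events["discovery"]
    obl = {"isa_initial": (discovery + ISA_INITIAL, events.get("isa_initial"))}
    if finma_supervised:  # separate submission, same start time as the ISA clock
        obl["finma_initial"] = (discovery + FINMA_INITIAL, events.get("finma_initial"))
    if "isa_initial" in events:  # 14 days run from the initial report
        obl["isa_full"] = (events["isa_initial"] + ISA_FULL, events.get("isa_full"))
    return obl

def assess(events, finma_supervised=True):
    """Per obligation: ('met' | 'late' | 'missing', hours elapsed since discovery)."""
    result = {}
    for name, (deadline, submitted) in obligations(events, finma_supervised).items():
        if submitted is None:
            result[name] = ("missing", None)
            continue
        elapsed = (submitted - events["discovery"]).total_seconds() / 3600
        result[name] = ("met" if submitted <= deadline else "late", round(elapsed, 1))
    return result

if __name__ == "__main__":
    for name, (status, hours) in assess(parse_log(EXERCISE_LOG)).items():
        print(f"{name:14} {status:8} elapsed={hours}h")
```

In the constructed log the FINMA submission lands 25.3 hours after discovery, which is exactly the kind of bottleneck a timed exercise is meant to surface before a real incident does.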
The end of the transitional period is not a new obligation — the ISA reporting requirement has applied since April 2025. What changes is the supervisory consequence of failing to meet it. Swiss organisations that have built functional notification pipelines and exercised them will find the transition from tolerance to enforcement straightforward. Those that have treated mandatory reporting as a documentation exercise rather than an operational capability will face their first real test at the moment of an incident — under time pressure, with a supervisory authority that has moved from patient to accountable. That is not the moment to discover the 24-hour pipeline does not work.