The first complete reporting cycle under Switzerland’s new mandatory disclosure law is not an alarm; it is an X-ray, exposing structural details that were invisible until someone was finally required to look.
A Window That Used to Be Shut
Until 1 April 2025, Switzerland knew about the state of its critical infrastructure in cyberspace mainly through what affected organisations chose to share. The revised Information Security Act (ISG – the federal law governing information security for critical sectors and government bodies) changed that by introducing a 24-hour mandatory reporting obligation for significant cyber incidents. The Federal Office for Cybersecurity, known by its German acronym BACS (formerly the National Cyber Security Centre, NCSC), became the designated recipient. On 30 March 2026, BACS published its semi-annual report covering the second half of 2025 – the first complete six-month period under the new regime. The numbers deserve careful reading, because they tell two stories at once: one about the visible threat landscape, and one about blind spots that only became detectable because organisations are now compelled to report.
Since the obligation took effect, BACS registered 325 mandatory incident reports through the end of December 2025, of which 145 fell within the second half – the period covered by the latest BACS report. Alongside these, 29,006 voluntary reports arrived during the same six months, bringing the 2025 full-year voluntary total to 64,733. BACS itself describes the situation as “relatively stable” and Swiss cyber resilience as “largely robust.” That assessment is not wrong. But it is not reassuring either, once the aggregate numbers are unpacked.
What the Mandatory Reports Show – and What They Do Not
The 325 reports do not represent a random sample of all cyberattacks against Swiss infrastructure. They capture what operators of critical infrastructure across nine ISG-defined sectors judged severe enough to trigger the 24-hour deadline. Everything below that threshold – the ISG explicitly excludes incidents with minor impact on public order, safety, or economic function – stays in the dark. The 325 reports are, in other words, the upper segment of the incident spectrum, not its entirety.
Attack types break down as follows: hacking incidents lead at 20 percent, followed by DDoS at 16 percent and credential theft at 12 percent. Malware and data exfiltration each account for 10 percent, with ransomware at 9 percent. That ransomware ranks only sixth in the mandatory channel is not a sign of relief – ransomware cases are frequently reported through the voluntary track as well and appear with significantly higher numbers in BACS’s dedicated ransomware statistics. The mandatory channel captures a broader spectrum, and that is precisely its value. It reveals that hacking and credential theft are at least as pervasive in the daily reality of critical infrastructure as the more headline-grabbing extortion cases.
The Sector Distribution Contains the Real Story
The breakdown by reporting sector holds the most operationally significant finding. Public administration accounts for 25 percent of all mandatory reports, IT and telecommunications for 18 percent, and banking and insurance for 15.7 percent. That government leads the table is surprising at first glance. In the initial interim assessment covering 164 incidents through autumn 2025, the financial sector had still topped the list. The shift has several explanations.
First, public administration – federal, cantonal, and municipal – is broadly exposed. Every municipality offering digital services is a potential target, and many municipal IT operations run with thinner security budgets than large banks. Second, government entities tend to report more diligently because the political visibility of a missed disclosure is higher than in the private sector. Third, 28 incidents within the federal administration alone demonstrate that even the central infrastructure of the Swiss state faces regular attack pressure. For cantons and municipalities, which often operate smaller IT teams and share security resources, the numbers should directly inform investment decisions.
That IT and telecommunications companies hold second place is less surprising than it is consequential. Organisations that run the digital infrastructure of others – cloud services, data centres, managed services – act as multipliers. A successful attack on a telecom provider or cloud operator affects not just that company but potentially hundreds of downstream organisations. The BACS report underlines this chain logic explicitly: cyberattacks propagate along digital dependencies and cross organisational, sectoral, and national borders.
Akira Dominates the Swiss Ransomware Landscape
The ransomware picture for H2/2025 is dominated by one group: Akira. Out of 57 ransomware incidents reported to BACS in the period, 26 are attributed to Akira – a sharp jump from just 7 attacks in the first half of 2025. Qilin, DragonForce, and LockBit follow far behind with 5 to 6 documented cases each.
Akira’s success in Switzerland has a concrete technical reason that the report names openly: the systematic exploitation of vulnerabilities in SonicWall appliances. A security flaw from 2024, for which the vendor had long provided patches, remained unpatched at numerous organisations. Akira operators scanned specifically for vulnerable SonicWall devices and used the access as their entry point. The pattern is instructive because it shows how little sophistication ransomware groups need when fundamentals are neglected. No zero-day, no AI-driven evasion – a known vulnerability, an available patch, and an organisation that failed to apply it were sufficient.
Beyond the SonicWall issue, the BACS report highlights the mass exploitation of a SharePoint vulnerability used by both state-sponsored and criminal actors as an initial access vector. The overlap of attacker types on the same technical weakness reflects a trend observed internationally for two years: the boundaries between cybercrime and state espionage blur at the tactical level, even when strategic objectives differ.
Switzerland’s Office of the Attorney General has been running a criminal investigation since April 2024 into multiple ransomware attacks on Swiss companies between May 2023 and September 2025. Whether the investigation covers Akira-linked cases is not publicly known, but the timeframes overlap.
New Attack Vectors: SMS Blasters, ORB Networks, Deepfake Fraud
Three developments in the report deserve particular attention because they represent qualitatively new threat patterns for Switzerland.
SMS blasters are portable, backpack-sized devices that simulate a mobile antenna and send malicious text messages directly to phones within a radius of up to one kilometre – bypassing the filtering systems of telecom providers. Since summer 2025, such devices have been deployed in Swiss cities. The economic logic is straightforward: Swiss telecoms have become increasingly effective at filtering SMS phishing, so criminals shift to physical proximity. For organisations, this means that SMS-based authentication – already considered the weakest second factor – loses further reliability.
ORB networks (Operational Relay Boxes) consist of compromised IoT devices, routers, and servers that attackers use as relay stations, sometimes renting them out to third parties. BACS observes a continuously growing number of such devices on Swiss networks. ORB networks obscure attack origins and make attribution significantly harder. For security teams monitoring network perimeters, an attack apparently originating from a Swiss IP address may be controlled from anywhere in the world.
Online investment fraud has multiplied fivefold. In the first half of 2025 alone, BACS recorded 3,485 reports in the “advertising for online investment fraud” category, up from 729 in the same period the previous year. The method combines classic social engineering with deepfake technology: fabricated news interviews featuring well-known public figures lend credibility to fraudulent investment platforms. This matters for enterprises because CEO fraud – 970 reports in full-year 2025, up from 719 the year before – relies on the same deepfake tooling and increasingly targets executive teams.
What “Stable” Actually Means
BACS chooses its language deliberately when calling the situation “relatively stable.” Voluntary reports rose only slightly, from 62,954 in 2024 to 64,733 in 2025. Fraudulent threatening phone calls – the single largest category in prior years – declined markedly. On the surface, this looks like stabilisation.
Below the surface, the balance is shifting. Attacks are becoming more individualised, partly through AI. Real-time phishing targets banking applications by intercepting credentials before they expire – a direct assault on multi-factor authentication. “Double phishing” exploits a freshly successful phishing incident to victimise the target a second time by phone. Supply chains face more systematic attack: criminals compromise widely used open-source components because a single manipulated package can infect thousands of downstream applications.
Stability amid rising attacker complexity and professionalism is not the same as security. It means defences have kept pace so far – but with shrinking margin. Anyone who has read the NIS2/ISG analysis of the regulatory requirements facing Swiss organisations knows that compliance density is rising in parallel with the threat. The BACS report provides the empirical foundation for both trends.
What Follows for Decision-Makers
Three operational conclusions emerge from the report for CISOs, boards, and compliance leaders.
First: Patch management is not a hygiene topic but a strategic priority. Akira’s success in Switzerland rests on a known, patched vulnerability. Twenty-six successful attacks by a single group over six months because patches were not applied is a finding that belongs at board level. Organisations that leave responsibility for patch cycles entirely within operational IT, without defined escalation mechanisms for critical vulnerabilities, accept a risk that is now quantifiable.
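As an added illustration of that quantifiable risk (example code written for this piece, not from the BACS report or any Swiss authority), the following Python sketch computes how long each asset ran with an available fix unapplied and maps that exposure to an escalation owner; asset names, advisory ids, dates and thresholds are constructed placeholders.

```python
"""Patch-exposure escalation check (added example; constructed placeholder data)."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Asset:
    name: str
    advisory: str               # placeholder identifier, not a real CVE
    patch_available: date       # date the vendor published the fix
    patched_on: Optional[date]  # None = fix still not applied
    exploited_in_wild: bool     # known active exploitation of this flaw


def exposure_days(asset: Asset, today: date) -> int:
    """Days the asset ran with a fix available but not installed."""
    end = asset.patched_on or today
    return max((end - asset.patch_available).days, 0)


def escalation_level(asset: Asset, today: date,
                     sla_days: int = 14, board_days: int = 90) -> str:
    """Map exposure to an owner: 'ops' within SLA, 'ciso' once the SLA
    is breached, 'board' for long-standing or actively exploited exposure."""
    if asset.patched_on is not None:
        return "closed"
    days = exposure_days(asset, today)
    if days > board_days or (asset.exploited_in_wild and days > sla_days):
        return "board"
    if days > sla_days:
        return "ciso"
    return "ops"


def escalation_report(assets: List[Asset], today: date) -> Dict[str, str]:
    return {a.name: escalation_level(a, today) for a in assets}


# Constructed inventory; the check is run as of RUN_DATE (placeholder values).
RUN_DATE = date(2025, 7, 1)
SAMPLE_ASSETS = [
    Asset("vpn-gw-01", "VENDOR-ADV-2024-PLACEHOLDER", date(2024, 9, 1), None, True),
    Asset("vpn-gw-02", "VENDOR-ADV-2024-PLACEHOLDER", date(2024, 9, 1), date(2024, 9, 10), True),
    Asset("mail-relay", "VENDOR-ADV-2025-PLACEHOLDER", date(2025, 6, 20), None, False),
    Asset("web-portal", "VENDOR-ADV-2025-PLACEHOLDER", date(2025, 5, 1), None, False),
]

if __name__ == "__main__":
    for name, level in escalation_report(SAMPLE_ASSETS, RUN_DATE).items():
        print(f"{name}: {level}")
```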
Second: The mandatory reporting obligation is not a bureaucratic exercise but an early-warning system that works only if internal processes are in place. The ISG’s 24-hour deadline requires that organisations know, before a crisis hits, who reports, through which channel, and with what minimum content. Since October 2025, sanction provisions have been in force: fines of up to CHF 100,000 for non-compliance with a BACS directive. The 325 reports demonstrate that the system is functioning. They do not reveal how many incidents went unreported.
Third: SMS-based authentication and static security assumptions about communication channels need reassessment. SMS blasters, real-time phishing, and double phishing all target mechanisms that many organisations still consider “good enough.” Attackers have disproved that assumption.
A Baseline, Not an All-Clear
The BACS report for the second half of 2025 is the first complete X-ray of Swiss cyber resilience under mandatory disclosure. It depicts a country whose digital infrastructure works but contains gaps that are only now becoming visible – because until this reporting cycle, no one was systematically required to look. The 325 mandatory reports are not a siren. They are a baseline against which future developments will be measured.
Whether the next assessment improves or deteriorates depends on what organisations and government bodies do with these data. The numbers are on the table. The decisions that should follow are not.
Sources: Federal Office for Cybersecurity (BACS), Semi-Annual Report 2025/2, published 30 March 2026; Swiss Information Security Act (ISG) and Cybersecurity Ordinance (CSV); BACS press release, 30 March 2026; Office of the Attorney General of Switzerland, media release on ransomware criminal proceedings.