While Germany struggles with its KRITIS Umbrella Act and the NIS2 Implementation Act, Switzerland has been operating under its own framework since April 2025: a 24-hour reporting obligation, fines up to CHF 100,000, and nine critical sectors. Yet EU regulation still reaches into Switzerland – through subsidiaries, supply chains, and contractual cascades. A comprehensive overview for Swiss companies that want to know where they really stand in 2026.
The Most Important Clarification First
A “KRITIS Act” in the strict sense does not exist in Switzerland. The term originates in Germany, where the KRITIS Umbrella Act takes effect in spring 2026 and obliges operators of critical facilities to register with the Federal Office for Civil Protection and Disaster Assistance (BBK) by 17 July 2026 at the latest. When people in Switzerland speak of “KRITIS,” they usually mean one of two things: the German law, or – more commonly and more loosely – the regulations for critical infrastructures that in Switzerland are anchored in the Information Security Act (ISG) and its implementing ordinances.
This distinction is not academic. Anyone running a Swiss company who believes they need to align with a German “KRITIS-G” risks planning around a legal reality that does not apply to them. And conversely, anyone who considers the Swiss ISG sufficient overlooks the fact that the EU NIS2 Directive has long reached into Switzerland through supply chain pressure.
What Actually Happened in April 2025
Since 1 April 2025, operators of critical infrastructure in Switzerland have been obliged to report serious cyberattacks to the Federal Office for Cybersecurity (BACS) within 24 hours of discovery. This obligation is enshrined in the revised ISG and specified by the Cybersecurity Ordinance (CSV), which entered into force on the same day.
By February 2026, BACS had received a total of 264 reports of cyberattacks on critical infrastructure under the new mandate. The most affected sectors are public administration, IT and telecommunications companies, and the financial and insurance sectors. Approximately half of all reported incidents involve DDoS attacks, hacking, and ransomware. The technical spectrum mirrors what international threat reports have been showing for years – Switzerland is not experiencing a fundamentally different attack landscape than its neighbours, only one that is now being systematically measured for the first time.
The sanction provisions followed in stages. Articles 74g and 74h ISG, which provide for fines of up to CHF 100,000, only entered into force on 1 October 2025. There is an important nuance here: BACS does not automatically impose a fine for a missed report. The fine is tied to disregarding a formal BACS order, not to the missed deadline itself: only when the agency issues such an order and the company fails to comply with it does the fine become payable. In practice, this means there is an intermediate step during which late reporting is still possible and should be used. Systematic non-reporting or concealment, on the other hand, can be expected to trigger the full sanction.
Who’s Actually Subject to the Reporting Obligation
The ISG defines nine sectors of critical infrastructure, further divided into 27 sub-sectors. The main sectors include energy (electricity, gas, oil), drinking water supply, transport, healthcare (particularly listed hospitals), finance and insurance, public administration at federal, cantonal, and municipal levels, and digital services such as cloud providers and data centres.
What matters in practice are the sector-specific thresholds defined in the CSV. A small local energy supplier typically does not fall under the reporting obligation. An inter-cantonal electricity grid operator does. The detailed regulations are sector-specific and require individual assessment of whether a company is in scope.
Equally important is what is not subject to the reporting obligation. Cyberattacks that have only minor impact on public order, security, the welfare of the population, or the functioning of the economy are explicitly exempted. This “minor incident clause” prevents BACS from being flooded with routine events – but it requires companies to make their own assessment of severity, which can be challenging in the heat of a crisis. That assessment, including the reasons for a decision not to report, should be recorded at the time it is made, so that it can be defended if BACS or an auditor asks later.
How the Reporting Process Actually Works
Reports are submitted via the Cyber Security Hub (CSH), the BACS online platform, or alternatively by email. The CSH grew to around 1,600 members in 2025 and now serves as the central platform for cross-sector incident exchange in Switzerland. A multilingual reporting procedure has been available since April 2025.
The decisive point for companies that have to execute this in practice: the 24-hour deadline starts from discovery, not from when the attack actually began. This provides some flexibility but requires that “discovery” be cleanly documented – who received what information, when, and when that information was classified as security-relevant. After the initial report within 24 hours, there is a further 14-day window to submit any information that was missing from the initial report.
In practice, this is the most difficult moment. When ransomware strikes, organisations operate in crisis mode. The IT team is trying to understand what is happening, external forensic investigators are being mobilised, leadership needs to be briefed, customers may need to be informed. Preparing a timely and formally correct report to the federal government in the middle of this chaos overwhelms organisations that have not defined their incident response processes clearly in advance. Without a pre-defined escalation path and ready-to-use reporting templates, valuable hours are lost.
There is a second pitfall: the BACS reporting obligation does not replace other reporting duties. Data protection breaches still need to be reported to the Federal Data Protection and Information Commissioner (FDPIC) under the Swiss Data Protection Act. Banks and insurers face additional FINMA reporting obligations. BACS does allow forwarding to FDPIC via the CSH platform, but the responsibility for correct multi-agency reporting lies with the company.
NIS2: Why EU Regulation Still Affects Swiss Companies
Switzerland is not directly bound by the NIS2 Directive. Yet the directive still has an effect in Switzerland, through three distinct channels.
First, the national NIS2 implementation laws apply directly to all subsidiaries of Swiss groups in their respective EU member states. A Swiss parent company with German, Austrian, or Italian operations must ensure those operations comply with local NIS2 implementations.
Second, Swiss companies that provide digital services such as cloud computing, DNS, or managed services within the EU may fall directly under the scope of NIS2, regardless of where they are headquartered. The directive’s reach for these service categories is determined by where the service is offered in the EU, not by the provider’s location; a provider without an establishment in the EU is expected to designate a representative in a member state where it offers its services, and that member state’s implementation then applies.
Third – and this is the channel that affects most Swiss SMEs – NIS2 reaches Switzerland through the supply chain. EU companies must ensure the cybersecurity of their entire supply chain and pass NIS2 requirements down to their Swiss suppliers via contract clauses, audit rights, and incident notification obligations. The result: NIS2 is de facto exported into Switzerland through commercial contracts.
A Swiss machinery manufacturer supplying a German automotive corporation will, with high probability, be required to demonstrate an ISO 27001 certified information security management system (ISMS), document its incident response processes, and provide regular penetration testing evidence. Companies that cannot meet these requirements lose contracts to competitors who can.
The German experience illustrates how seriously the matter is being taken. The NIS2 registration deadline in Germany expired on 6 March 2026. Of an estimated 30,000 entities required to register, only around 11,500 had done so by the deadline – approximately one-third. Over 18,000 were missing. The German BSI has announced that the actual consequences are only just beginning.
The Sanction Gap: Switzerland Versus the EU
Here lies one of the sharpest differences between Swiss and EU law. The Swiss ISG provides for fines up to a maximum of CHF 100,000. The EU NIS2 Directive imposes fines of up to EUR 10 million or 2 percent of global annual turnover for essential entities, whichever is higher. For important entities, the upper limit is EUR 7 million or 1.4 percent of turnover. On top of this comes personal liability for executive board members and the possibility for supervisory authorities to temporarily prohibit managing directors from exercising their leadership functions.
For a Swiss company, the implication is straightforward: if a German subsidiary violates NIS2, the sanctions hit the consolidated group revenue, not the Swiss ISG benchmark. Swiss compliance strategy must account for this asymmetry.
Additional Layer for Swiss Financial Services
Swiss banks and insurers are subject not only to the ISG but also to FINMA requirements on operational resilience. FINMA has systematically expanded its requirements in recent years, with increasing focus on third-party risk management and ICT resilience. Swiss banks operating EU subsidiaries or providing cross-border services face additional NIS2 pressure.
The practical consequence: Swiss financial institutions with EU exposure need a triple compliance stack – FINMA circulars, ISG and CSV, plus NIS2 via EU subsidiaries or supply relationships. An integrated ISMS approach based on ISO 27001 is no longer a nice-to-have but the most efficient way to address all three frameworks in parallel, because the controls, evidence and incident processes can be maintained once and mapped to each regulator rather than built three times.
What Swiss Companies Should Do Now
First, clarify scope. Do not assume. Many companies underestimate or overestimate their obligations. Anyone unable to clearly assess whether their business falls under the ISG reporting obligation, whether NIS2 applies through subsidiaries, or whether supply chain clauses are active should conduct a systematic scope analysis – ideally with legal support, because the threshold definitions in the CSV and in national NIS2 implementation laws require interpretation.
Second, define incident response processes before the crisis. The 24-hour BACS deadline and the staged NIS2 timeline – an early warning within 24 hours, a detailed incident notification within 72 hours, and a final report within one month – cannot be met in the moment of crisis if processes are not documented in advance. Concretely: pre-defined escalation paths, named responsible individuals and deputies, ready-to-use reporting templates for CSH and any additional reports to FDPIC or FINMA, a single timeline log that records discovery and every subsequent decision, and rehearsed coordination with external forensic providers.
Third, implement or update an ISMS. An ISO 27001 ISMS is the common foundation that addresses both ISG compliance and NIS2 requirements. Companies without one should begin building one now – the lead time for a certification-ready system typically ranges from six to twelve months. The ICT Minimum Standard recommended by BACS provides a pragmatic entry point for SMEs that have not yet committed to an ISO pathway.
Fourth, engage leadership. Both ISG and NIS2 explicitly shift responsibility for cybersecurity to the executive level. In the EU with personal liability, in Switzerland at least with clear expectations regarding cybersecurity governance. Companies that continue to treat cybersecurity as a pure IT issue ignore the regulatory reality.
Fifth, systematically audit the supply chain. Which EU customers require NIS2 evidence? Which subsidiaries are directly subject to registration? Which contracts already contain cybersecurity clauses that are stricter than Swiss minimum law? This inventory is the prerequisite for any sensible compliance strategy.
The Strategic Reading
In 2026, Swiss companies are caught between two regulatory frameworks: the national ISG focused on critical infrastructure and federal authorities, and the EU NIS2 Directive that reaches into Switzerland through subsidiaries and supply chains. Anyone who only watches one loses sight of the other.
The good news: both frameworks rest on the same foundation. A structured information security management system, clearly defined incident response processes, and an executive leadership that understands cybersecurity as a corporate duty. Companies that have this foundation are prepared for both worlds. Those that do not should not wait further in 2026.
The bad news: regulatory density will not decrease. With DORA for the financial sector, the EU Cyber Resilience Act for hardware and software manufacturers, and the ongoing federal evaluation of the ISG, additional requirements are on the horizon. Cybersecurity will become systematically more expensive in the coming years – but also systematically more important as a competitive factor.
Sources for this article: Federal Office for Cybersecurity (BACS), Federal Department of Defence, Civil Protection and Sport (DDPS), Swiss Information Security Act (ISG) and Cybersecurity Ordinance (CSV), Federal Council message on the ISG revision, EU Directive 2022/2555 (NIS2), national implementation laws in Germany, Austria and other EU member states, German BSI publications on NIS2 registration as of March 2026, NCSC annual report 2025.