
BACS (Federal Office for Cybersecurity)

Switzerland's federal cybersecurity authority (Bundesamt für Cybersicherheit), responsible for national cyber threat monitoring, incident coordination, and the mandatory 24-hour reporting requirement for critical infrastructure.

The BACS (Bundesamt für Cybersicherheit, formerly NCSC) is Switzerland’s federal authority for cybersecurity. It coordinates the national response to cyber threats, publishes threat intelligence, and since April 2025 enforces mandatory incident reporting for critical infrastructure operators.

What the BACS Does

  • Threat monitoring: Tracks cyber threats affecting Switzerland and publishes regular situation reports.
  • Incident coordination: Supports organizations during active cyberattacks, particularly ransomware incidents and data breaches.
  • Vulnerability disclosure: Operates a coordinated vulnerability disclosure program for Swiss organizations.
  • Public awareness: Runs campaigns to improve cybersecurity awareness among businesses and individuals.
  • Reporting portal: Provides the official platform for mandatory and voluntary incident reports.

The 24-Hour Reporting Requirement

Since April 2025, operators of critical infrastructure in Switzerland must report cyberattacks to the BACS within 24 hours. This applies to:

  • Energy, water, and transport providers
  • Financial institutions (alongside FINMA requirements)
  • Healthcare organizations
  • Telecommunications providers
  • Federal and cantonal administrations

A ransomware attack, exploitation of a zero-day vulnerability, or any incident that threatens essential services triggers this obligation.

BACS vs. nDSG Reporting

The BACS reporting requirement (based on the ISG/ISA, Informationssicherheitsgesetz) is separate from the nDSG breach notification to the EDÖB. They cover different triggers:

  • BACS: Cyberattacks on critical infrastructure (24-hour deadline)
  • EDÖB under nDSG: Data breaches involving personal data (report “as soon as possible”)

An incident can trigger both obligations simultaneously: a ransomware attack on a hospital that exposes patient data requires notification to both the BACS (infrastructure attack) and the EDÖB (personal data breach).

Why Non-Critical Businesses Should Care

Even if your organization isn’t classified as critical infrastructure, the BACS is a valuable resource:

  • Their weekly threat reports highlight active campaigns targeting Swiss organizations
  • They publish recommended security configurations and best practices
  • Voluntary incident reports help build the national threat picture
  • If your business is part of a critical infrastructure supply chain, your security posture affects your clients’ compliance

Related Terms

  • nDSG (New Data Protection Act)
  • Ransomware
  • Zero-Day