Cybersecurity Briefing
An operator in a high-visibility vest looks for their sector in the sector catalogue of Art. 74b ISG; behind them, a clock set to 24 hours.

Are you in the catalogue? Art. 74b, not the incident, determines the ISG reporting obligation

The 24-hour reporting obligation under the revised ISG is in force and has carried criminal sanctions since October 2025. For most companies, however, an earlier question remains open: does the sector catalogue in Art. 74b ISG even cover them? Answering it takes a self-assessment that few non-financial businesses have ever conducted formally.

Dr. iur. Servatius von Tatzenberg

Since 1 April 2025, operators of critical infrastructure have been required to report notifiable cyber-attacks to the Federal Office for Cybersecurity (BACS) within 24 hours of detection. The deadline is set out in Art. 74e of the Information Security Act (ISG); the fine of up to CHF 100,000 has applied since 1 October 2025 under Art. 74h ISG. We have covered the mechanics of reporting and who faces the sanction in an earlier piece. The question most companies have yet to answer is the threshold one: does Art. 74b ISG even bring them within the class of organisations subject to the reporting obligation?

Art. 74b ISG defines scope through a sector catalogue. Anyone who reads “finance” as the filter misreads the provision. The catalogue maps broadly onto the nine critical-infrastructure sectors and their roughly 27 sub-sectors: energy, water supply and waste management, transport, health, finance and insurance, public administration and security, digital services including cloud and data-centre operators, food supply, and others. A regional energy supplier falls within it, as does a logistics company, a hospital group, a cantonal utility. None of them is a bank, and none has the reflex to look for themselves in the ISG.

Being in a sector is not enough, however. Art. 12 of the Cybersecurity Ordinance (CSV) sets qualitative criteria and quantitative thresholds that vary by sector. Pharmaceutical companies with fewer than 50 employees and annual turnover or a balance-sheet total below ten million francs are exempt — other sectors apply different criteria (Bratschi on Art. 12 CSV). For banks, insurers, and financial market infrastructures, Art. 12 CSV provides no such exemption; they report without a threshold. Self-assessment therefore has two steps: sector under Art. 74b ISG, then threshold under Art. 12 CSV.

The penalty provision itself shows why the assessment “we are probably out” is not enough. Art. 74h ISG does not penalise a late report as such, but rather ignoring BACS after it has set a deadline twice (Art. 74g ISG). Scope is therefore ultimately determined by the authority, not the operator. An operator who considers itself exempt and is viewed differently by BACS will find out when the first deadline arrives, and “we assumed we were out” is a weak answer at that point. There is a further consideration: Art. 74h ISG directs the fine at the responsible natural person.

The task for Monday, then: conduct and document the self-assessment formally. Map your activities against the nine sectors and the thresholds under Art. 12 CSV, record the outcome — including a reasoned “not subject to reporting” — and, if you are covered, register in BACS’s Cyber Security Hub. What remains open is how broadly BACS will read the catalogue at the margins: the SaaS provider that is not a conventional cloud operator, the supplier embedded in a critical supply chain. That will be settled by practice, not by the text — by the first deadlines that BACS issues under Art. 74g ISG against operators who believed they were exempt. Until then, a documented self-assessment is the only defensible position.