3

Is your company ready
for ISA compliance?

Your challenge

The Swiss regulatory landscape around cybersecurity is changing. The Information Security Act (ISA) requires critical infrastructure operators to report cyberattacks to the NCSC within 24 hours or face hefty fines – a tough challenge for organizations already navigating a turbulent cyberthreat environment and one that can strain resources, particularly for SMEs.

EY’s perspective

The ISA is Switzerland’s response to rising cyberthreats – many state-sponsored – targeting critical sectors such as energy, healthcare, finance, transport and telecommunications. With attacks increasing and geopolitical tensions escalating, the government demands greater transparency and accountability.

Aimed at enabling swift response, improving oversight and preventing wider disruptions, the regulation also adds pressure at a time when companies already face growing cyber risks and overlapping compliance duties. For instance, the revised Swiss Data Protection Act (FADP) already mandates breach reporting.

Aside from the financial risk, non-compliance can damage reputations, trigger regulatory scrutiny and disrupt operations. SMEs are especially at risk, often lacking cybersecurity staff or tested response plans. But with the right strategies, companies can turn regulatory pressure into cyber resilience.

Proactive compliance with ISA can position companies as trustworthy, secure partners in a risk-sensitive market.

Cristian Dumitrescu, Partner, Cybersecurity and Managed Services, EY Switzerland

Our recommendations

Develop and test ISA-aligned incident response plans.
Train employees on cybersecurity best practices and incident reporting procedures.
Establish clear communication channels with NCSC and stay up to date on cross-border cyber regulation, such as EU NIS2.

For more information read our online articles