
How to Report a Data Breach in Switzerland Online (2026)

By Global Law Experts
– posted 3 hours ago

Understanding how to report a data breach in Switzerland online has become a core compliance requirement for every business operating in the country. The revised Federal Act on Data Protection (FADP) obliges controllers to notify the Federal Data Protection and Information Commissioner (FDPIC) “as soon as possible” whenever a personal-data breach is likely to pose a high risk to data subjects. In parallel, the Cybersecurity Ordinance, effective since 1 April 2025, with sanctions enforceable from 1 October 2025, requires operators of critical infrastructure to file an initial cyberattack report with the National Cyber Security Centre (NCSC) within 24 hours of discovery.

This guide walks through both reporting routes, explains the decision thresholds, and provides practical checklists so that data protection officers, CISOs and in-house counsel can act decisively when an incident occurs.

Quick Action Checklist: the First 24 Hours After a Data Breach

When a breach is detected, the clock starts immediately. The steps below should be executed in roughly this order, adapting as circumstances demand.

  1. Contain the breach. Isolate affected systems, revoke compromised credentials, and block the attack vector. Do not shut down systems if forensic imaging is still required.
  2. Activate the incident-response team. Appoint a single incident lead with decision-making authority over communications, legal escalation and technical remediation.
  3. Preserve evidence. Secure server logs, firewall records, access-control logs and email headers before any system changes overwrite them. Maintain chain-of-custody documentation.
  4. Classify the incident. Determine whether personal data has been compromised and, if so, the categories (health, financial, identification), volume and sensitivity.
  5. Assess the “likely high risk” threshold. Apply the FDPIC’s risk-assessment criteria (detailed in a later section) to decide whether FDPIC notification is required.
  6. Check NCSC applicability. If the organisation operates critical infrastructure and the incident involves a cyberattack, prepare an NCSC initial report within 24 hours of discovery.
  7. Draft regulator notifications. Use the templates provided in this guide to prepare initial filings for the FDPIC and, where applicable, the NCSC.
  8. Brief senior management and legal counsel. Confirm the notification plan, approve external communications and instruct external counsel if the breach involves criminal elements, systemic failures or media exposure.

One-sentence regulator summary: “We are writing to notify the [FDPIC / NCSC] of a personal-data breach / cyberattack discovered on [date], affecting approximately [number] data subjects, with containment measures in progress.” Adapt this core statement for press inquiries by adding: “We are cooperating with the relevant authorities and will communicate directly with affected individuals.”

Which Authority Do I Report To? FDPIC vs NCSC

Switzerland’s data breach notification landscape runs through two distinct authorities, each with its own legal basis, scope and deadlines. Choosing the correct reporting route, or recognising that both apply simultaneously, is the first critical decision after classification.

The FDPIC is Switzerland’s data protection authority. Under the revised FADP, a controller must notify the FDPIC when a breach of personal-data security is likely to result in a high risk to the personality or fundamental rights of data subjects. The threshold is “likely high risk,” and the deadline is “as soon as possible.”

The NCSC is the federal cybersecurity centre. Under the Cybersecurity Ordinance effective from 1 April 2025, operators of critical infrastructure must report cyberattacks to the NCSC within 24 hours of discovery. This obligation exists independently of whether personal data is affected; it covers attacks on availability, integrity or confidentiality of critical systems.

Examples of Entities That Must Report to the NCSC

  • Energy suppliers: electricity grid operators, gas network operators, major fuel distributors.
  • Financial institutions: banks, insurance companies, financial-market infrastructure providers supervised by FINMA.
  • Healthcare providers: hospitals, large medical-laboratory networks, cantonal health-data platforms.
  • Transport and logistics: rail operators (SBB and regional), airport operators, major logistics hubs.
  • Telecommunications: licensed telecommunications providers and internet exchange-point operators.
  • Government IT: cantonal and federal IT service providers running critical administrative systems.

When a cyberattack on critical infrastructure also compromises personal data, both the NCSC 24-hour report and an FDPIC breach notification may be required. In that scenario, prioritise the NCSC filing (shorter deadline) and submit the FDPIC notification concurrently or immediately afterwards.

Comparison Table: Data Breach Reporting Requirements Switzerland 2026

| Entity Type | Authority to Notify | Deadline / Notes |
|---|---|---|
| Controller (personal-data breach, likely high risk) | FDPIC, and inform affected data subjects where required | “As soon as possible”; practical target within 72 hours where feasible; notification triggered by the “likely high risk” assessment |
| Processor (security incident affecting controller data) | Notify the controller immediately; the controller decides on FDPIC notification | As soon as possible; processor must inform controller without delay |
| Operator of critical infrastructure (cyberattack) | NCSC (initial report); may also require FDPIC if personal data is impacted | 24 hours from discovery for initial NCSC report; sanctions enforceable from 1 October 2025 |

How to Report a Data Breach Online via the FDPIC Portal: Step-by-Step

The FDPIC provides a dedicated online data breach reporting portal accessible through its official website. Filing online is the fastest route and produces an automatic reference number for follow-up correspondence. Below is a field-by-field walkthrough based on the portal’s current layout.

  1. Access the portal. Navigate to the FDPIC DataBreach reporting page. Select the option to file a new breach notification.
  2. Organisation details. Enter the controller’s legal name, registered address, UID (enterprise identification number) and the name and direct contact details of the designated data-protection contact or DPO.
  3. Breach description. Provide a concise narrative: what happened, when it was discovered, which systems were involved, and the attack vector or cause (e.g., ransomware, misconfigured server, insider access).
  4. Data categories affected. Specify the types of personal data compromised: names, addresses, dates of birth, financial data, health records, biometric data, login credentials or other sensitive categories.
  5. Number of affected data subjects. State the exact number if known, or provide a realistic estimate with the basis for that estimate.
  6. Risk assessment. Explain why the breach is likely to result in a high risk to data subjects. Reference the sensitivity of data, the volume, the probability of misuse and the foreseeable consequences (identity theft, financial loss, discrimination, reputational harm).
  7. Mitigation measures. List the containment and remediation steps already taken and those planned, e.g., password resets, system patches, notification to affected individuals, engagement of forensic specialists.
  8. Communication to data subjects. State whether affected individuals have been or will be notified, the planned timing, and the communication channel (email, letter, public announcement).
  9. Attachments. Upload supporting documents: forensic summary report, internal incident timeline, sample notification to data subjects, and any relevant log excerpts (redacted as appropriate).
  10. Submit and record the reference number. After submission, save the confirmation and reference number. Use this identifier for all subsequent correspondence with the FDPIC.

What “As Soon As Possible” Means in Practice

The FADP does not impose a fixed hour count in the way the EU’s GDPR sets a 72-hour benchmark. Instead, the FDPIC expects controllers to notify “as soon as possible” after establishing that a breach meets the likely high-risk threshold. In operational terms, industry observers expect most Swiss regulators to consider a delay beyond 72 hours as requiring justification. Organisations should aim to complete classification within the first 24 hours and file the initial FDPIC notification within 72 hours. A preliminary report is acceptable; it can be supplemented with additional details as the investigation progresses.

The “Likely High Risk” Test: What Triggers FDPIC Notification

The “likely high risk” threshold centres on a forward-looking harm assessment. The controller must evaluate whether the breach is likely to result in a high risk to the personality or fundamental rights of affected individuals. This is not a certainty test; a realistic probability of significant harm is sufficient.

Factors that push a breach toward the notification threshold include:

  • Sensitive data categories: health records, biometric identifiers, religious beliefs, criminal records, social-assistance data.
  • Volume: breaches affecting thousands of data subjects generally carry higher systemic risk.
  • Identifiability: if the leaked data can be directly linked to identified individuals (name + address + date of birth), the risk of misuse increases.
  • Foreseeable harm: identity theft, financial fraud, discrimination, physical safety risks, or damage to reputation.
  • Data accessibility: data published on the open internet or sold on dark-web forums elevates risk compared with a contained internal exposure.

If, after reasonable assessment, the controller concludes that the breach does not meet the likely high-risk threshold, no FDPIC notification is required, but the incident must still be documented internally, including the reasoning for the negative risk assessment.

NCSC Reporting: the 24-Hour Rule for Critical Infrastructure

Under the Cybersecurity Ordinance effective from 1 April 2025, operators of critical infrastructure in Switzerland must notify the NCSC within 24 hours of discovering a cyberattack. This 24-hour reporting obligation applies regardless of whether the attack succeeded in exfiltrating data; attempted intrusions that could compromise critical systems also fall within scope.

What the 24-Hour Window Covers

The clock starts at the moment the organisation becomes aware of the attack, not when the full extent of the damage is understood. The initial report to the NCSC is deliberately designed to be a brief, factual notification. Detailed forensic findings can follow in subsequent updates. The NCSC expects the initial submission to include:

  • Name and contact details of the reporting organisation.
  • Date and time the attack was discovered.
  • Type of attack (ransomware, DDoS, phishing, supply-chain compromise, etc.).
  • Systems affected or targeted.
  • Immediate containment measures taken.
  • Whether personal data may have been compromised (triggering parallel FDPIC obligations).

The NCSC reporting portal is accessible via the NCSC’s official website. Organisations that fall within the critical-infrastructure scope should pre-register and familiarise their incident-response teams with the portal well before any incident occurs.

Sanctions and Enforcement

The sanctions regime under the Cybersecurity Ordinance became enforceable from 1 October 2025 for certain obligations. Early indications suggest that the NCSC will focus initial enforcement on clear failures to report rather than on borderline classification questions. Nonetheless, businesses in scope should treat the 24-hour window as a hard deadline and err on the side of filing.

Assessment: Is This “Likely High Risk” to Data Subjects?

Before completing a data breach notification to the FDPIC, controllers must work through a structured risk assessment. The table below maps common breach scenarios to the likely regulatory outcome.

| Risk Factor | Example | Notify FDPIC? |
|---|---|---|
| Health records exposed to unauthorised third party | Hospital patient database accessed via unpatched server | Yes: sensitive category, high identifiability, serious foreseeable harm |
| Encrypted backup stolen, encryption key not compromised | Encrypted laptop lost during transport | Likely no: if encryption is robust and the key remains secure, effective risk is low |
| Financial account numbers and names leaked online | CSV file with customer IBAN numbers posted to public forum | Yes: direct financial-harm risk, high identifiability |
| Internal email addresses exposed (no other data) | Marketing list of corporate email addresses disclosed | Likely no: low sensitivity, limited foreseeable harm beyond spam |
| Mass breach of employee HR records | Payroll system compromised; salaries, tax IDs, home addresses exposed for 5,000 employees | Yes: high volume, sensitive categories, clear risk of identity theft |

When the assessment is genuinely borderline, the safer course is to notify the FDPIC. An unnecessary notification carries no penalty, whereas a failure to notify a reportable breach exposes the controller to regulatory scrutiny and potential sanctions. Consulting qualified legal counsel is strongly recommended whenever doubt exists, particularly for incidents involving sensitive data categories, large data volumes, or media attention.

How to Notify Affected Individuals in Switzerland: Timing and Content

Where a data breach is likely to result in a high risk to data subjects, the controller must also notify affected individuals. The FDPIC’s guidance requires this communication to be clear, non-technical and actionable.

A compliant notification to data subjects should include:

  • Nature of the breach. What happened, in plain language.
  • Data categories compromised. Specifically which personal data was affected (e.g., names, addresses, health records, financial information).
  • Probable consequences. A realistic description of potential harms (identity theft, financial fraud, unwanted contact).
  • Protective steps. Concrete actions the individual can take: change passwords, monitor bank statements, activate credit-monitoring services.
  • Contact information. A direct email address or phone number for the organisation’s DPO or incident-response team.

Template: Email Notification to Affected Individuals

“Dear [Name], We are writing to inform you of a data-security incident affecting your personal data. On [date], we discovered that [brief description]. The data involved may include [categories]. We have taken steps to contain the incident, including [measures]. We recommend that you [protective actions]. For questions, contact our data-protection team at [email/phone].”

Template: Public Statement (Where Individual Notification Is Not Feasible)

“[Organisation] has identified a data-security incident affecting [approximate number] individuals. The incident involved [brief description]. Affected persons are advised to [protective steps]. We are cooperating with the FDPIC and have taken immediate steps to secure our systems. Further information is available at [URL] or by contacting [email/phone].”

Evidence and Recordkeeping: What to Collect Before Filing

Thorough documentation serves two purposes: it supports the regulator notification and protects the organisation in any subsequent inquiry or enforcement proceeding. The following evidence checklist should be completed before, or concurrently with, the first filing.

  • Incident timeline. A minute-by-minute (or hour-by-hour) log from initial detection through containment, classification and notification.
  • System logs. Firewall logs, IDS/IPS alerts, authentication logs, VPN access records and database-query logs covering the period of the breach.
  • Forensic report summary. If external forensic specialists are engaged, include their preliminary findings and scope of analysis.
  • Scope of data. A data-mapping exercise confirming exactly which datasets, tables and fields were accessed or exfiltrated.
  • Affected-system inventory. IP addresses, server names, application identifiers and cloud environments involved.
  • Mitigation log. Record of every containment and remediation step taken, with timestamps and responsible personnel.
  • Chain-of-custody documentation. For any forensic images, hard drives or removable media preserved as evidence.
  • Communications log. Copies of all internal escalation emails, regulator notifications, data-subject communications and press statements.

Organisations regulated in multiple jurisdictions (for instance, Swiss businesses that also process data of EU residents) may also need to retain evidence in formats compatible with EU supervisory authority expectations. Consistent, time-stamped documentation is the single most effective protection against allegations of delayed or inadequate reporting.

Cross-Border Issues and Simultaneous Notifications

Many data breaches in Switzerland involve personal data of individuals located in the EU or EEA. Where this is the case, the controller may have parallel obligations under the GDPR, which imposes a 72-hour notification deadline to the relevant EU supervisory authority. Switzerland’s FDPIC notification and the GDPR obligation are separate legal duties; satisfying one does not discharge the other.

Practical steps for cross-border incidents include:

  • Identify all jurisdictions where affected data subjects reside.
  • Determine which EU supervisory authority has lead jurisdiction (usually the authority in the country of the controller’s EU establishment, or where the most data subjects are located).
  • Coordinate the timing of notifications so that no authority learns of the breach first through media coverage rather than a formal report.
  • Engage local counsel in each relevant jurisdiction to confirm specific procedural requirements. For organisations with cross-border data transfer structures, this step is especially important.

Industry observers expect Swiss and EU authorities to increase cooperation on cross-border breach investigations during 2026, making consistent and simultaneous filings a practical necessity rather than merely a legal one.

After Filing: Regulator Expectations and Follow-Up

Once a notification is submitted, neither the FDPIC nor the NCSC treats the matter as closed. Both authorities may follow up with requests for additional information, on-site inspections or meetings with the organisation’s data-protection and IT-security teams.

From the FDPIC, expect:

  • An acknowledgement of receipt, typically within a few business days.
  • Follow-up questions about the scope of the breach, the adequacy of mitigation measures and the content of notifications sent to affected individuals.
  • In serious cases, a formal investigation that may result in recommendations, orders to modify data-processing practices, or public statements.

From the NCSC, expect:

  • A request for a detailed follow-up report once the initial 24-hour submission has been filed.
  • Technical assistance or information-sharing where the attack pattern matches known threat-actor campaigns.
  • Potential escalation to federal prosecution if the breach involves criminal activity.

Maintaining a cooperative, transparent posture with both authorities significantly reduces the risk of adverse enforcement outcomes. Organisations that proactively update regulators with new findings, rather than waiting for inquiries, are generally viewed more favourably.

When to Call Legal Counsel: Practical Triggers

Not every data breach requires external legal support, but several triggers should prompt immediate engagement of qualified data-privacy counsel:

  • Sensitive data categories are involved: health records, biometric identifiers, criminal records or children’s data.
  • The breach affects a large number of data subjects: thresholds vary, but incidents affecting more than a few hundred individuals warrant legal input.
  • Criminal elements are suspected: ransomware demands, extortion threats, insider theft or evidence of organised cybercrime.
  • The breach has cross-border dimensions, triggering notification obligations in multiple jurisdictions simultaneously.
  • Media coverage is likely or has already started: controlling the narrative requires a coordinated legal and communications strategy.
  • Systemic failures are involved: if the breach reveals fundamental weaknesses in the organisation’s data-protection framework, remediation planning benefits from legal oversight.
  • Sanctions exposure exists, particularly for critical-infrastructure operators subject to the Cybersecurity Ordinance enforcement provisions effective from 1 October 2025.

Businesses operating in regulated sectors such as financial services, healthcare and telecommunications, many of which also hold SRO licences or equivalent authorisations, should consider embedding legal counsel in their incident-response protocols by default, rather than treating legal involvement as an escalation step.

Conclusion

Knowing how to report a data breach in Switzerland online is no longer optional knowledge; it is a baseline compliance capability. The dual-track system of FDPIC notification for personal-data breaches and NCSC reporting for cyberattacks on critical infrastructure demands that organisations maintain clear internal procedures, pre-tested templates and trained incident-response teams. With the sanctions regime under the Cybersecurity Ordinance now enforceable and the FDPIC actively monitoring breach-notification practices, early and thorough reporting is both a legal obligation and a reputational safeguard. Businesses that are uncertain about their data breach reporting requirements in Switzerland in 2026 should seek qualified legal advice before an incident occurs, not during one.

Need Legal Advice?

This article was produced by Global Law Experts. For specialist advice on this topic, contact Alexandros Manousakis at Privintelligent Solutions, a member of the Global Law Experts network.


FAQs

How can I report a data breach in Switzerland?

For personal-data breaches likely to create a high risk to data subjects, submit a notification via the FDPIC’s online reporting portal. If your organisation operates critical infrastructure and the incident involves a cyberattack, also file an initial report with the NCSC within 24 hours of discovery.

Use the FDPIC’s dedicated DataBreach reporting portal on its official website. Complete the online form with breach details, data categories, risk assessment, mitigation steps and contact information, then upload supporting documents.

The 24-hour reporting obligation applies to operators of critical infrastructure, including energy, finance, healthcare, transport and telecommunications, upon discovering a cyberattack, under the Cybersecurity Ordinance effective from 1 April 2025.

The FDPIC applies a forward-looking harm test. Consider the volume of data, sensitivity (health, financial, biometric), probability of re-identification and foreseeable material or immaterial harms. If the breach likely creates a high risk, both the FDPIC and affected individuals must be notified.

Processors must notify the relevant controller without undue delay upon discovering a breach. The controller then assesses whether FDPIC notification is required. Processors should document the escalation and retain evidence of timely notification to the controller.

No. The FDPIC uses “as soon as possible” rather than a fixed hour count. However, many practitioners target an initial notification within 72 hours as an operational benchmark. The NCSC imposes a specific 24-hour deadline for critical-infrastructure cyberattack reports.

At minimum: a description of the breach, the categories and approximate number of affected data subjects, probable consequences, mitigation measures taken, a contact for follow-up, and the planned communications to data subjects.

Consider supervisory authorities in every jurisdiction where affected data subjects reside. For EU residents, the GDPR’s 72-hour notification deadline may apply in parallel. Coordinate filings with local counsel to meet all applicable deadlines simultaneously.