On 30 March 2026, the Swiss National Cyber Security Centre published its semi-annual report covering the second half of 2025. The report is structurally different from all previous editions: for the first time, it incorporates mandatory incident notifications from operators of critical infrastructure alongside the voluntary reports that have formed the basis of Swiss cyber threat intelligence since NCSC's inception. The reporting obligation under the revised Information Security Act entered into force on 1 April 2025. The H2 2025 data represents the first full six-month period in which this obligation was in effect and sanctions for non-reporting were active.
The Mandatory Reporting Data: What the First Full Period Reveals
The six-month results covering April to September 2025 gave an early picture: 164 reports from critical infrastructure operators, with DDoS attacks most frequent (18.1%), followed by hacking (16.1%), ransomware (12.4%), credential theft (11.4%), data leaks (9.8%), and malware (9.3%). The financial sector accounted for 19% of all reports — the highest of any sector — followed by IT at 8.7% and energy at 7.6%.
The H2 2025 report builds on this foundation. Several cases described combined phenomena: ransomware attacks accompanied by simultaneous data leaks, a pattern now described as standard operating procedure by the threat actors responsible. The NCSC explicitly notes that reported ransomware case counts do not reflect damage scale, because attacks are increasingly concentrated on higher-value targets where individual incident costs are substantially larger.
◆ Key Takeaway
The most significant structural change in H2 2025 reporting is not any individual threat category — it is the integration of mandatory critical infrastructure data for the first time. Switzerland now has a legally grounded, systematically collected view of attacks against its most critical systems. The financial sector is the primary target, and the incidents not being voluntarily reported are among the most consequential.
The Voluntary Report Picture: Stable Volume, Rising Sophistication
Across the full year 2025, the NCSC processed 64,733 voluntary incident reports — approximately 2,000 more than 2024. CEO fraud continued its upward trend: 970 reports in 2025, up from 719 in 2024, a 35% increase. Ransomware saw a slight recovery: 104 reports in 2025 versus 92 in 2024. Ransomware attacks are now almost universally coupled with data exfiltration — an organisation that pays the ransom and restores from backup still faces a personal data breach notification obligation under the nDSG if personal data was exfiltrated.
The Geopolitical Dimension
The H2 2025 period coincided with continued escalation in the geopolitical context shaping Switzerland's cyber threat environment. Hacktivist activity linked to pro-Russian and pro-Palestinian groups produced DDoS campaigns against Swiss public infrastructure, including successfully mitigated attacks during the World Economic Forum Annual Meeting and Eurovision Song Contest. Beyond hacktivist activity, the report signals concern about state-aligned threat actors targeting critical infrastructure across European states.
One Year of Mandatory Reporting: The Compliance Picture
By year-end, the NCSC had received 222 total mandatory reports. The sanctions regime took effect on 1 October 2025: operators of critical infrastructure who fail to report face fines of up to CHF 100,000. No enforcement actions have yet been announced, but the NCSC has confirmed it will contact operators where it has evidence that a reportable incident occurred without a corresponding notification. The gap between 222 mandatory reports and the tens of thousands of voluntary reports reflects the narrow legal scope of the mandatory obligation — not a healthy threat landscape.
Operational Implications for Swiss Security and Compliance Teams
- Review your incident classification against the ISA mandatory reporting triggers. Reports must be submitted within 24 hours where an attack threatens critical infrastructure functioning, involves data manipulation or leakage, has remained undetected for an extended period, or involves blackmail. The 24-hour window does not accommodate improvisation.
- Update your ransomware incident response to include nDSG notification assessment. Your incident response plan should include an explicit step assessing whether exfiltrated data constitutes personal data under the nDSG, and whether a notification obligation to the FDPIC is triggered.
- Financial sector organisations: review your geopolitical threat model. With the financial sector accounting for 19% of all mandatory critical infrastructure reports, the H2 2025 data provides empirical grounding for board-level conversations about threat prioritisation.
- Monitor the evolving mandatory reporting scope. The CRA's vulnerability disclosure obligations take effect for EU-facing products on 11 June 2026. Swiss organisations exporting products with digital elements to EU markets are already within scope.
What the H2 2025 Report Signals for H1 2026
The NCSC's characterisation of the threat landscape in H2 2025 — stable in volume, escalating in sophistication and targeting — is consistent with everything observed in the first quarter of 2026. The Interlock ransomware zero-day against Cisco FMC infrastructure, the wave of invoice phishing targeting Swiss companies, the commercial register identity fraud campaign: each represents exactly the kind of precision targeting the H2 2025 report flags as the defining trend.