The Swiss energy sector is in the midst of digital transformation: electricity grids and gas infrastructure are becoming increasingly interconnected and digitalised. Modern smart grids, remote maintenance systems, and the convergence of IT and OT systems deliver efficiency gains, but also significantly increase vulnerability to cyberattacks. At the same time, the number of reported cyber incidents continues to rise, increasing the overall risk to Switzerland’s energy industry.
These developments were recognised early on, leading to the introduction of federal-level measures such as minimum standards and mandatory incident reporting obligations.
A Shift Towards Mandatory Cybersecurity Measures
Originally, the ICT minimum standard was issued as a recommendation and could be applied voluntarily. This has since changed. For operators of critical energy infrastructure, implementation is now mandatory.
- Electricity supply: Since 1 July 2024, the ICT minimum standard for electricity grid operators has been mandatory. This is based on a revision of the Electricity Supply Ordinance (StromVV), which makes the standard and associated protection levels legally binding.
- Gas supply: Since 1 July 2025, the obligation applies based on the revised Gas Supply Act (GasVG). The Federal Council explicitly defines the ICT minimum standard as a minimum requirement to protect gas networks against cyber risks.
This shift from voluntary recommendations to binding measures underlines the critical importance of energy supply. Regulation makes it clear that basic cybersecurity measures are no longer optional, but a mandatory requirement for every utility operator.
Mandatory Incident Reporting to the National Cyber Security Centre (NCSC)
The National Cyber Security Centre (NCSC) was established in 2024 as the central federal authority for all matters relating to cyber defence and cyber resilience. It sits within the Federal Department of Defence, Civil Protection and Sport (DDPS).
The NCSC fulfils key roles as the national reporting office for cybersecurity incidents, an analysis and early warning body, and the authority responsible for regulation and prevention, including the ICT minimum standards.
A major new development is the mandatory reporting obligation for cybersecurity incidents affecting critical infrastructure, which entered into force on 1 April 2025. Since then, operators of critical infrastructures — including energy, finance, healthcare, telecommunications, transport, and others — must report significant cyber incidents to NCSC within 24 hours of detection.
The transitional period ended on 1 October 2025. From this point onward, violations may result in sanctions. Operators that fail to meet their reporting obligations risk fines of up to CHF 100,000.
Cybersecurity as a Challenge for Energy Companies
The new security standards and requirements present significant challenges for energy companies. Implementing a comprehensive cybersecurity programme affects organisational structures and processes, requires resources, and demands specialist expertise. In many organisations, this expertise is lacking, and teams quickly reach their limits.
Only a small number of individuals in newly assigned security-related roles have the necessary skills or experience to design and implement the required technical and organisational measures to meet regulatory requirements.
Expertise in Information Security Management and Self-Assessments
Rising cybersecurity requirements demand more than just technology and processes; they require skilled professionals capable of carrying these responsibilities. In particular, IT managers, information security officers, and security leads must continuously update their knowledge and cover a broad spectrum, from technical detail to compliance and regulatory topics.
Internationally recognised certifications serve as a quality seal, demonstrating both professional expertise and the capability to design and implement effective information security management systems.
Every organisation should have at least one person trained and certified in information security.
Skills Development and Certifications for Security Leaders
In the Swiss energy sector, building cybersecurity capability often means expanding the roles of employees from traditional IT or OT backgrounds. Certifications provide a structured learning path in this context. Preparation courses teach best practices, establish a shared professional vocabulary, and are applicable across industries.
Certifications also demonstrate to regulators and business partners that qualified cybersecurity professionals are responsible for security within the organisation.
The Association of Swiss Electricity Companies (VSE), in close collaboration with the Zühlke Engineering Academy, offers courses on information security management and information security auditing.