The guide on the reporting obligation for cyber attacks, published today by the Swiss FS-CSC, is intended to provide financial institutions with guidance and support them in implementing the obligation in practice. In this interview, Corinna Eschbach, Legal Counsel & Association Manager at Swiss FS-CSC, and Sandra Dobler, Legal Advisor for IT Law at Banque Lombard Odier & Cie SA, who head the Regulation & Compliance Chapter, provide insights into the creation of the guide and the collaboration within the chapter.

What inspired the creation of a guide on reporting obligations?
Corinna Eschbach: The catalyst was the introduction of the reporting obligation under the Cybersecurity Ordinance in April 2025. This has led to new requirements for financial institutions in Switzerland that must be implemented in a very concrete manner in practice. Given the variety of reporting obligations, it was important to us to support our members and provide guidance.
Sandra Dobler: Exactly. Due to the various reporting obligations to the NCSC, the FDPIC and FINMA, many institutions were faced with similar questions: What exactly is subject to reporting? What information must be provided? How does the process work? The guide is intended to provide greater clarity and a well-arranged outline of the processes.

What was your approach to developing the guide?
Sandra Dobler: We discussed the topic in the Regulation & Compliance chapter before delving deeper into it in a smaller working group. We considered it important to incorporate different perspectives from the financial sector.
Corinna Eschbach: The process was iterative. First, the relevant legal and regulatory requirements were compiled systematically, and then presented in a structured format. A key objective was to translate this complexity into a practical format – particularly in the form of a summary table and a checklist to serve as practical working aids.

What were the biggest challenges during the drafting process?
Corinna Eschbach: A key challenge was striking a balance between providing a clear, practical presentation and ensuring the necessary accuracy, particularly given the varying legal and regulatory requirements. The guide is intended to provide guidance without establishing self-regulation. Rather, the aim is to present the existing legal and regulatory practice regarding reporting obligations in Switzerland in a transparent and structured manner.
Sandra Dobler: On top of this, standardization was an issue: the member institutions of Swiss FS-CSC are organised differently and work with various processes. Therefore, developing a guide that offers added value for everyone was a demanding task. The challenge was to devise a balanced and practical presentation.

What is the overarching aim of the guide?
Sandra Dobler: Our aim is to provide greater guidance and comparability. This should make the various requirements more transparent and easier to manage in practice.
Corinna Eschbach: It’s also about efficiency: particularly when it comes to reporting, distinct structures are crucial to ensuring the reporting obligations are met efficiently.

What was your experience of working together in the chapter and the working group?
Corinna Eschbach: Very constructive and committed. The members are highly knowledgeable and willing to share their expertise. This is a major strength of the Swiss FS-CSC.
Sandra Dobler: I found the work to be very practical. The discussions were concrete and closely focused on real-world issues. This is precisely what makes such formats valuable – together we arrive at actionable results more quickly.

About the Regulation & Compliance Chapter
The Regulation & Compliance chapter is an interdisciplinary group of experts, including legal experts and cybersecurity specialists, who monitor and assess relevant cyber regulations in both national and international contexts.