In its unanimous judgement in the Puttaswamy case in 2017, the Supreme Court declared the right to privacy a fundamental right. After a meandering course of preparation, drafting of the bill, joint parliamentary committee scrutiny, etc., the statute came into being in 2023 as the Digital Personal Data Protection Act 2023. The agony has still not ended: the draft rules were published in early 2025 and have yet to be finally approved. God knows when the wait will be over and a functional data protection regime will begin. Thus there is no legal mandate even today for reporting of cyber hacks / attacks.
As the truism goes, getting hacked is the new normal, yet the law, by its absence, has allowed it to go unreported. While reporting is becoming mandatory in one country after another, critical infrastructure needs to be viewed differently because of the nature of the damage and the debilitating impact it has on the economy. Behind every critical infrastructure there is a critical information infrastructure which broadly runs it. If that is hacked, the consequences can spiral depending on what has been attacked and how intensely. Switzerland has thus decided to deal with it squarely.
Operators of critical infrastructure will be legally required to report cyber attacks to the country’s authorities. The cyber reporting mandate was introduced on March 7. It would go in as an amendment to the Information Security Act (ISA) of Sept 2023 and would come into force on April 1, 2025. From this date, critical infrastructure operators in Switzerland will have to report cyber attacks to the National Cyber Security Centre (NCSC) within 24 hours of discovery. When will the reporting mandate apply? The conditions that trigger it are made crystal clear.
An attack has to be reported if it threatens the functioning of critical infrastructure, has resulted in the manipulation or leakage of information, or involves blackmail, threats and coercion. Its utility and proactive impact cannot be denied by anybody, given the increasing threat surface. It would help improve the cyber security stance / posture of operators, as they would be left with no choice. An initial report of the incident has to be provided within 24 hours and the complete report in 14 days. Operators who fail to report a cyber attack will have to pay fines, though the exact amount is not specified. Switzerland follows in the footsteps of Australia, the EU, Japan, Singapore, South Korea, the UK and the US. Does India not understand its criticality? How long will we have to wait?
CYBER ATTACKS ARE STILL SUPPOSED TO BE OF A DIFFERENT PLANET IN THIS COUNTRY.
Sanjay Sahay
Have a nice evening.