Critical Infrastructure in Switzerland: MELANI/NCSC and the Cantonal Maze

NCSC Switzerland, federal-cantonal coordination, SNB and CERN as edge cases. A non-EU but deeply integrated Swiss perspective.

Dr. Raphael Nagel

October 2, 2025

Swiss critical infrastructure protection is not a national regime with cantonal annexes. It is a confederation of regimes that occasionally agree on definitions.

That sentence will offend two audiences. It will offend the federal officials in Bern who have spent the last six years consolidating MELANI's reporting reflex into the National Cyber Security Centre and giving it teeth through the revised Information Security Act. It will offend the cantonal authorities who have built credible response capacity inside their own police corps and emergency services and who do not wish to be described as a maze. Both are right to object, and the description still stands. An operator running a water utility in Aargau, a hospital in Ticino, and a data centre in Zug is not dealing with one Swiss critical infrastructure framework. The operator is dealing with federal expectations, three cantonal interpretations of those expectations, the sector-specific positions of FINMA or BAKOM or the Federal Office of Energy, and the parallel orbit of entities that sit inside Switzerland but outside ordinary Swiss law.

This article is written for operators who must function inside that geometry. It does not pretend the Swiss model is broken. It is not. By most measures it works better than the regimes of larger neighbours. It does, however, demand a kind of literacy that is not transferable from EU-NIS2 thinking, and the literacy is rarely written down in one place.

The NCSC is not a regulator, and that matters

The National Cyber Security Centre, which absorbed and expanded the older MELANI reporting and analysis function, occupies a position that has no clean equivalent in Berlin, Paris, or Brussels. It is part of the Federal Department of Finance, it has a federal mandate, and as of the activation of the reporting obligation under the revised Information Security Act it receives mandatory incident notifications from operators of critical infrastructure within twenty-four hours of detection. That sounds like a regulator. It is not one.

The NCSC does not license, does not fine in the sense that FINMA fines, does not conduct binding audits across sectors, and does not own the sectoral rule-making. It coordinates. It publishes guidance that has the weight of expert consensus rather than statutory obligation. It runs GovCERT, which is one of the most respected national CERTs in Europe by reputation if not by headcount. It maintains bilateral channels with CISA, the BSI, ANSSI, the UK NCSC, and the relevant ENISA structures, and it does this without Switzerland being inside the European Union. The work product of those channels lands in Bern faster than the formal exchange of letters would suggest, because the people involved have been talking to each other for fifteen years.

What this means for an operator is that the NCSC is the first call after a serious incident, and that call is not a regulatory submission. It is closer to a clinical consultation. The NCSC will help triage, will pull threat intelligence from partner agencies, will quietly coordinate with FINMA or BAKOM if the sector regulator needs to be looped in, and will not, in the ordinary case, weaponise what the operator says against them. That trust is the institution's most valuable asset and the reason the reporting obligation was extended without the resistance that similar obligations met in Germany. Operators who treat the NCSC as a regulator and lawyer their disclosures accordingly tend to receive less useful help. Operators who treat it as a counterpart and disclose with technical honesty receive analysis that no commercial vendor can match. The framework rewards candour, which is unusual.

The boundary becomes uncomfortable when an incident touches sectors with their own statutory supervisors. A breach at a systemically important bank involves FINMA, a breach at a telecommunications carrier involves BAKOM and the ComCom, a breach at an energy operator involves the Federal Office of Energy and ElCom. The NCSC sits beside these conversations, not above them, and the operator must manage all of them in parallel. This is where the maze metaphor begins to apply.

Federal frame, cantonal execution

Switzerland's federalism is not a decorative feature of its critical infrastructure regime. It is the regime. Policing is cantonal. Emergency response is cantonal. Hospital regulation is cantonal. Water supply is overwhelmingly municipal, organised under cantonal frameworks. Energy distribution is a patchwork of cantonal utilities, intercantonal cooperatives, and a small number of federally relevant transmission operators. When an incident at a water utility in canton Vaud requires physical response, the response is run by Vaudois authorities under Vaudois procedure, and the federal layer learns about it through the channels that the cantonal authorities choose to use.

This produces three operational realities that an operator must internalise. The first is that a multi-site operator running infrastructure across the linguistic regions will engage with cantonal authorities who differ not merely in language but in administrative culture. Romandie cantons tend toward formalism and written process. The Deutschschweizer cantons vary, with Zurich and Basel-Stadt operating with metropolitan density and the rural cantons operating with the directness of small administrations where the head of the cantonal police knows the operator's security director personally. Ticino operates in a third register entirely, shaped by Italian administrative habits and proximity to Lombard supply chains. None of this is in the legal text. All of it is in the room when the incident occurs.

The second reality is that information flow upward from cantonal to federal level is not automatic. The NCSC receives what the operator reports under federal obligation and what the cantonal authorities choose to share. The cantonal authorities are not statutorily compelled to brief the federal centre on every incident they handle, and the operator who assumes that one call covers both audiences will find that the federal partner is missing context that the cantonal partner held back. The practical answer, for any operator above a certain size, is to brief both deliberately and to keep the briefings consistent. Discrepancies between what the canton learns and what Bern learns will be discovered, and the discovery damages the operator more than either audience.

The third reality is that the cantonal layer is where physical and cyber convergence actually happens. The fire service that responds to a transformer station incident is cantonal. The forensic preservation of compromised industrial control systems, when it requires physical seizure, runs through cantonal police. ISO 27001 control families and IEC 62443 zone definitions are useful vocabulary inside the operator's documentation, but the people who arrive in marked vehicles speak the language of cantonal procedure, and the operator's incident plan must speak it back. The framework that BOSWAU + KNAUER describes in "BOSWAU + KNAUER. From Building to Security Technology", where physical and digital protection are designed as one architecture rather than two adjacent ones, fits this Swiss reality more cleanly than it fits the EU model, because the Swiss model never separated them institutionally in the first place.

SNB, FINMA, and the financial perimeter

The Swiss National Bank occupies a position inside the critical infrastructure conversation that is structurally different from any other operator in the country. The SNB is not supervised by FINMA in the ordinary sense. It is a special-status institution under its own legal foundation, accountable to the Federal Assembly, with operational autonomy that extends to its information security posture. The NCSC engages with the SNB as a peer institution, not as a supervised entity. The SNB's own CISO function operates with resources and access to sovereign threat intelligence that commercial banks do not match.

This creates a layered financial perimeter that operators outside the sector frequently misread. At the top sits the SNB, with the payment systems it operates, including the SIC system that clears Swiss franc payments and that constitutes critical infrastructure by any plausible definition. Beside it sits SIX Group, which operates the Swiss exchange and central counterparty and post-trade infrastructure, supervised by FINMA and the SNB jointly under the Financial Market Infrastructure Act. Below them sit the systemically important banks, designated by the SNB under the Banking Act, with their own enhanced requirements. Below them sit the ordinary FINMA-supervised institutions, with cyber expectations codified in FINMA circulars that draw on NIST CSF 2.0 vocabulary and ISO 27001 controls without binding the institutions to a single framework.

For an operator that interacts with this stack, the practical question is which counterpart sets the cyber expectation that flows back into the operator's own architecture. A payment service provider feeding SIC will inherit SNB-shaped expectations through its sponsor bank. A custodian connecting to SIX will inherit SIX-shaped expectations through its participation agreement. A fintech licensed under FINMA's lighter regimes will inherit FINMA-shaped expectations directly. These are not identical, and the differences matter at the level of incident reporting timelines, third-party risk documentation, and the depth of penetration testing that the counterpart will require. An operator who designs to the strictest of these and offers the documentation upward tends to satisfy all of them. An operator who designs to the lightest and waits to be told otherwise tends to be told otherwise at the least convenient moment.

The SNB's own incident posture is, by deliberate choice, not public in detail. What is visible is that the bank maintains continuous engagement with the NCSC, with the Bank for International Settlements cyber resilience coordination, and with peer central banks on threat indicators that touch the franc payment system. Operators downstream of the SNB will not see this work, but they benefit from it, and they should design their own architectures on the assumption that the threats the SNB sees first will arrive at the commercial layer within months.

CERN, international organisations, and the extraterritorial cases

CERN is not Swiss critical infrastructure in the legal sense, and it is also unavoidably part of any honest description of critical infrastructure in Switzerland. The organisation operates under an international convention, its premises enjoy a degree of inviolability comparable to diplomatic premises, and Swiss law applies to it in a constrained and negotiated way. The NCSC does not supervise CERN. Swiss police do not enter CERN sites at will. Incident response at CERN is run by CERN's own computer security team, which is one of the most technically deep in Europe by any measure, and which cooperates with the NCSC and with peer organisations on its own terms.

The same pattern applies, with variations, to the United Nations bodies in Geneva, the World Trade Organisation, the World Health Organisation, the Bank for International Settlements in Basel, and the dozens of smaller international organisations that have made Switzerland their seat. Each of these sits inside Swiss territory and outside ordinary Swiss law. Each of them runs critical functions whose disruption would have consequences far beyond Switzerland. None of them is captured by the federal critical infrastructure framework in the way a Swiss utility is captured.

For an operator who provides services to these organisations, this matters in two ways. The first is contractual. The international organisation will impose its own security requirements, often drawn from a hybrid of ISO 27001, NIST 800-53, and the organisation's own historical practice. These requirements will frequently exceed what Swiss law would demand and will be enforced through contract rather than through regulation. The operator who treats the contract as the binding instrument and the Swiss legal framework as the floor will avoid surprises. The operator who reverses that priority will discover that the international organisation does not care what FINMA or the NCSC said.

The second way it matters is in incident coordination. A cyber incident at an international organisation in Geneva does not flow into the NCSC's situational picture the way an incident at a Swiss bank does. The organisation may inform the NCSC, may inform its host-state counterparts in the Department of Foreign Affairs, may coordinate with peer organisations through channels that bypass Switzerland entirely, or may handle the incident without external notification. An operator who serves multiple such clients should not assume that the federal Swiss picture and the international organisation picture are connected. They are adjacent, sometimes cooperating, and structurally separate.

What the EU connection actually changes

Switzerland is not a member of the European Union and is not bound by NIS2, the Cyber Resilience Act, DORA, or the related instruments. Swiss operators are nonetheless affected by all of them, because Swiss operators have customers, suppliers, and parent companies inside the EU, because the EU instruments reach extraterritorially through supply chain obligations, and because Swiss law has historically followed EU regulatory developments with a lag and with adaptation rather than ignoring them.

The revised Swiss Information Security Act and the cyber reporting obligation that came into force under it draw conceptually from NIS2 without copying it. The thresholds, the sectors in scope, and the reporting timelines differ, and the differences are not always intuitive. A Swiss operator that is in scope for NIS2 reporting through an EU subsidiary will not be automatically in scope for the Swiss reporting obligation, and vice versa. A Swiss financial institution will face DORA expectations through its EU clients regardless of whether DORA applies to it directly. A Swiss manufacturer of products with digital elements will face Cyber Resilience Act conformity expectations the moment its products are placed on the EU market, irrespective of where they were manufactured.

The practical posture that works is to treat the EU instruments as the upper bound and the Swiss instruments as the binding domestic floor. Operators who design to the EU upper bound find that the Swiss obligations are satisfied as a subset, and that their cross-border supply chain documentation is reusable. Operators who design only to Swiss requirements find themselves rebuilding documentation for EU counterparts at the moment when contract renewal pressure is highest. The cost asymmetry is significant. The architectural cost of designing once to the higher standard is roughly the same as designing once to the lower standard. The cost of designing twice, in sequence, is roughly double.

ASIS International guidance on enterprise security risk management, NIST CSF 2.0 as a structuring vocabulary, and IEC 62443 for any operator with operational technology in the perimeter together form a portable language that satisfies Swiss expectations, EU expectations, and the contractual expectations of international organisations and large counterparts. Building inside this vocabulary is the cheapest path through the maze, even though no single Swiss authority requires it explicitly.

What holds

The Swiss critical infrastructure framework is not a maze because it is poorly designed. It is a maze because it reflects a country in which sovereignty is distributed by deliberate choice, in which institutional trust is high enough to substitute for centralised authority, and in which the seams between federal, cantonal, sectoral, and international jurisdictions are negotiated case by case rather than legislated comprehensively. This produces a system that an outsider finds opaque and that an insider finds workable.

What it asks of an operator is literacy. Not legal mastery, which would require a team of specialists per sector, but the ability to read which counterpart is speaking in which register and to respond in the same register. The NCSC speaks the language of technical cooperation. FINMA speaks the language of supervised risk. Cantonal authorities speak the language of administrative practice that varies by canton. International organisations speak the language of contract and their own internal policy. The operator who can move between these registers without confusion is the operator who functions well in Switzerland. The one who cannot will be functional only as long as nothing breaks.

For operators arriving at this geometry without the years of accumulated relationship that established Swiss players have, the entry point is a structured conversation, not a procurement decision. Path I in the BOSWAU + KNAUER model, the sixty-minute confidential exchange, exists for precisely this kind of opening. It does not commit the operator to anything. It produces an assessment that the operator did not have before, and from there the choice of whether to proceed to a three-to-five-day audit or to leave matters there belongs to the operator alone.

Frequently asked questions

What is NCSC Switzerland?

The National Cyber Security Centre is the federal coordination body for cybersecurity in Switzerland, sitting within the Federal Department of Finance and absorbing the functions of the older MELANI reporting and analysis unit. It runs GovCERT, receives mandatory incident notifications from critical infrastructure operators under the revised Information Security Act, and maintains bilateral channels with CISA, BSI, ANSSI, ENISA, and the UK NCSC. It is not a regulator in the FINMA or BAKOM sense. It coordinates, advises, and shares threat intelligence, and its institutional trust depends on being treated as a counterpart rather than a supervisor.

How do cantons fit?

Cantons execute. Policing, emergency response, hospital regulation, water supply oversight, and most physical incident handling sit at the cantonal level. The federal frame defines obligations and coordination; cantonal authorities apply them with significant variation by region and administrative culture. A multi-site operator across Romandie, Deutschschweiz, and Ticino will engage with three different administrative registers in practice. Information does not automatically flow from cantonal to federal level, which means an operator should brief both audiences deliberately and keep the briefings consistent to avoid discrepancies that damage credibility later.

Is SNB regulated?

Not in the ordinary sense. The Swiss National Bank operates under its own statutory foundation, is accountable to the Federal Assembly, and is not supervised by FINMA. It is a peer institution to the NCSC rather than a supervised entity. The SNB designates systemically important banks under the Banking Act and jointly supervises financial market infrastructures such as SIX with FINMA under the Financial Market Infrastructure Act. Operators that connect to SNB-operated systems such as SIC inherit the bank's cyber expectations through participation agreements rather than through direct regulation, and those expectations exceed ordinary FINMA requirements.

How does CERN work?

CERN operates under an international convention with premises that enjoy a degree of inviolability comparable to diplomatic premises. The NCSC does not supervise CERN. Swiss police do not enter CERN sites at will. CERN's own computer security team handles incident response, cooperating with the NCSC and peer organisations on negotiated terms. The same structural pattern applies to UN bodies in Geneva, the WTO, WHO, and the BIS in Basel. Operators serving these clients face contractual security requirements that frequently exceed Swiss law and that are enforced through contract rather than regulation, with incident coordination running on separate channels from the federal Swiss picture.

About the author

Dr. Raphael Nagel (LL.M.) is founding partner of Tactical Management. He acquires and restructures industrial businesses in demanding market environments and writes on capital, geopolitics, and technological transformation. raphaelnagel.com
