-
The National Test Institute for Cybersecurity NTC contributes to Switzerland's security and digital sovereignty by proactively identifying critical vulnerabilities of digital products and risks of new digital technologies as well as supporting their mitigation.
-
The NTC carries out cybersecurity assessments of networked components and conducts studies and risk analyses with a focus on maintaining Switzerland's security and digital sovereignty. This includes hardware and software used in Switzerland, regardless of manufacturer and geographical origin. Priority is given to testing mandates related to critical infrastructure, public authorities such as the police and the army, and testing of networked components used in large quantities in the Swiss economy and civil society. The association also includes the expertise of the private sector, research and educational institutions in Switzerland and abroad.
-
In Switzerland, many urgently needed cybersecurity assessments of connected infrastructure, devices and applications are not being carried out. These tests are essential for the security of society and the functioning of the economy and public authorities. The independent and non-profit association National Test Institute for Cybersecurity NTC closes the critical gap of missing cybersecurity tests.
- The NTC is a central actor in the implementation of the priority topics of the National Cyberstrategy of the Confederation and the cantons, in particular for the measures M4 "Analysis of trends, risks and dependencies" and M5 "Vulnerability detection and prevention" (available at: https://www.newsd.admin.ch/newsd/message/attachments/76796.pdf).
- With the adoption of the motion «Durchführung dringend notwendiger Cybersicherheitsprüfungen», the Swiss Parliament recognized the existence of critical vulnerabilities in December 2024 (available at https://www.parlament.ch/de/ratsbetrieb/suche-curia-vista/geschaeft?AffairId=20243810 in German, French and Italian).
- The National Cyber Security Centre (NCSC) supports NTC initiative projects:
Such security assessments help to provide secure and available digital services and infrastructures, increase cyber resilience in Switzerland and support the implementation of the National Cyberstrategy (NCS) (NCSC, 2025).
-
The NTC conducts cybersecurity tests for clients (on a mandate basis) and on its own initiative (at its own expense). It offers a range of services to strengthen cybersecurity in Switzerland. These include:
- Technical cybersecurity assessments: Analysis and assessment of the cybersecurity of connected infrastructure, devices and applications.
- Vulnerability analysis: Identification and assessment of critical vulnerabilities, especially in critical infrastructures and widely used technologies.
- Research and studies: Investigating emerging risks and developing innovative security solutions to promote digital sovereignty.
- Advice and knowledge transfer: Supporting public authorities, companies and organizations with expertise, training and best practices.
Priority is placed on cybersecurity assessments focusing on critical infrastructure, public authorities such as the police and army, and networked components used in large numbers in the Swiss economy and civil society.
-
No, the NTC is an independent, non-profit association under Swiss law based in Zug.
-
The activities of the National Test Institute for Cybersecurity NTC are not profit-oriented. It is funded by the public sector, foundations and private contributors, as well as by revenues from cybersecurity testing mandates.
-
The NTC conducts cybersecurity tests on behalf of critical infrastructure operators and public authorities where strict independence and objectivity are required. Any influence on the security tests by product manufacturers, service providers or political and governmental actors is excluded. On its own initiative, the NTC also tests digital products and applications that are not sufficiently tested in Switzerland, whether due to a lack of incentives or legal obligations.
-
Yes, the NTC conducts commissioned cybersecurity assessments of critical infrastructure and public authorities to ensure Switzerland's security and independence. The NTC does not test on behalf of product vendors, manufacturers or service providers in the private sector.
-
In initiative projects, the NTC tests digital products and applications that have not been sufficiently tested in Switzerland, on its own initiative and at its own expense, free of political and economic interests.
-
No. The NTC prepares test reports for specified test periods and deliberately refrains from issuing labels and certificates, as these are valid for a limited time and create false incentives.
-
The NTC pursues three objectives with the responsible disclosure of vulnerabilities:
1. Private disclosure to the manufacturer for quick and proper remediation of vulnerabilities.
2. Public disclosure of vulnerability patterns to prevent recurrence.
3. Warning of vulnerabilities so that users can take their own protective measures, especially if patches are late or missing.
-
Vulnerabilities are usually published on the NTC Vulnerability Hub:
Relevant vulnerabilities can also be published in other publications such as short reports, press releases or newsletters. Most of these publications can be found on the NTC website:
-
In compliance with the legal framework, vulnerabilities and the resulting risks are communicated as follows:
a. Reporting to the responsible party: Identified vulnerabilities are initially reported only to the responsible party (e.g. manufacturer or contractor) with a proof-of-concept exploit ("responsible disclosure"). If the contractor is not responsible, only serious vulnerabilities are disclosed to the contractor without technical details. Disclosure to third parties is made without naming the contractor.
b. Optional publication: In consultation with the contractor, the NTC may publish vulnerabilities with an appropriate level of detail (e.g. on https://hub.ntc.swiss/), but without naming the contractor.
c. Reporting to public authorities: Particularly serious vulnerabilities are reported to the National Cyber Security Centre (NCSC) or the Federal Data Protection and Information Commissioner (FDPIC), also in anonymized form.
d. Test report: Upon completion of the testing assignment, the contractor will be provided with a complete overview of all identified vulnerabilities.
-
In compliance with the legal framework, vulnerabilities and the resulting risks are communicated as follows:
a. Reporting to the responsible party: Identified vulnerabilities are initially reported only to the responsible party (e.g. manufacturer or test partner) with a proof-of-concept exploit ("responsible disclosure"). If the test partner is not responsible, the test partner will only be informed of the existence of severe vulnerabilities without disclosing technical details. Disclosure to third parties is made without naming the test partner.
b. Deadline for rectification: Once the NTC has submitted the notification, the manufacturer is granted 90 days from the time of reporting to fix the vulnerability. If affected third parties are required to take any action to protect themselves, the NTC may grant an additional 30 days once remediation measures are available.
c. Publication of vulnerabilities:
- Fixed vulnerabilities: Public disclosure is made with an extended level of detail upon agreement from the manufacturer (e.g. on hub.ntc.swiss). In the absence of such an agreement, the NTC will publish vulnerability information with a reduced level of detail.
- Vulnerabilities without remediation: Can be published with an appropriate level of detail, but always without naming the test partner.
d. Reporting to public authorities: Particularly severe vulnerabilities may also be reported directly to the Swiss National Cybersecurity Centre (NCSC) and the Swiss Federal Data Protection and Information Commissioner (FDPIC).
e. Test report: Upon completion of the cybersecurity tests, the test partner receives a complete overview of all identified vulnerabilities.
-
If no vulnerabilities are found, no disclosure is made to avoid sending a false signal of security. Vendors who do not receive a vulnerability report should continue to invest in cybersecurity, as the absence of a finding does not mean that vulnerabilities do not exist.
-
Ideally, the NTC is involved in the patch development process. The NTC encourages manufacturers to include the NTC in the process to ensure that patches are correct and complete. Often a source code patch will be proposed that fixes the vulnerability. In cases where a patch is incomplete or incorrect, the NTC will work with the manufacturer to make a correction. In addition, the NTC provides recommendations for code hardening, attack surface reduction, and design improvements, often resulting in structural improvements beyond individual bug fixes.
-
The NTC recommends that organizations establish a Vulnerability Disclosure Policy (VDP) that provides a secure framework for reporting vulnerabilities without legal consequences. One reference for this is "Vulnerability Disclosure" in the OWASP Cheat Sheet Series.
A useful measure is the "/.well-known/security.txt" file on the website, which makes it easier to find the appropriate security contact. Enter the contact details of your security officer in this file, as described in "Security.txt - Enter your security contact details on your website".
-
When conducting vulnerability assessments, several questions arise with regard to possible criminal liability under Swiss criminal law. Nevertheless, the current National Cyberstrategy (NCS) of the Confederation and the cantons aims to institutionalize ethical hacking.
Within the legal framework, the NTC does not perform security tests on operational systems without a declaration of consent.
-
The competence network is a pool of cybersecurity specialists from Switzerland and abroad. The network is contacted by the NTC when additional expertise is required. This ensures that the necessary skills are available and that requests can be processed to the required quality.