News and developments

The National Regulation on the Security of "NIS" in Austria Should Be of Interest to You

Good things come to those who wait? Finally, the main implementing regulation for the Austrian Law on Network and Information System Security (Netz- und Informationssystemsicherheitsgesetz, "NISG") was published last week. It serves primarily to define which companies are actually affected by the NISG. Now it is getting serious for the operators of "essential services". What does that mean?

As a reminder: Essential services such as health care, payment transactions, electricity, drinking water supply and distribution as well as public transport are playing an increasingly important role in today's society and are commonly referred to as "critical infrastructure".

At the same time, these services have become increasingly dependent on network and information systems. Online banking, digital patient files in the health sector or digital shopping can hardly be replaced by manual processes. Further, new online services such as cloud computing, online search engines and online marketplaces have become extremely important in our daily lives. Their functioning and availability are potentially threatened by cyberattacks and cybercrime rather than by conventional disturbances.

In our Clarity Talk held on 2.4.2019 we already informed you about the most important contents and effects of the NISG, the new Austrian cyber security law. New legal instruments at EU as well as national level serve one purpose above all: IT security. The so-called NIS Directive already stipulates at EU level that operators of essential services must take appropriate and proportionate technical and organisational security measures and are subject to specific incident notification obligations. The Directive already regulates which sectors are affected: as already indicated, the areas concerned are those that, on the one hand, play an important role in the functioning of society or the maintenance of critical economic activities and, on the other hand, are increasingly dependent on network and information systems. This covers, for example, sectors like energy, transport, banking, health and digital infrastructure. The aim of EU and national legislators is to take account of the increasing risks posed by attacks on network and information systems as digitalisation progresses. However, all failures and security incidents within network and information systems are concerned, independent of the nature of the triggering event. This is why events like natural disasters can also lead to notification obligations pursuant to the NISG.

On 17.7.2019, after a long wait, the Regulation on the determination of security measures, containing more information on the affected sectors and incidents under the NISG (Network and Information System Security Regulation or Netz- und Informationssystemsicherheitsverordnung; "NISV"), was published. The regulation specifies the NISG, which was initially published on 28.12.2018, and clarifies who is subject to the obligations under the NISG, i.e. which critical infrastructure companies have to comply with the new rules. The Regulation itself came rather late, considering that the transposition deadline for the NIS Directive already ended on 9 May 2018 (!), i.e. more than a year ago.

The NISV announced last week now provides the specific threshold values that are decisive for the classification as an "operator of essential services" and thus for the applicability of the obligations under the NISG. The NISV thus substantiates the scope of application of the NISG. To give a few examples:

· The NISV stipulates that in the banking sector the operation of systems to provide services enabling cash deposits or withdrawals is considered an "essential service". A "security incident" in the banking sector is qualified, for example, when there has been public reporting of an incident or when the incident has a potential financial impact of more than five million euro or 0,1 % of the bank's Tier 1 capital. Only credit institutions whose total value of (consolidated) assets exceeds EUR 30 billion are eligible as "operators of essential services". By employing this threshold the legislator has re-used the criteria for the classification of systemically important credit institutions.

· In the transport sector, more precisely in rail transport, within the general area of infrastructure, for example, the operation of main stations for passengers in Austrian provincial capitals is regarded as an "essential service";

· In the energy sector, more precisely in the field of electricity generation, e.g. the operation of a generation plant with a bottleneck capacity of more than 340 MW counts as an "essential service".

For market participants in the sectors concerned the NISV constitutes the basis to check whether they are covered by the NISG as a consequence of exceeding thresholds or fulfilling the specific requirements. In a second step, the existing (IT) security measures need to be documented and checked. In addition, the processes enabling compliance with notification obligations in case of security incidents must be implemented in order to be able to meet the short deadlines (in some cases, an immediate report is required) in the actual event of an emergency. In order to ensure comprehensive compliance, awareness raising through training and internal information is necessary, similar to the effort of the GDPR implementation.

Finally, good news for those who would like to know more details: Now that the essential regulations have been issued, we were able to send the corrected galley proofs of our NISG commentary to our publisher Manz last week. The publication is aimed at affected providers and operators and provides practical answers to public law and IT-specific issues. The planned publication date is end of September 2019 (https://www.manz.at/list.html?isbn=978-3-214-09809-4).

Axel Anderl, Managing Partner at DORDA Rechtsanwälte GmbH

Bernhard Müller, Partner at DORDA Rechtsanwälte GmbH

Andreas Zahradnik, Partner at DORDA Rechtsanwälte GmbH