Good things come to those who wait? Finally, the main implementing regulation for the Austrian Law on Network and Information System Security (Netz- und Informationssystemsicherheitsgesetz, "NISG") was published last week. It serves primarily to define which companies are actually affected by the NISG. Now it is getting serious for the operators of "essential services". What does that mean?
As a reminder: Essential services such as health care, payment transactions, electricity, drinking water supply and distribution as well as public transport play an increasingly important role in today's society and are commonly referred to as "critical infrastructure". At the same time, these services have become increasingly dependent on network and information systems. Online banking, digital patient files in the health sector or digital shopping can hardly be replaced by manual processes. Furthermore, new online services such as cloud computing, online search engines and online marketplaces have become extremely important in our daily lives. Their functioning and availability are potentially threatened by cyberattacks and cybercrime rather than by conventional disturbances.
In our Clarity Talk held on 2.4.2019 we already reported on the most important contents and effects of the NISG, the new Austrian cyber security law. New legal instruments at EU as well as national level serve one purpose above all: IT security. The so-called NIS Directive already stipulates at EU level that operators of essential services must take appropriate and proportionate technical and organisational security measures and are subject to specific incident notification obligations. The Directive already regulates which sectors are affected: As already indicated, the areas concerned are those that, on the one hand, play an important role in the functioning of society or the maintenance of critical economic activities and, on the other hand, are increasingly dependent on network and information systems. This covers, for example, sectors such as energy, transport, banking, health and digital infrastructure. The aim of the EU and national legislators is to take account of the increasing risks posed by attacks on network and information systems as digitalisation progresses. However, the NISG covers all failures and security incidents within network and information systems, regardless of the nature of the triggering event. This is why events such as natural disasters can also lead to notification obligations pursuant to the NISG.
On 17.7.2019, after a long wait, the Regulation on the determination of security measures, containing more information on the affected sectors and incidents under the NISG (Network and Information System Security Regulation or Netz- und Informationssystemsicherheitsverordnung; "NISV"), was published. The regulation fleshes out the NISG, which was initially published on 28.12.2018, and clarifies which critical infrastructure companies are subject to the obligations under the NISG. The Regulation itself came rather late, considering that the transposition deadline for the NIS Directive already ended on 9 May 2018 (!), i.e. more than a year ago.
The NISV announced last week now provides the specific threshold values that are decisive for the classification as an "operator of essential services" and thus for the applicability of the obligations under the NISG. The NISV thus concretises the scope of application of the NISG. To give a few examples:
- The NISV stipulates that in the banking sector the operation of systems providing services that enable cash deposits or withdrawals is considered an "essential service". In the banking sector, an incident qualifies as a "security incident" when, for example, it has been publicly reported or has a potential financial impact of more than five million euro or 0.1 % of the bank's Tier 1 capital. Only credit institutions whose total value of (consolidated) assets exceeds EUR 30 billion qualify as "operators of essential services". By employing this threshold the legislator has re-used the criteria for the classification of systemically important credit institutions.
- In the transport sector, more precisely in rail transport within the general area of infrastructure, the operation of main passenger stations in Austrian provincial capitals, for example, is regarded as an "essential service".
- In the energy sector, more precisely in the field of electricity generation, the operation of a generation plant with a bottleneck capacity of more than 340 MW, for example, counts as an "essential service".
For market participants in the sectors concerned, the NISV constitutes the basis for checking whether they are covered by the NISG as a consequence of exceeding thresholds or fulfilling the specific requirements. In a second step, the existing (IT) security measures need to be documented and reviewed. In addition, the processes enabling compliance with the notification obligations in case of security incidents must be implemented so that the short deadlines (in some cases, an immediate report is required) can be met in the actual event of an emergency. In order to ensure comprehensive compliance, awareness raising through training and internal information is necessary, similar to the effort required for the GDPR implementation.
Finally, good news for those who would like to know more details: Now that the essential regulations have been issued, we were able to send the corrected galley proofs of our NISG commentary to our publisher Manz last week. The publication is aimed at affected providers and operators and provides practical answers to public law and IT-specific issues. The planned publication date is the end of September 2019 (https://www.manz.at/list.html?isbn=978-3-214-09809-4).