Good things come to those who wait? Finally, the main implementing regulation
for the Austrian Law on Network and Information System Security (Netz- und
Informationssystemsicherheitsgesetz
, "NISG") was published last week. It serves primarily to define which
companies are actually affected by the NISG. Now it is getting serious for the
operators of "essential services". What does that mean?

Good things come to those who wait? Finally, the main implementing regulation
for the Austrian Law on Network and Information System Security (Netz- und
Informationssystemsicherheitsgesetz
, "NISG") was published last week. It serves primarily to define which
companies are actually affected by the NISG. Now it is getting serious for the
operators of "essential services". What does that mean?

As a
reminder: Essential services such as health care, payment transactions,
electricity, drinking water supply and distribution as well as public transport
are playing an increasingly important role in today's society and are commonly referred
to as "critical infrastructure".
At the same time, these services became increasingly dependent on network and
information systems. Online banking, digital patient files in the health sector
or digital shopping can hardly be replaced by manual processes. Further, new online
services such as cloud computing, online search engines and online marketplaces
became extremely important in our daily lives. Their functioning and
availability is potentially threatened by cyberattacks and cybercrime rather
than by conventional disturbances.

In our
Clarity Talk held on 2.4.2019 we already informed about the most important
contents and effects of the NISG, the new Austrian cyber security law. New
legal instruments at EU as well as national level serve one purpose above all: IT security. The so-called NIS-Directive
already stipulates at EU level that operators of essential services must take
special appropriate and proportionate technical
and organisational security measures
and are subject to specific incident notification obligations. The Directive already regulates which sectors
are affected: As already indicated, areas are concerned that, on one hand, play
an important role in the functioning of society or the maintenance of critical
economic activities and, on the other hand, are increasingly dependent on
network and information systems. This covers for example sectors like energy, transport,
banking, health and digital infrastructure. The aim of EU and national
legislators is to take account of the increasing risks imposed by attacks on network and information
systems as digitalisation progresses. However, all failures and security
incidents within network and information systems are concerned, independent of
the nature of the triggering event. This is why impacts like natural disasters
can also lead to notification obligations pursuant to the NISG.

On
17.7.2019, after a long wait, the Regulation on the determination of security
measures containing more information on the affected sectors and incidents
under the NISG (Network and Information System Security Regulation or Netz- und
Informationssystemsicherheitsverordnung
; "NISV"), was published.
The regulation specifies the NISG that was initially published on 28.12.2018
and clarifies who is subject to the obligations under the NISG. The NISV clarifies
which critical infrastructure companies have to comply with the new regulations.
The Regulation itself came rather late, considering that the transposition
deadline for the NIS Directive already ended on 9 May 2018 (!), i.e. more than
a year ago.

The NISV
announced last week now provides for the specific threshold values that are decisive for the classification as an
"operator of essential services"
and thus for the applicability of the obligations under the NISG. The NISV thus
substantiates the scope of application
of the NISG
. To give a few examples:

·        
The
NISV stipulates that in the banking
sector the operation of systems to provide services enabling cash deposits or
withdrawals is considered an "essential
service
". A "security incident" in the banking sector, for
example, is qualified e.g. when there has been public reporting of an incident
or when the incident has a potential financial impact of more than five million
euro or 0,1 % of the bank's Tier 1 capital. Only credit institutions whose
total value of (consolidated) assets exceed EUR 30 billion are eligible as "operators of essential services". By
employing this threshold the legislator has re-used the criteria for the
classification of systemically important
credit institutions
.

·        
In
the transport sector, more
precisely: in rail transport, within the general area of infrastructure, for example,
the operation of main stations for passengers in Austrian provincial capitals is
regarded as an "essential service";

·        
in
the energy sector, more precisely:
the field of electricity generation, e.g. the operation of a generation plant
with a bottleneck capacity of more than 340 MW counts as an "essential service".

For market
participants in the sectors concerned the NISV constitutes the basis to check
whether they are covered by the NISG as a consequence of exceeding thresholds
or fulfilling the specific requirements. In a second step, the existing (IT) safety measures need to be
documented and checked. In addition, the processes for enabling compliance with notification obligations in case of
security incidents must be implemented in order to be able compliance with the short
deadlines (in some cases, an immediate report is required) in the actual event
of an emergency. In order to ensure comprehensive compliance, awareness raising
through training and internal information is necessary, similar to the effort
of the GDPR-implementation.

Finally,
good news for those who would like to know more details: Now that the essential
regulations have been issued, we were able to send the corrected galley proofs
of our NISG commentary to our publisher Manz last week. The publication is
aimed at affected providers and operators and provides practical answers to
public law and IT-specific issues. Planned publication date is end of September
2019
(https://www.manz.at/list.html?isbn=978-3-214-09809-4
).

Axel Anderl, Managing Partner at DORDA
Rechtsanwälte GmbH

Bernhard Müller, partner at DORDA
Rechtsanwälte GmbH

Andreas Zahradnik, partner at DORDA
Rechtsanwälte GmbH

More from DORDA Rechtsanwälte GmbH