Cybersecurity NIS Directive in Austria

Directive (EU) 2016/1148 ("NIS Directive"), which entered into force in 2016, is the first EU-wide legal act on cybersecurity. Its aim is to ensure a common high level of security of network and information systems across the EU, while setting out measures to improve cybersecurity and the functioning of the internal market. It was implemented in Austria at the end of 2018 by the Federal Act for Network and Information System Security (Netz- und Informationssystemsicherheitsgesetz – "NISG").

2. The NISG

The main aspects of the NISG are:

• Determination of national competent bodies and authorities.
• Adoption of a national strategy on the security of network and information systems.
• Obligations of effected entities to take appropriate safety measures and notification requirements.

The NISG applies to (i) operators of essential services, (ii) digital service providers, and (iii) public administration institutions, and lays down certain obligations for these entities.

Responsibility for enforcing is divided between the Federal Chancellor and the Federal Minister of Internal Affairs.

3. Operators of essential services

Operators of essential services are public or private entities with an establishment in the EU active in the following sectors:

1. Energy (electricity, oil, gas);
2. Transport (air, rail, water, road);
3. Banking (credit institutions);
4. Financial market infrastructures (operator of trading venues, central counterparties);
5. Health sector (health care settings, including hospitals and private clinics);
6. Drinking water supply and distribution (suppliers and distributors of water intended for human consumption); and
7. Digital infrastructure (Internet Exchange Points, DNS-service providers, TLD-name registries);

which meet the following criteria:

• provision of a service which is essential for the maintenance of critical societal and/or economic activities;
• the provision of that service depends on network and information systems; and
• a security incident would cause a significant disruption in the availability of that service.

The operators of essential services are determined by administrative decision (Bescheid) and must announce or set up a contact point for NIS communication within two weeks upon delivery of the decision. Operators of essential services must provide proof of appropriate security precautions for their network and information systems at least every three years, whereby the Federal Minister of Internal Affairs may inspect compliance with the requirements at any time one year after delivery. These safety precautions need to be appropriate, must take into account current technologies  and be proportionate to the risks involved.

4. Digital service providers

Digital service providers are legal entities or registered partnerships that offer one of the following digital services within the meaning of Section 3 (1) of the Austrian E-Commerce Act:

• online marketplace¹;
• online search engine ²; or
• cloud-computing services³;

and have their head office in Austria or the EU or have nominated a representative.

Small enterprises with fewer than 50 employees and an annual turnover or balance sheet total of less than EUR 10 million are excluded.

Digital service providers must take appropriate and proportionate technical and organisational security measures with regard to the network and information systems used to provide their digital services. Such security measures must take into account the risks involved and current technologies  as well as the following aspects:

• security of systems and facilities;
• incident handling;
• business continuity management;
• monitoring, auditing and testing;
• compliance with international standards.

Digital service providers are basically free to choose the security precautions they wish to take, provided that the requirements under the NISG are met and an appropriate level of security is guaranteed.

5. Public administration institutions

The NISG further stipulates obligations to take appropriate safety measures and notification requirements for public administration institutions.

6. Single point of contact (SPOC)

A single point of contact for the security of network and information systems (Zentrale Anlaufstelle) will be set up with the Federal Minister of Internal Affairs to enable cross-border cooperation with other EU Member States.

The single point of contact shall (i) forward incoming reports directly to the competent bodies if necessary and (ii) upon request, inform the single points of contact in other Member States when a security incident affects one or more Member States.

7. Incident notification

Incident notifications are regulated individually for (i) operators of essential services, (ii) digital service providers, and (iii) public administration institutions. In the event of a security incident, these entities must immediately report it to the appropriate computer emergency team.  

7.1 Incident notification for operators of essential services

Operators of essential services must immediately report security incidents affecting an essential service to their sector-specific computer emergency team. If no such emergency team has been set up, it must be reported to the state reporting office, GovCERT⁴. The report is then forwarded to the Federal Ministry of Internal Affairs. The report must be transmitted in a standardised electronic format, stating all information relevant to the security incident and the technical framework conditions.

7.2 Incident notification for digital service providers

Digital service providers must immediately report a security incident affecting the digital service they provide to the national computer emergency team. If no national computer emergency team has been set up, the incident must be reported to GovCERT.

8. Administrative penalties and other consequences for companies

Violations of the NISG (e.g. reporting obligation, safety precautions or duties to cooperate) are subject to administrative penalties of up to EUR 50,000 and in the event of repeated violations up to EUR 100,000. The competent authority is the district administrative authority (Bezirksverwaltungsbehörde) at the registered office in Austria, or in the absence thereof, at the registered office of the representative.

In addition to administrative sanctions, the company's reputation may also be affected if the public learns about the security incident. The Federal Minister of Internal Affairs may ask digital services providers to inform the public of a security incident.

9. Conclusion

The NIS Directive and the NISG aim to improve cybersecurity. They stipulate obligations to set up safety measures and incident notification requirements for a wide range of service providers, especially in digital markets and public administration institutions.

Footnotes:

1. An online marketplace allows consumers and traders to conclude online sales or service contracts with traders and is the final destination for the conclusion of those contracts. It should not cover online services that serve only as an intermediary to third-party services through which a contract can ultimately be concluded.
2. An online search engine allows the user to perform searches of, in principle, all websites based on a query on any subject. It may alternatively be focused on websites in a particular language.
3. Cloud-computing services cover services that allow access to a scalable and elastic pool of shareable computing resources.
4. Computer emergency team of the public administration.

authors: Maximilian Nutz and Nina Zafoschnig