
NIS-2 – Taking cybercrime resistance to the next level

Protecting critical facilities and increasing their resilience to cybercrime is also a priority for the EU. To promote this protection and the associated harmonization, an EU-wide cybersecurity regulation in the form of the "NIS Directive" was adopted in 2016 on the basis of the 2013 cybersecurity strategy. Its aim is the highest possible level of security for network and information systems.

Recent successful cyberattacks at home and abroad show how dependent our society is on critical service facilities and how important it is to protect them against cybercrime. The consequences of such attacks range from the shutdown of gas pipelines and hospitals with a limited capacity to act through to the shutdown of large dairy plants.

Network and information security: What does it involve?

The NIS Directive on network and information security focuses primarily on the capability to prevent security incidents, to detect them as such when they occur, to fend them off and to remedy their consequences. It is thus closely related to the concerns of data protection legislation, i.e. the GDPR's protection of personal data.

Its main objectives are

  • strengthening cooperation between member states and requiring each of them to designate national competent authorities and computer security incident response teams (CSIRTs) that assist affected parties in the event of an incident,
  • obligating certain private and public providers that are essential for the common good to take appropriate security measures, and
  • obligating those providers to report significant incidents without undue delay.

The directive applies to operators of essential services in the energy, transport, banking, financial market infrastructure, healthcare, drinking water supply and digital infrastructure sectors, as well as to certain providers of digital services.

The NIS Act (NISG) of 2018 as well as the associated NIS Ordinance (2019) and industry standards form the basis for national implementation of the directive in Austria.

Those affected include

  1. Operators of essential services.

These are private or public entities that provide a service essential to maintaining critical activities and for which a security incident would cause a significant disruption in the provision of that service.

About 150 companies are affected throughout Austria, identified on the basis of a defined catalog of criteria or the attainment of various threshold values. They were informed by notice from the Federal Chancellery that they have to take certain minimum security measures based on (inter)national ICT security standards and cybersecurity best practices (summarized in a "mapping table"). Every three years they have to provide defined documentation, in the form of certifications of the security precautions implemented for their network and information systems, or pass audits by qualified bodies. The Federal Ministry of the Interior (BMI) has the authority to conduct audits and make recommendations at any time.

Affected operators are obliged to report security incidents without undue delay to the responsible computer emergency response team (in Austria: the competent CERT).

  2. Providers of digital services in the following categories: online marketplaces, online search engines and cloud computing services. Micro and small enterprises (fewer than 50 employees and an annual turnover or balance sheet total not exceeding EUR 10 million) are exempt.

Although they are not issued notices from the authorities ordering them to take specific measures, they must independently take suitable and proportionate technical and organizational measures (TOM), i.e. implement security precautions on their own responsibility. The BMI only carries out an audit if there is reason to do so and can make recommendations.

Digital service providers are obliged to report without undue delay any security incident with a substantial impact on the provision of their service; this obligation applies to the extent that they have access to the information needed to assess the impact of the incident.

Risks or incidents can also be reported on a voluntary basis.

Fines of up to EUR 50,000 can be imposed for non-compliance with reporting obligations, security precautions or cooperation obligations.

Please note: a "security incident" is a disruption of the availability, integrity, authenticity or confidentiality of network and information systems (NIS) that leads to a failure or reduced availability of the service concerned with considerable effects, judged by the number of affected users, the duration, the geographic spread and the economic/societal impact.

NIS-2: the continuation

The new NIS-2 Directive, proposed by the European Commission in December 2020, is intended to replace the current NIS Directive on the basis of a new cybersecurity strategy (which also supports European industry in developing its own cybersecurity solutions and is thus intended to reduce dependence on non-European providers). Building on the experience gained with the current NIS Directive, it carries over the latter's content while aiming to further boost the resilience of critical infrastructures.

The following sectors are covered as "essential entities" under the draft: energy, transport, banking, financial market infrastructures, healthcare, drinking water, wastewater, digital infrastructure, public administration and space. The draft additionally designates further sectors (such as postal and courier services, waste management, chemicals, food, manufacturing and digital providers) as "important entities" with somewhat lighter obligations.

Compared to the existing NIS Directive, the current draft significantly expands the scope of application and places higher security requirements on companies, while explicitly addressing the security of supply chains and the relationships between providers. The draft also provides for more rigorous and more detailed reporting requirements in some cases, as well as stricter supervisory measures and enforcement rules.

In its current form, the new directive would have significant consequences for Austria: the number of companies and facilities affected and the scope of their obligations (e.g. with regard to risk management measures, notifications, certifications, etc.) would increase dramatically and, owing to the associated expenditure, would have significant economic consequences, in particular for small and micro enterprises.

The draft of the NIS-2 Directive is currently being intensively discussed and coordinated with the member states. Based on the feedback received to date, the final directive is expected to be "toned down" somewhat compared to the draft. It is nevertheless evident that it will in any case considerably expand the content of the current NIS Directive.

What should companies do now?

This is why we strongly recommend that even companies not (yet) covered by the NIS Directive address the security of their network and information systems. A risk analysis, in particular along the priority areas set out in the existing NIS Ordinance, is a good basis for further measures. Companies that have already dealt thoroughly with these issues are well positioned for any future requirements.

The security measures specified in the existing NIS Ordinance of 2019 to ensure network and information security comprise technical and organizational measures in the following areas:

  1. Governance and risk management
  2. Interactions with service providers, suppliers and third parties
  3. Security architecture
  4. System administration
  5. Identity and access management
  6. System maintenance and operation
  7. Physical security
  8. Incident detection
  9. Incident management
  10. Operational continuity
  11. Crisis management

The results of the risk analysis carried out as part of risk management (point 1) form the basis for the measures to be taken in the other areas.

ResultONE has extensive expertise and experience in the priority areas listed above and can support you in each of them. In cooperation with our partners from academia, we can also provide in-depth, up-to-date specialist knowledge on a wide range of subjects.

Get in touch with us today!

Questions?

Call us: +43 676 3456 340 or +43 676 3456 342.