The Network and Information Systems Security Act – Obligations of Operators of Essential Services
Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union (NIS Directive) has the aim of achieving a high level of security in networks and information systems EU-wide.
In Austria, the NIS Directive was transposed into national law by means of the Federal Act to Ensure a High Level of Security of Network and Information Systems (Network and Information Systems Security Act, NIS Act / Bundesgesetz zur Gewährleistung eines hohen Sicherheitsniveaus von Netz- und Informationssystemen, NISG), which came into force on 29 December 2018. Individual duties under the NIS Act were laid down in the Ordinance by the Federal Minister for the EU, Arts, Culture and Media laying down security measures and detailed provisions for the sectors and for security incidents under the Network and Information Systems Security Act (Network and Information Systems Security Ordinance – NIS Ordinance / Verordnung des Bundesministers für EU, Kunst, Kultur und Medien zur Festlegung von Sicherheitsvorkehrungen und näheren Regelungen zu den Sektoren sowie zu Sicherheitsvorfällen nach dem Netz- und Informationssystemsicherheitsgesetz (Netz- und Informationssystemsicherheitsverordnung – NISV)).
The NIS Act, in addition to regulating competences, coordination structures and a national strategy, also lays down, among other things, the obligations of so-called operators of essential services. Under the NIS Act, operators of essential services are institutions in Austria that provide an essential service. Essential services are defined as services provided in the sectors specified in the NIS Act (energy, transport, banking, financial market infrastructure, health, drinking water supply and digital infrastructure) that are of major significance for the maintenance of public life and are dependent upon network and information systems.
The legislation specifies that institutions in Austria are not themselves required to determine whether they are “operators of essential services” within the meaning of the NIS Act; rather, the types of entities identified as operators of essential services are determined by an administrative decision of the Federal Chancellor. The administrative decision thus has a constitutive effect for an institution’s capacity as an operator of essential services; upon service of the administrative decision, the NIS Act is applicable to the respective operator and the respective services specified in the administrative decision.
The NIS Act specifies comprehensive obligations for operators of essential services. Each operator of an essential service is required to establish and give notification of a point of contact and to ensure that the operator can be contacted through this point of contact at least during the period in which the operator provides the essential service. Usually this will be 24 hours, seven days a week.
In addition, the operators “must take appropriate and proportionate technical and organisational security measures to ensure the security of network and information systems which they use” in the context of providing the essential service. Security incidents have to be prevented or, if they occur, have to be detected, resisted and eliminated. The NIS Ordinance (esp. Annex 1) contains detailed rules and specifications on security measures. Moreover, the Federal Chancellery has set up a point of contact for NIS Act matters (Anlaufstelle NISG) and prepared so-called NIS Fact Sheets containing further explanations (https://www.nis.gv.at/).
The NIS Act additionally obligates operators of essential services to notify the computer security incident response team (CSIRT) immediately of any security incident, i.e. “any disturbance of the availability, integrity, authenticity or confidentiality of network and information systems which has resulted in a restriction of continuity or a failure of the service operated with significant impact”. The determination of whether the impact of a disturbance is significant enough to be considered a security incident is regulated in the NIS Ordinance.
Institutions identified by administrative decision as operators of essential services would be well advised to obtain legal and technical support for the implementation of measures to fulfil their obligations under the NIS Act, given that infringements of the Act are sanctioned with serious penalties of up to EUR 50,000 or, in the case of a repeat offence, up to EUR 100,000.
Please note: This blog merely provides general information and does not constitute legal advice of any kind from Binder Grösswang Rechtsanwälte GmbH. The blog cannot replace individual legal consultation. Binder Grösswang Rechtsanwälte GmbH assumes no liability whatsoever for the content and correctness of the blog.