In the future, the Network and Information System Security Act (NISG) and the Network and Information System Security Regulation (NISV) will provide a comprehensive legal framework that is intended to regulate cybersecurity for operators of critical services or critical infrastructure in Austria – a good opportunity to take a closer look at the individual requirements contained therein.
In this context, let’s look in more detail at the contents and requirements of the NISG, as well as the related concretizations of the new NISV, from the perspective of information security. In addition to numerous administrative and sector-specific regulations, the appropriate handling of (cyber)security incidents forms a core part of the overall content. However, it is often unclear what topics this requirement actually covers, and even less so how “appropriateness” is to be understood in this context.
To gain a better understanding of the resulting concrete fields of action, one should first address the following questions:
What are security incidents according to the NISG or NISV?
The NISG or the NISV define security incidents as “… a disruption of the availability, integrity, authenticity or confidentiality of network and information systems, which leads to a restriction of availability or to a failure of the service operated with considerable consequences…”. In other words, NISG / NISV security incidents describe serious cybersecurity incidents affecting critical services.
What security incident management requirements are included?
As stated in the NISG §3 Z 2, the “network and information system security (NIS)” to be achieved is described as “the ability to prevent, detect, ward off and eliminate security incidents”. Affected vendors must, therefore, ensure that they not only prevent cybersecurity incidents but also recognize them, react to them and subsequently eliminate them.
What basic obligations do providers have with regard to security incidents?
The following obligations will be imposed on providers of essential services in the future:
- Implementation of appropriate technical and organizational protective measures for their networks and IT systems to prevent security incidents.
- Implementation of appropriate measures for the correct handling of security incidents that occur.
- Reporting security incidents in a timely manner to national or sector-specific emergency teams (e.g. CERT.at, EnergyCERT).
- Regular monitoring of the company’s protective measures and, if necessary, proof of corresponding test reports and findings to the supervisory authorities.
Measures For Appropriate Security Incident Management
One of the most frequently asked questions is that of the concrete protective measures which now have to be implemented under the NISG. So far, no explicit answer has been given, and any attempt at one has mostly referred to other standards (for example ISO 27001). However, Annex 1 of the NISV now changes this, as the legislator uses it to define concrete requirements for the security measures to be implemented.
The NISV describes the following three points as requirements when it comes to measures for the management of security incidents:
- The incident reaction. Providers must ensure that processes are established for a rapid and effective response to emerging security incidents.
- The incident report. Incident reporting must ensure that vendors have implemented processes that allow timely reporting of a security incident that has occurred.
- The incident analysis. Providers must ensure that appropriate incident analysis and evaluation processes are in place so that the specific characteristics of a security incident can be quickly identified, and further decisions made on them.
In summary, providers of important services or critical infrastructures will have to ensure that the appropriate framework conditions are created in the company for the detection, analysis, reporting and reaction to occurring cybersecurity incidents. Since this is only possible if the organizational structures such as roles and processes, as well as the technical tools and professional competencies are available in the company, the practical implementation of these aspects represents a challenge.
As a provider of critical services, the first step is a thorough evaluation of the company’s capacities, processes and competencies. From our activities and support in the defense against security incidents, SEC Consult knows that they always occur at the worst time and require significantly higher capacity, resources, cybersecurity know-how and manpower than is available in regular operation. For many providers of important services, it makes sense to secure these capacities and manpower for the event of an emergency via provisioning contracts, to be able to respond quickly and purposefully.
If you find yourself, in particular as a provider of a substantial service, potentially the subject of the NISG or NISV regulations, you will face numerous exciting challenges. All in all, the new framework conditions are an important step in the area of cybersecurity in Austria, especially when it comes to the protection of critical infrastructure.
However, the implementation of the specific contents can be quite a complicated and lengthy undertaking, especially if a company has hardly any experience in this area. The use of and cooperation with external specialists can be a good way to counteract these difficulties. You then have the advantage of being able to build on existing expertise and a comprehensive knowledge base.
As a long-standing expert in the field of information security and the handling of cybersecurity incidents, SEC Consult is known to be a reliable partner. Through the SEC Defense partnerships we offer, we already support numerous enterprises, as experts in the treatment of security incidents and digital forensics, in the successful handling of arising incidents. We always ensure that we comply with all regulatory requirements – such as the NISG – and can therefore ensure a high level of compliance for our partners right from the start.