SEC Consult is now also Qualified Body (QuaSte) for Verification of Compliance with the NIS Act


SEC Consult is now also available to its customers as a Qualified Body (QuaSte) for the implementation of the NIS Act. Our audit-experienced employees fully support companies required to provide proof of compliance in fulfilling the requirements in all 11 categories listed in the law.

The EU's NIS Directive from 2016 was implemented in Austria in 2018 in the form of the NIS Act on Critical Infrastructure Protection. This means that, for the first time, there are comprehensive regulations in the area of cyber security at European and national level to ensure a high level of security for network and information systems. The regulation derived from the NIS Act now governs the measures that operators of essential services, providers of digital services and public administration institutions must take to protect against cyberattacks.

The Federal Chancellery (BKA) informs by notice those companies or other entities that have been identified as so-called "operators of essential services". This covers the sectors of energy, transport, banking, financial market infrastructures, healthcare, drinking water supply and digital infrastructures. In addition, so-called "digital service providers" are also affected, i.e., companies that provide digital services in the categories of online marketplace, online search engine or cloud computing services.

The security measures applied to date must be reviewed internally to determine whether they meet the NIS requirements, and any additional resources and other necessary steps must be evaluated and put in place. Operators are required to demonstrate the effectiveness of the technical and organizational security measures taken for their network and information systems to the Federal Ministry of the Interior (BMI) at least every three years, and to report critical incidents without delay.

This is where the Qualified Body 1) (QuaSte) comes in: it checks all measures for their appropriateness and reliability. What a QuaSte is, how to become a QuaSte and what our QuaSte auditors do to support our customers in securing their systems is briefly summarized here.

1) Website only available in German.

QuaSte FAQs

  • What exactly is a Qualified Body (QuaSte)?
    A Qualified Body is a company authorized by the Federal Office for the Protection of the Constitution and Counterterrorism 1) (BVT) to act as an external auditor of all security measures for the protection of critical infrastructure of operators of essential services.

  • Why can’t any service provider take on this task?
    The public must be able to rely on the fact that those critical systems that are essential for the functioning of services of general interest and economic life are adequately protected against cyberattacks. Verifying these safeguards is therefore a highly responsible task, the execution of which requires great knowledge, experience and absolute trustworthiness. Companies wishing to become a QuaSte must prove that they are qualified to do so as part of an accreditation process.

  • How does the accreditation process work?
    After submitting the application, the company receives a unique identifier that must be used in the future when transmitting the evidence. This uniquely identifies the QuaSte and prevents possible misuse. Then, among other things, the company must prove that its own network and information systems are technically and organizationally secure, indicate which tools it uses, and describe the future verification process in detail and in a meaningful way. Once the evidence has been securely submitted to the BMI, the information is checked and, if successful, the company is notified that it may act as a QuaSte.

  • Which requirements must the auditors of a QuaSte fulfill?
    Every auditor must undergo a security check. In this process, their trustworthiness is assessed on the basis of personal data that indicate whether there are any signs that they would carry out cyberattacks themselves. In addition, proof of technical knowledge and relevant professional experience (e.g. through references) as well as any additional training or certifications must be provided.

  • What happens when security deficiencies are discovered?
    In this case, the experts of SEC Consult do what they usually do when they discover vulnerabilities: they propose appropriate measures that are suitable to close the vulnerabilities sustainably. Our employees bring experience from countless security audits and assessments. Equipped with proven analysis tools and always up to date with the latest threats, they are our most important asset in being a reliable partner for our customers.

  • Many organizations, without being legally obligated, also want to prove to their customers on their own initiative that they are trustworthy partners when it comes to cybersecurity - and this applies to organizations of all sizes. What can organizations do that want to voluntarily commit themselves to documenting their diligence and sense of responsibility?
    Of course, we at SEC Consult do not only stand by our customers when acute danger or sanctions are imminent. Our security experts continuously support organizations in their efforts to make their networks and systems more secure. A seal of approval that shows that essential minimum security measures for cyber security have been implemented, and that the topic has a corresponding priority in the respective organization, can offer a decisive competitive advantage.

1) Website only available in German.

How does a review by SEC Consult work?

During the audit, SEC Consult proceeds in five phases - based on ISO 19011. Everything starts with the initialization of the audit. Here, the initial contact with the operator is established and the feasibility of the audit is confirmed. For example, we make sure that we receive sufficient information to perform the audit and that the scope is defined.

In the second phase, the audit is prepared and documented in the audit plan. A precise audit plan is the basis for handling the later steps efficiently and for coordinating with all parties involved on an ongoing basis. Since SEC Consult is also active in the field of standardization, we have first-hand knowledge in defining the corresponding audit catalogs.

In the third phase, the SEC Consult auditors check together with the operator's employees whether the technical and organizational security measures are appropriate and effective.

The results are then documented in an audit report in the fourth phase. In the audit report, we focus primarily on the comprehensibility of the presentation of the audited areas and the methodology used. With the assessment of the report by a second, non-involved auditor, SEC Consult ensures an objective view on the fulfillment of the requirements. This final report is sent to the audited organization and has to be forwarded to the BMI. In the course of this phase, the results are presented and discussed with the employees of the operator, and possible recommendations for action are derived.

The fifth and final phase is the follow-up. In the follow-up phase, the operator remedies any security deficiencies. The rectification is subsequently verified and - if satisfactory - confirmed by SEC Consult.

New Label "Cyber Trust Austria"

With the new label "Cyber Trust Austria" 1), Austria now has an instrument that evaluates certain security measures taken and offers companies a cost-effective, low-threshold way to visibly document their trustworthiness as well. The Cyber Trust Label, which is renewed annually, is based on the cyber risk rating scheme developed by the Kuratorium Sicheres Österreich (KSÖ) in cooperation with KSV1870.

There are two levels, with the basic label also suitable for smaller companies and organizations. The 14 basic security criteria can be implemented by any company with a manageable amount of effort. Compliance with the requirements is assessed on the basis of a validated self-declaration verified by independent experts.

The advanced gold label is aimed at companies and organizations that need or want to meet a higher level of security, such as suppliers of operators of essential services in accordance with §16 of the NIS Act in more critical areas. They can use the quality label to strengthen their position on the market. In addition to the 14 basic requirements mentioned above, there are 11 further criteria to be implemented, which require more intensive preparation. Since the evaluation is carried out by an external audit, this process takes a little more time. The audit must be performed by a qualified auditor with "QuaSte" accreditation. This means that we can also support those companies that are not themselves covered by the NIS Act but have business relationships with operators of essential services.

1) Website only available in German.

About the author

Amir Salkic
SEC Consult
Principal Security Consultant

Amir is a computer scientist with over 13 years of professional experience and a certified NIS auditor. He is responsible for the area of "Information Security Management" and advises national as well as international companies on all aspects of organizational information security. Together with his team, he has already implemented over 350 projects in more than 20 countries on three continents for various industries and different company sizes.