Network and Information Systems Security (NIS)

With the passing of the NIS Act (NISG), the Austrian Federal Government requires a high security level of network and information systems in the area of critical infrastructure. As a Qualified Body (QuaSte), SEC Consult is available to all verifiable organizations for the verification and implementation of the requirements listed in the NIS Act. 

Verification and proof by SEC Consult

With the NIS Act (NISG), the Austrian Federal Government requires a high security level of network and information systems, the effectiveness of which has to be proven by qualified bodies in regular intervals of three years. If you have been identified as a organization that is required to provide evidence, SEC Consult experts are available to you as a qualified body for verification and evidence.

Competence confirmed by the Ministry of the Interior

As a Qualified Body (QuaSte), our competence has been tested and confirmed by the Federal Office for the Protection of the Constitution and Counterterrorism (BVT). Our experts enable a competent assessment of your network and information systems and provide information about the current security level.

High acceptance due to standardized safety processes

Our tested, standardized test processes deliver high-quality test results and fully documented test reports. This ensures a high level of acceptance by authorities (obligation to provide evidence).

Peace of mind thanks to expert knowledge

Our SEC Consult experts have experience from countless security audits and are optimally networked. This gives you a high degree of certainty regarding the fulfillment of NIS requirements.

SEC Consult supports you as a Qualified Body (QuaSte) with:


  • Standardized testing processes as QuaSte
  • Competent, BMI-certified and approved NIS examiners
  • Complete documentation of the tests performed

Further information on the function of a Qualified Body (QuaSte)

A Qualified Body is a company authorized by the Federal Office for the Protection of the Constitution and Counterterrorism (BVT) to act as an external auditor of all security measures for the protection of critical infrastructure of operators of essential services, providers of digital services and federal facilities.

The public must be able to rely on the fact that those critical systems that are essential for the functioning of services of general interest and economic life are adequately protected against cyberattacks. Verifying these safeguards is therefore a highly responsible task, the execution of which requires great knowledge, experience and absolute trustworthiness. Proof of being qualified to do so must be provided by companies wishing to become a QuaSte as part of an accreditation process.

In the review, SEC Consult proceeds in five phases - based on ISO 19011. 

First phase
The first phase starts with the initialization of the audit. Here, the initial contact with the company subject to verification is established and the feasibility of the verification is confirmed. 

Second phase
In the second phase, the inspection is prepared and documented in the inspection plan. This is the basis to efficiently handle the later steps and to continuously coordinate with all parties involved. As SEC Consult is also active in the field of standardization, we have first-hand knowledge in defining the relevant test catalogs.

Third phase
In the third phase, the SEC Consult auditors check together with the employees of the company, which is obliged to provide evidence, whether the technical and organizational security measures are appropriate and effective. 

Fourth phase
The results are then documented in the fourth phase in an audit report. In the audit report, we place particular emphasis on the comprehensibility of the presentation of the audited areas and the methodology used. With the assessment of the report by a second, non-involved auditor, SEC Consult ensures an objective view on the fulfillment of the requirements. In the course of this phase also the presentation of results takes place, in which we present the results of the audit and discuss them with the employees of the concerned party or derive possible recommendations for action.

Fifth phase
Post-treatment is the fifth and final phase. In the post-treatment phase, the audited company corrects any security deficiencies. The rectification is then verified by SEC Consult and - if satisfactory - confirmed.

In this case, the experts of SEC Consult do what they usually do when they discover vulnerabilities. They propose appropriate measures that are suitable for closing the vulnerabilities in the long term. Our employees bring in experience from countless security audits and assessments. Equipped with proven analysis tools and always up to date with the latest threats, they are our most important asset in being a reliable partner for our customers.

Talk to one of our experts

If you have any further questions get in touch with one of our specialists.