The "Internet of Things" is already a reality; by 2020, dozens of billions of networked digital devices are expected in the EU. Security incidents such as technical malfunctions and viruses can seriously affect today's IT systems. Such network and information security incidents (NIS incidents) are becoming more common and increasingly difficult to control. In addition, the cost of cyberattacks to the global economy is estimated at around 490 billion euros a year.
To tackle the growing threat of cyberattacks and seize the opportunities of the new digital age, the European Union wants to strengthen its cybersecurity regulations. At its meeting on 19 and 20 October 2017, following the European Commission's proposal for a reform package in September, the European Council therefore decided to call for the adoption of a common approach to cybersecurity in the EU.
This reform is based on the Network and Information Security (NIS) Directive as part of the EU cybersecurity strategy.
Among the new initiatives foreseen in the proposal are:
- the establishment of a stronger EU cybersecurity agency,
- the introduction of an EU-wide cybersecurity certification system,
- the rapid implementation of the NIS Directive.
Cybersecurity reform is seen by EU leaders as one of the key points on the way to completing the EU Digital Single Market.
During Austria's EU Council Presidency in the second half of 2018, cybersecurity was a priority. Austria would implement the NIS Directive in its own cybersecurity law (working title: Network and Information System Security Act - NISG), which also incorporates elements from the Austrian Strategy for Cybersecurity (ÖSCS) and results from various working meetings with representatives of industry and science.
Key points of the NISG are:
- Defining/implementing a national strategy for the security of network and information systems
- Security requirements and reporting requirements for operators of essential services and digital service providers
- Establishment of national organisational and coordination structures
- Tasks and requirements for computer emergency teams
- Creation of legal bases for the processing of personal data (for example IP addresses), in particular in the context of handling a security incident
Further information on the cyber security strategy in Austria: