OCG: No company is spared from implementing IT security measures

NIS-2 Business Breakfast: Everyone needs an ISMS

Vienna (OTS) On April 8, 2024, the Austrian Computer Society (OCG), in cooperation with CRYPTAS and Sophos, hosted the NIS-2 Business Breakfast at the OCG premises in Vienna's 1st district. The focus was on the legal aspects of the EU cybersecurity directive; specific industry problems and best-practice examples for implementation were also presented.

Under the expert moderation of Wolfgang Prentner, civil engineer and head of the OCG certification committee (ISO/IEC 27001), the speakers gave the interested expert audience insight into current developments: Arno Spiegel (BKA, NIS office), Stefan Eder (Benn-Ibler Rechtsanwälte GmbH), Thomas Pfeiffer (Linz network), Stefan Bumerl (CRYPTAS), Markus Groller (SOPHOS), Nina Thomann (NCC-AT) and Wolfgang Resch (OCG). The speakers' presentation slides are available for download on the CRYPTAS website.

Not harassment, but an important measure

“It’s about making the domestic market safer,” says Arno Spiegel from the NIS Office of the Federal Chancellery, who points out that the Network and Information System Security Act 2024 – NISG 2024 (NIS-2) was sent out for review on April 3 and that comments can be submitted until May 1. The law requires a two-thirds majority in the Austrian National Council; the plenary session is expected to vote on it at the beginning of July.

Seek advice in a timely manner

“Regardless of whether the national NIS 2 law is passed in time before October 18, 2024, no company will be spared from implementing the EU directive. Consultants, certifying and auditing bodies have limited resources to carry out NIS audits,” emphasizes Wolfgang Resch, head of the OCG testing and certification center. In general, everyone affected by NIS-1 is also affected by NIS-2. Because new sectors and areas are added, and the thresholds in the sectors already covered by NIS-1 are largely replaced by SME size limits, the number of affected organizations grows massively.

Management Penalties and Liability

“Fear is a bad advisor – but sometimes it helps to raise awareness of impending cyber attacks and subsequently take important measures to increase IT security. It’s high time to take action!” said Wolfgang Resch.

The lawyer and computer scientist Stefan Eder from Benn-Ibler Rechtsanwälte GmbH spoke about the duty of care and liability of management bodies. “The EU legislator has made management bodies responsible for cybersecurity in companies, although NIS-2 is by no means the only measure in this area,” emphasizes Eder. “Ignorance does not protect against punishment – this also applies to cybersecurity.” Companies have to ask themselves where their risk lies, because incidents and damage can take many forms. In addition to economic damage, there can also be (serious) harm to persons, e.g. if a supply system in a hospital fails or a pacemaker malfunctions.

It can be assumed that the liability and training obligations of top management will be an additional lever for getting the new rules implemented quickly and appropriately. It is therefore essential for companies to inform themselves in good time and take action.

Cybersecurity Policy

The EU’s European Cybersecurity Strategy was developed to achieve a higher level of security of network and information systems across the EU. With its cybersecurity directive NIS-2, adopted at the end of 2022, the EU expects more resilience for the entire infrastructure as a basis for a functioning EU internal market. The national implementation deadline ends on October 18, 2024, by which point an amendment to the Austrian NISG and the accompanying regulations must be in force. The Network and Information System Security Act 2024 – NISG 2024 (NIS-2) has been under review since April 3, 2024; comments can be submitted until May 1.

Funding for SMEs

The funding call for the Cyber Security Check 2023 has been extended. “There is still funding from the FFG,” emphasized Nina Thomann from NCC-AT. Applications can still be submitted until April 15; the submission process is uncomplicated, and the NCC-AT office is happy to answer any questions.

Testing and certification offers from OCG

As a qualified body under the NIS Act, the OCG offers ISO/IEC 27001 certification, also in combination with an NISG audit. Such combined audits cover large parts of a company’s organizational measures. The OCG also offers gap analyses and pre-audits.

Questions & Contact:

Austrian Computer Society (OCG)
Wolfgang Resch
+43 1 512 02 35-13