Requirements for companies

Cybersecurity law under review

(Bild: APA/GEORG HOCHMUTH)

In future, there are to be new requirements for companies with 50 or more employees in certain sectors to improve cyber security. The government submitted a corresponding law for review on Wednesday, as announced by Interior Minister Gerhard Karner (ÖVP) and Justice Minister Alma Zadic (Greens) after the Council of Ministers. 

In future, critical infrastructure companies and federal institutions will have to implement certain IT security measures and report IT security incidents.

Austria implements EU directive
The aim is to create uniform cyber security standards. Austria is thus implementing the European Cybersecurity Directive NIS 2. The aim is to increase the network security and resilience of companies and public institutions and to shorten the response time to cyber attacks, said Karner in the press foyer after the government meeting.

Interior Minister Gerhard Karner (ÖVP) and Justice Minister Alma Zadic (Greens)(Bild: APA/GEORG HOCHMUTH)

Minister of the Interior Gerhard Karner (ÖVP)(Bild: APA/GEORG HOCHMUTH)

For the approximately 3,000 to 4,000 companies, local authorities and associations affected, the requirements mean additional work. The aim of the Ministry of the Interior is therefore to prepare and support them in the best possible way, emphasized the Minister. A service center for cyber security has therefore been set up within the Ministry of the Interior.

Requirements should be practicable
Last year, an integration process was also launched with the Federation of Austrian Industries, the Chamber of Commerce and the federal states. The aim was not to write any excessive regulations (so-called "golden plating") into the law in order to make the requirements as practicable as possible, said Karner. The review phase for the Network and Information Security Act will last four weeks. The EU directive must be implemented by October 2024.