The Austrian Cyber Security Strategy (ACSS; Österreichische Strategie für Cyber Sicherheit, ÖSCS) was launched in 2013 as a comprehensive and proactive concept for protecting cyber space and the people who act in it, while guaranteeing human rights.
It is designed to enhance the security and resilience of Austrian infrastructures and services in cyber space. Most importantly, it builds awareness and confidence in the Austrian society.
The strategy identifies seven objectives and the related actions and measures:
Obj. 1 - Structures and processes: Establishing a Cyber Security Steering Group (2012), responsible for coordinating measures relating to cyber security at the political-strategic level, monitoring and supporting the implementation of the ACSS, preparing an annual Cyber Security Report and advising the federal government in all matters relating to cyber security. Creating a structure for coordination at the operational level, including periodic analysis of the incident-related cyber security situation. Establishing a Cyber Crisis Management structure. Strengthening existing cyber structures, in particular the Computer Emergency Response Teams (CERTs).
Obj. 2 - Governance: Establishing a modern regulatory framework. Defining minimum standards. Preparing an annual report on cybersecurity.
Obj. 3 - Co-operation between the government, economy and society: Establishing a Cyber Security Platform. Strengthening support for SMEs. Preparing a Cyber Security Communication Strategy.
Obj. 4 - Protection of critical infrastructures: Improving the resilience of critical infrastructures.
Obj. 5 - Awareness raising and training: Strengthening a cyber security culture. Incorporating cyber security and media competence into all levels of education and training.
Obj. 6 - Research and development: Strengthening Austria’s research in the area of cyber security.
Obj. 7 - International Co-operation: Effective collaboration on cyber security in Europe and worldwide.
NATIONAL CYBERSECURITY STRATEGY - NIS Capacities
|Year of adoption||2013|
|Updates and revisions||
Austria is expected to adopt a cyber security act in spring 2018. The act will tighten the cyber security requirements for all operators of critical infrastructure.
In view of this, the Bundeskanzleramt (Federal Chancellery) has established a strategic cooperation with the Swedish authorities through the annual Austrian-Swedish Cyber Security Program. The program links leading Swedish and Austrian operators of critical infrastructure in telecom, finance, energy and transportation with selected cutting-edge technology providers whose solutions address future cyber security needs. The network includes Raiffeisen Bank Group, Erste Bank Group, A1 Telekom Austria Group, Hutchison Drei Austria, Vienna Airport, the energy companies EVN, Energie AG and Wien Energie, the post and telecom regulator RTR, the Ministry of the Interior, the Ministry of Defence, the IAEA and UNOD.
Legislation/policy requiring the establishment of a written information security plan: the 2013 strategy calls for a review of legislation and policy in this area, but this review does not yet appear to have been implemented.
Legislation/policy requiring security practices/requirements to be mapped to risk levels: The Information Security Ordinance 2003 <www.ris.bka.gv.at/Dokumente/Bundesnormen/NOR30003326/NOR30003326.pdf> maps security practices to assigned classification levels. These levels are set out in the Information Security Act 2002 <www.ris.bka.gv.at/GeltendeFassung/Bundesnormen/20001740/InfoSiG%2c%20Fas... and are assigned according to the risk involved in disclosing the classified information.
Legislation/policy requiring (at least) an annual cybersecurity audit: The Information Security Ordinance 2003 <www.ris.bka.gv.at/Dokumente/Bundesnormen/NOR30003326/NOR30003326.pdf> requires the information security officer appointed in each ministry to perform a yearly review of the information security arrangements in that ministry. This review is not specifically focused on cybersecurity.
International accreditation or certification schemes are required for public and private procurement of cybersecurity products.
There is no general mandatory obligation under Austrian law to report a cyber incident (the sector-specific notification duties arising from the NIS Directive and the GDPR are described in the section on GDPR and NIS Directive compliance below).
There is no policy/legislation requiring the establishment of a Chief Information Officer (CIO) or Chief Security Officer (CSO).
Business and Public Private Partnerships
Co-operation with private operators of critical infrastructures and other economic sectors is considered a crucial part of the 2013 national strategy.
In 2015, the Cyber Security Platform (CSP; German) https://www.digitales.oesterreich.gv.at/cyber-sicherheit-plattform was set up with more than 100 stakeholders from business, science and public administration. The CSP provides for a periodic exchange of information on fundamental issues of cyber security, initiates cooperation between the participating partners and forms an umbrella for already existing forms of cooperation (Austrian Trust Circle, Kuratorium Sicheres Österreich Cyber Sicherheit Forum, Centre for Secure Information Technology Austria, Cyber Security Austria). In addition, the Cyber Security Steering Group is available to the platform in an advisory capacity.
SMEs: sector-specific information platforms such as the Austrian Trust Circles should develop sector-specific cyber risk management plans; regulatory authorities and interest groups will be involved in this dialogue. These risk management plans will be coordinated with governmental crisis and continuity management plans. Cross-sectoral cyber exercises for SMEs will be organised and held at periodic intervals, and SMEs from specific sectors should be allowed to participate in governmental cross-sectoral cyber exercises upon request.
|Other capacity-building measures||
The 2013 strategy underscores the importance of research and educational programmes, though no concrete actions appear to have been implemented so far.
|Overall assessment/best practices||
Austria's computer emergency response team, CERT.at, has a broad and well-defined scope.
Austrian public-private partnerships on cybersecurity include the Centre for Secure Information Technology Austria (A-SIT) and Kuratorium Sicheres Österreich.
The Austrian Trust Circles facilitate sector-specific information exchange between operators of critical infrastructures and SMEs, supporting the development of sector-specific risk management plans. The Austrian Trust Circles are an initiative of CERT.at and the Austrian Federal Chancellery.
|Implementation & monitoring||
The implementation of the ACSS measures is coordinated by the Cyber Security Steering Group. Based on the ACSS, the competent ministries develop sub-strategies for their own spheres of responsibility. The ministries represented in the Cyber Security Steering Group submit an Implementation Report to the federal government every two years.
Austria’s Cyber Crisis Management consists of representatives of the state and of operators of critical infrastructures. As far as its composition and work procedures are concerned, it is modelled on the Governmental Crisis and Civil Protection Management (Krisen- und Katastrophenmanagement/SKKM).
Crisis management and continuity plans are prepared and updated regularly on the basis of risk analyses for sector-specific and cross-sectoral cyber threats in cooperation with public institutions and the operators of critical infrastructures.
As a basis for operational capabilities to prevent cyber attacks, MilCERT (set up within the Federal Ministry of Defence and Sports) is commissioned to protect the military networks and to further develop the cyber security situation picture.
|Latest WISER updates||July 2017|
GDPR and NIS Directive Compliance and Notification
|Notification obligations in the event of a cyber-attack/data breach||
NIS Directive (operators of essential services and digital service providers): incidents with an actual, adverse and significant impact on the continuity of essential services must be notified; for digital service providers, incidents with an actual, adverse and substantial impact on the provision of the enumerated digital services.
GDPR (any organisation processing the personal data of individuals in the EU): a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
|National Computer Security Incident Response Team (CSIRT)||
|Computer Emergency Response Team (CERT)||CERT.at|
|Guidance and Updates||
The most detailed and up-to-date website on cybersecurity in Austria is the Cyber Security Platform (CSP; German) https://www.digitales.oesterreich.gv.at/cyber-sicherheit-plattform, which provides information also on upcoming events and training.
|Languages||German and English|
|Last WISER update||November 2017|