New Cyber Law Passed by National Council

With a broad majority, the Network and Information Security Act was passed in the National Council on Friday. The law, which implements the EU directive "NIS-2" with a delay, is intended to prepare system-relevant institutions and companies for potential cyberattacks. The votes for the necessary two-thirds majority were provided by the government factions along with the Greens. The FPÖ rejected the law and warned of a "burden avalanche" for 4,000 companies.

Cybersecurity Law Brings Stricter Requirements for Companies

The law imposes comprehensive requirements for security measures on system-relevant institutions and companies - including energy suppliers and the food trade. In case of violations, fines of up to 10 million euros or 2 percent of the worldwide annual turnover are foreseen. A Federal Office for Cybersecurity will be established as a central contact point within the Ministry of the Interior.

EU Directive Should Have Been Implemented by 2024

Actually, the EU directive to strengthen IT security should have been implemented by October 2024, which is why a contractual procedure is ongoing against Austria. A similar legislative proposal by the turquoise-green government failed due to the necessary two-thirds majority, as FPÖ, SPÖ, and NEOS refused their approval. The new law largely follows the legislative proposal from 2024 but includes adaptations in reporting obligations, transition periods, and the institutional design of the cybersecurity authority.

This also explained the current approval by SPÖ and NEOS. Now there is a separate cybersecurity authority as a central contact point, said SPÖ security spokesperson Maximilian Köllner. Although it is located in the Ministry of the Interior, it is outside the Directorate General for Public Security. If there are directives, they must be issued in writing and reported to Parliament. Since last year, many statements have been incorporated, thus dispelling concerns, emphasized NEOS representative Ines Holzegger. The authority is now independent and no longer directly subordinate to the Minister of the Interior.

Greens Welcome Late Decision

The authority to issue directives is necessary because the member of the government must also take responsibility, said Interior Minister Gerhard Karner (ÖVP). The approach of the law is "advice instead of punishment," which is important to achieve the necessary acceptance and effectiveness. The affected companies and institutions have been intensively involved. SPÖ State Secretary Jörg Leichtfried thanked the Greens for the constructive negotiations. They were pleased that it was finally possible to pass "one of the most important European cybersecurity laws." The text of the law is almost identical to the draft rejected by SPÖ and NEOS, but given the importance of the law, he did not want to make political capital, said Green security spokesperson Süleyman Zorba.

Only the Freedom Party opposed the law. FPÖ security spokesperson Gernot Darmann spoke of a "burden avalanche" for 4,000 Austrian companies, which would be burdened with their supply chains "with new bureaucracy, new inefficiencies, and ultimately cost-driving." He criticized that the Ministry of the Interior would have authority over the new federal office, but it could not protect itself during the cyberattack this year, said Darmann.

(APA/Red)

This article has been automatically translated, read the original article here.