A. IN A NUTSHELL

5G technology enables greater speed and innovation. Connected mobility, smart homes and IoT are just a few examples of the business models it supports and of the impact this technology has on our society. At the same time, further interconnectivity and integration of systems also increase the risk of cyberattacks. Telecom providers and suppliers of 5G network components are thus responsible for establishing a high level of security to protect users and systems. To ensure a coordinated approach to an adequate level of security in the EU, the EU Commission and the member states have agreed on the EU Toolbox on 5G Cybersecurity ("EU Toolbox"). The recommendation contains a catalogue of technical and strategic measures. It is intended to encourage local policy makers to supplement the (binding) data protection and sector-specific laws, such as the Network and Information System Security legislation. In the last few years, this approach has led to much controversy in the member states about minimum cybersecurity strategies and the engagement of suppliers from non-EEA countries. The Austrian legislator took the following approach to safeguard the secure use of 5G on the Austrian market and by Austrian society:

  • Focus on technical criteria;
  • Reporting obligations to the Austrian Telecommunications Regulatory Authority when implementing 5G equipment for critical functions;
  • Restriction on the use of equipment and services of providers deemed "high-risk vendors", whereby
    1. the classification of high-risk vendors is done on a case-by-case basis;
    2. the crucial aspects are technical and security aspects;
    3. no general restriction of vendors based on their administrative seat or country of origin applies.
  • Supplementing cybersecurity rules (General Data Protection Regulation, Austrian Data Protection Act, Austrian Network and Information System Security Act, Austrian Ordinance on Network and Information System Security, Austrian Telecommunications Network Security Ordinance 2020) apply.

At first glance, this seems to be a well-balanced approach. Might Austria's framework thus serve as a role model in the highly controversial discussion on reasonable cybersecurity strategies and the engagement of suppliers from non-EEA countries in the telecoms sector? It is a fact that the Austrian legislators were very careful in the lawmaking process and deliberately obtained and reflected stakeholders' input from all relevant market participants right from the very beginning. This might be the key to the success of the well-balanced approach, which we explain in more detail below for those interested:

B. COMPARISON CHART: EU 5G TOOLBOX VS AUSTRIAN LEGISLATION

1. Landscape and list of cybersecurity related laws/regulations in Austria

1.1 Background

As early as 2017, the Austrian federal government set the goal of making Austria a 5G pilot country by the beginning of 2021, securing Austria a position among the top three in digitization in the EU and the top 10 worldwide. In 2018, the Ministry of Transport, Innovation and Technology issued a 5G strategy with the goal of accelerating the introduction of 5G mobile technology in Austria by optimizing the framework conditions. The strategy defines 5G as the infrastructural "key" for the new digital worlds, for Industry 4.0, autonomous mobility, smart cities and smart villages, comprehensive cyber security, state-of-the-art education or the Internet of Things. 5G is identified as advantageous in numerous areas, from transport to energy, e-Health, education, and administration. According to Elisabeth Köstinger, the Austrian Minister of Agriculture, Regions and Tourism, the recently published Austrian Infrastructure Report 2022 by the initiative Future Business Austria is a "clear confirmation that the roll-out of broadband and 5G infrastructure is of crucial importance for the future of the location, the economy and society". In April 2021, the Austrian government approved a broadband funding budget of EUR 1.4 billion; by the end of December 2021, another EUR 25 million in funding commitments were released for further expansion of broadband networks.

The rollout of the 5G network is still in progress in Austria, but recent developments show that the Austrian approach (described in more detail below) is a successful concept for making 5G available to the Austrian population.

1.2 Key Players

The following is an overview of the most relevant public agencies responsible for cybersecurity matters in Austria:

The Austrian RTR and the Ministry of Agriculture, Regions and Tourism as well as the Ministry of Interior are the key players shaping the Austrian 5G cybersecurity landscape.

In addition, many more public agencies and institutions are engaged with cybersecurity issues:

  • The Cyber Defence Division of the Federal Ministry of Defence (Bundesministerium für Landesverteidigung) sets up cybersecurity strategies, particularly for armed forces.
  • The Cyber Diplomacy of the Federal Ministry for European and International Affairs discusses strategies at EU and international level.
  • CERT.at is the national Computer Emergency Response Team ("CERT") acting as the primary point of contact for national cybersecurity incidents. It is the link between other CERTs and Computer Security Incident Response Teams ("CSIRTs") for critical infrastructures.
  • GovCERT Austria is the Government Computer Emergency Response Team for public administration in Austria. The Federal Chancellery (Bundeskanzleramt) manages GovCERT Austria in cooperation with CERT.at.
  • The Cyber Security Center of the Federal Office for the Protection of the Constitution and Counterterrorism (Bundesamt für Verfassungsschutz und Terrorismusbekämpfung) is responsible for incidents relevant to national defence, in particular the protection of critical infrastructures and constitutional institutions.
  • The Office for Strategic Network and Information System Security is part of Department I/8 in the Federal Chancellery and responsible for matters related to the implementation of the legal obligations under Directive (EU) 2016/1148 ("NIS Directive") and the Network and Information System Security Act (Netz- und Informationssystemsicherheitsgesetz, "NISG").
  • The Austrian Data Protection Authority (Österreichische Datenschutzbehörde, "DSB") is responsible for any data breaches notified according to Art 33 GDPR. Thus, the DSB frequently handles cybersecurity-related incidents to the extent personal data is concerned. This is frequently the case as regards phishing, ransomware or DDoS attacks.
