Amir Noy & Dan Or-Hof
The New Israeli Temporary Law imposes new statutory obligations on suppliers of digital, IT, cloud or other data-related services. The law enables authorized cyber security governmental agencies to request and receive any data from the regulated suppliers’ systems, in accordance with the law’s provisions.
Summary of the main statutory obligations under the new temporary law:
- Report a severe cyberattack to the cyber security governmental agencies;
- Follow instructions by cyber security governmental agencies, and take any required action related to cyber defense;
- Submit information and documents to the cyber security governmental agencies, at their request.
On December 25, 2023, the Knesset (the Israeli parliament) passed the ‘Temporary Law on Handling Severe Cyberattacks in the Digital and Storage Services Sector (‘Iron Swords’), 5774-2023’. This temporary law replaces the recently enacted cyber security emergency regulations.
The temporary law facilitates supervision and intervention mechanisms, meant to allow managers in the Israeli National Cyber Directorate, the Israeli Security Service (Shin Bet), and the Director of Security of the Defense Establishment (Malmab) in the Ministry of Defense, to detect, prevent, or handle severe cyberattacks against regulated suppliers.
Regulated suppliers are defined as suppliers that:
- provide storage or digital services, that maintain either a permanent or periodic (physical or logical) connection to their customers’ computer systems, or frequent data transfers between their computer systems and those of their customers; or
- provide maintenance or management to storage or digital services.
This temporary law establishes the statutory abilities of cyber security governmental agencies to inform a regulated supplier of their concern about an imminent severe cyberattack.
Severe cyberattacks are actual or potential actions that are meant to unlawfully compromise computer systems or any data located on computer systems and are determined by governmental agencies to have a ‘significant impact’, meaning that the effect of the action:
- is not limited to the regulated supplier; and
- could compromise national security, public safety, or provision of essential services.
If a government agency has real concerns of a severe cyberattack against a regulated supplier, it may actively supervise the regulated supplier. If necessary for the purpose of detecting, preventing, or countering the cyberattack, the agency may also instruct the regulated supplier to provide specific information or perform certain actions.
The main statutory requirements applicable to regulated suppliers under the temporary law are as follows:
Reporting. Regulated suppliers must, upon the governmental agency’s request, either:
- provide a report detailing all actions taken to identify, prevent, or counter the cyberattack; or
- submit an affidavit, as will be published by the Israeli National Cyber Directorate, attesting that the supplier implements information security standards in accordance with the NIST 800-53 standard concerning “Security and Privacy Controls for Information Systems and Organizations”, or any other information security standard published by the Israeli National Cyber Directorate that provides adequate treatment of severe cyberattacks.
Cooperation and Documentation. Regulated suppliers must follow instructions by cyber security governmental agencies, and take any required action related to cyber defense. If necessary, the government agency may also require the supplier to provide it with any related information or documents.
Retention: Cyber security governmental agencies must document instructions given to regulated suppliers and provide them with a written copy of such instructions within a reasonable time.
Confidentiality: All data provided by the regulated supplier will be deleted by the governmental agencies following the handling of the cyberattack unless such data is essential for identifying the attack’s characteristics.
Publication: Cyber security governmental agencies may publicly disclose the supplier’s identity, in accordance with this Temporary Law, following the approval of the relevant agency’s manager, and the receipt of the supplier’s claims prior to publication.
Penalty for Disclosure: Any recipient of disclosed data provided by the regulated supplier that discloses or uses such data, as part of fulfilling its duties or operation, and contrary to the relevant provision of this temporary law, will be sentenced to three years’ imprisonment.
The new temporary law takes effect immediately as of the date of its publication and will remain in effect for 7 months, i.e., until the end of July 2024.
Regulated suppliers should promptly assess their exposure under the temporary law and maintain the necessary documentation for legal archival purposes.
Feel free to contact us if you have any questions regarding the new Temporary Law and its practical implications.
*This post does not constitute a legal opinion.