The new emergency regulations apply to suppliers of digital services in Israel and enable authorized authorities to request and receive any information from the regulated suppliers’ systems, in accordance with the regulations’ terms.
On November 27, 2023, the Israeli Government enacted the ‘Regulations (‘Iron Swords’) (on Handling Severe Cyberattacks in the Digital and Storage Services Sector), 5774-2023’.
The regulations establish supervision and intervention mechanisms, meant to allow managers in the Israeli National Cyber Directorate, the Israeli Security Service (Shin Bet), and the Director of Security of the Defense Establishment (Malmab) in the Ministry of Defense, to detect, prevent, or handle severe cyberattacks against regulated suppliers.
Regulated suppliers are defined as suppliers that:
- provide storage or digital services, that maintain either a permanent or periodic (physical or logical) connection to their customers’ computer systems, or frequent data transfers between their computer systems and those of their customers; or
- provide maintenance or management to storage or digital services.
These regulations enable government agencies to inform a regulated supplier of their concern about an imminent severe cyberattack.
Severe cyberattacks are actual or potential actions that are meant to unlawfully compromise computer systems or any data located on computer systems and are determined by governmental agencies to have a ‘significant impact’, meaning that the effect of the action:
- is not limited to the regulated supplier; and
- could compromise national security, public safety, or provision of essential services.
If a government agency has a real concern of a severe cyberattack against a regulated supplier, it may actively supervise the regulated supplier. If necessary for the purpose of detecting, preventing, or countering the cyberattack, the agency may also instruct the regulated supplier to provide specific information or perform certain actions.
The main requirements applicable to regulated suppliers under the regulations include the following obligations:
Reporting. Regulated suppliers must, upon the governmental agency’s request, either:
- provide a report detailing all actions taken to identify, prevent, or counter the cyberattack; or
- submit an affidavit attesting that the supplier implements information security standards in accordance with the NIST 800-53 standard concerning “Security and Privacy Controls for Information Systems and Organizations”.
Cooperation and Documentation. Regulated suppliers must follow instructions by government agencies and take any required action related to cyber defense. If necessary, the government agency may also require the supplier to provide it with any related information or documents.
Retention: Government agencies must document instructions given to regulated suppliers and provide them with a written copy of such instructions within a reasonable time.
Confidentiality: All data provided by the regulated supplier will be deleted by the governmental agencies following the handling of the cyberattack, unless such data is essential for identifying the attack’s characteristics.
Regulated suppliers should assess their exposure under the regulations and maintain necessary documentation for legal archival purposes.
The regulations take effect immediately as of the date of their publication, and will remain in effect until December 26, 2023, unless further extended by the Israeli Government.
Feel free to contact us if you have any questions regarding the regulations and their practical implications.
*This post does not constitute a legal opinion.