Data protection and cybersecurity laws in Austria

• General Data Protection Regulation (GDPR)
• Austrian Data Protection Act 2018 (DPA)
• Austrian Telecommunications Act 2021 (Telekommunikationsgesetz 2021) (TKG 2021)
• Health Telematics Act 2012 (Gesundheitstelematikgesetz 2012) (GTelG 2012)
• Regulation of the Austrian Data Protection Authority on processing operations for which a Data Protection Impact Assessment is to be carried out (Federal Law Gazette II No. 278/2018)
• Regulation of the Austrian Data Protection Authority on exemptions from the requirement to carry out a Data Protection Impact Assessment (Federal Law Gazette II No. 108/2018)
• Regulation of the Austrian Data Protection Authority on the requirements for accreditation of a monitoring body pursuant to Art 41 (1) GDPR (Federal Law Gazette II No. 264/2019)
• Regulation of the Austrian Data Protection Authority on the requirements for the accreditation of a certification body pursuant to Art 43 (2) GDPR (Federal Law Gazette II No. 79/2021)

Austrian Data Protection Authority: https://www.dsb.gv.at

The “media privilege” under § 9 (1) DPA, which generally exempted media from data protection principles, was repealed by the constitutional court. From July 1^st 2024, the legislator enacted a revised version through the Data Protection Act Amendment 4031/A to substitute. Media companies must now ensure that their data processing for journalistic purposes meets general criteria, although they remain entitled to limited exceptions tailored to their public interest functions (eg investigative journalism, protection of sources). 

Sanctions are primarily laid down in the GDPR.

• Non-compliance with DPA may result in complaints, data protection authority audits and/or orders, administrative fines, seizure of equipment or data and civil actions and/or criminal proceedings.

• The Austrian Data Protection Authority may issue administrative fines of up to € 50,000 for non-compliance with DPA. The fines under the DPA will only be imposed if an offence does not constitute an offence under Art 83 GDPR ("catch-all clause").

Fines may be imposed on legal persons

• because of an executive's violation; or
• for monitoring or control failures.

A legal person is responsible for breaches if its executive does not comply with surveillance duties or does not enact organisational matters, thus, enabling an offence to be committed by an employee. Moreover, fines may be imposed on responsible persons in accordance with Article 9 Administrative Penal Act 1991 (Verwaltungsstrafgesetz 1991).

According to Article 63 DPA, the data processing for profit or malicious intent is punishable. An offence is punishable by imprisonment of up to 1 year or a fine of up to 720 daily rates.

Failure to comply with the GDPR and/or the DPA may further result in complaints, official audits and/or orders by the Data Protection Authority, administrative fines, seizure of equipment or data, and civil actions (e.g., under the GDPR, an affected data subject may sue for compensation for material and non-material damages before the civil courts in Austria) and/or criminal proceedings (e.g. pursuant to Section 118a et seq. Austrian Criminal Code).

Article 37 GDPR requires the controller or processor to publish the contact details of the designated data protection officer and communicate these details to the Austrian Data Protection Authority.

• a data controller collecting personal data must provide data subjects with information on:
  • the data controller’s identity (name, address, contact details);
  • the processing purposes and legal basis;
  • the data categories;
  • the data recipients (solely if the data is subject to a controller-to-controller transfer);
  • if consent is needed, (the possibility to revoke the consent at any time shall be indicated); and
  • the data subject’s rights.

• if consent is needed, electronic as well as non-electronic consent is permissible and deemed effective if it is properly structured and documented. The data subject has to be provided with information on:
  • the data controller’s identity;
  • the processed data categories;
  • the recipients (if they are data controllers as well);
  • the processing purposes; and
  • the right to revoke consent at any time.

• where processing is carried out by a processor on behalf of a controller, the controller shall only use processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject (Art 28 GDPR).

Chapter III GDPR expressly foresees the following data subject rights:

• Right of access by the data subject (Art 15 GDPR),
• Right to rectification (Art 16 GDPR),
• Right to erasure (Art 17 GDPR),
• Right to restriction of processing (Art 18 GDPR),
• Right to data portability (Art 20 GDPR),
• Right to object (Art 21 GDPR),
• Right, not to be subject to a decision based solely on automated processing, including profiling (Art 22 GDPR).

The GDPR provides for additional rights of the data subject, such as the right to be informed (Art 13 and 14 GDPR), the right to lodge a complaint with the Austrian Data Protection Authority (Art 77 GDPR in conjunction with Section 24 DPA) or to the right to an effective judicial remedy (Art 78 and 79 GDPR).

There are no derogations from the GDPR.

Transfer to third countries is generally prohibited.

However, GDPR foresees several mechanisms in order to transfer data to third countries, such as:

• Adequacy decision of European Commission according to Art 45 GDPR (e.g. EU-U.S. Data Privacy Framework),
• Internal data protection regulations (Binding Corporate Rules) according to Art 46 GDPR,
• Standard contract clauses (SCCs) according to Art 46 GDPR,
• Code of conducts and certification mechanisms as transfer tools according to Art 46 GDPR,
• Data transfers on the basis of Art 28 GDPR.

For further transfer mechanisms or tools, please see Art 44 – 49 GDPR.

It should be noted that the EU-U.S. Data Privacy Framework (Art 45 GDPR) only applies partially and only covers data transfers to certain U.S.-American data importers. The U.S. Department of Commerce’s International Trade Administration features a comprehensive list on its website.

Controllers and processors must appoint a Data Protection Officer if any of the following conditions apply:

• processing is carried out by a public authority or public body;
• core data processing activities consist of extensive regular and systematic monitoring;
• core data processing activities consist of processing of special categories of data on a large scale or of crime data.

Austrian ministries are obliged to appoint at least one Data Protection Officer according to Section 5 (4) DPA.

Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:

• the pseudonymisation and encryption of personal data;
• the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
• the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and
• a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Art 55 GDPR, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.

When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the data breach to the data subject without undue delay.

If the processor becomes aware of a personal data breach, it must report this to the controller without delay.

No general additional requirements under local law apply.

To notify a data breach to the Austrian Data Protection Authority, one can either:

• Fill out the online data breach notification form (German)
• Send its PDF version via email to dsb@dsb.gv.at
• Send a print-out via letter to „Österreichische Datenschutzbehörde, Barichgasse 40-42, 1030 Wien“

Template form for the notification of the data subject (German)

The GDPR and Austrian Data Protection Act (DPA 2018) apply to all marketing and advertising activities involving personal data. Personal data means any information relating to an identified or identifiable natural person (Art 4 (1) GDPR):

• This is the main legislation that marketers and ad tech companies will need to comply with regarding security measures and the notification of personal data breaches.
• Administrative fines under GDPR and DPA are imposed by the Austrian Data Protection Authority.
• Actions for damages (“Schadenersatzklagen”) and injunctions (“Unterlassungsklagen”) as well as interim injunctions (“einstweilige Verfügungen”) under GDPR and DPA are imposed by the courts.

In addition, Article 174 of Austria’s Telecommunications Act (TKG 2021), which implements the EU ePrivacy Directive 2002/58/EC, applies to specific marketing and advertising purposes - e.g. by imposing additional requirements on how organisations can carry out unsolicited direct electronic marketing.

• The Austrian Data Protection Authority enforces violations of data subject rights under TKG 2021 by issuing administrative fines up to € 50,000, since the Telecommunications Act 2021 is a lex specialis to the GDPR.

The TKG 2021 as lex specialis takes precedence over the GDPR regarding the use of cookies. Data subjects must be informed about the use of cookies within the meaning of Section  165 (3) TKG 2021. Austrian website operators must inform affected users comprehensively and obtain their consent. Violations could result in administrative fines up to € 50,000.

The use of cookies is only permitted if:

• without consent when it is absolutely necessary for the provider of an information society service to provide a service that has been expressly requested by the user (“technically necessary cookies”) or
• the user is informed in detail in advance,
• consent has been given before the use of cookies and
• the consent was given voluntarily, without doubt and by an active act.

The Austrian Data Protection Authority provides a Q&A on cookies (German)

The intensity of regulatory obligations and enforcement can be classified as moderate in Austria.

• Austrian Data Protection Act 2018 (DPA)
• Austrian Telecommunications Act 2021 (Telekommunikationsgesetz 2021 – TKG 2021)
• Data Protection Authority Austria

Outdated: Network and Information System Security Act (“Netzwerk – und Informationssicherheitsgesetz” – “NISG 2018”) as the implementing act of Directive (EU) 2016/1148 (“NIS-1”) concerning measures for a high common level of security of network and information systems across the Union. The latter has run out on October 17^th 2024.

Austria has not yet implemented Directive (EU) 2022/2555 concerning measures for a high common level of security of network and information systems across the Union (“NIS-2”), whose implementation deadline has lapsed on October 17^th 2024.

A ministerial draft (Netzwerk – und Informationssicherheitsgesetz  - “NISG 2024” - 4129/A) has been rejected by parliament on July 4^th 2024, as it has not reached the necessary two-third majority to pass contained constitutional provisions. This demonstrates the Austrian government’s approach to the NIS-2 implementation.

Intil NIS-2 is implemented, there is no national law transposing the EU directive, but EU-level expectations and sectoral best practices may still influence regulatory scrutiny.

A law transposing NIS-2 is to be expected in Q4 2025. On May 7^th 2025 the EU Commission has issued a reasoned opinion to MS which failed to notify full transposition, which includes Austria. The current Austrian policy stance is underlined by the NISG 2024 draft.

The draft also set out transitional provisions, which companies are advised to review to ensure compliance. Important material differences to NIS-2 will be highlighted. Generally, the NIS-2 framework will feature expanded security requirements for more entities (including updated incident reporting obligations, risk management measures, and higher administrative fines).

• Additional economic and public areas are covered by the scope
• Stronger and more detailed requirements for risk management, incident reporting, encryption, etc.
• Authorities have broader monitoring and enforcement powers (eg auditing competences and the ability to impose non-monetary measures) and can issue higher fines

• Large enterprises: at least 250 employees or over € 50 million annual turnover and over € 43 million annual balance sheet total
• Medium enterprises: at least 50, but less than 250 employees and between € 10-50 million annual turnover or between € 10-43 million annual balance sheet total
• Small enterprises: less than 50 employees and less than € 10 million annual turnover and less than € 10 million annual balance sheet total

For companies whose activities indicate a key role for society, the economy or certain sectors, the Directive provides special rules for small enterprises.

The scope of NIS-2 covers 18 sectors, whereby a distinction is made between "sectors of high criticality" and "other critical sectors".

There is also a distinction between:

• Essential services: large enterprises of the “sectors of high criticality”
• Important services: medium enterprises of the “sectors of high criticality”; large and medium enterprises of the “other critical sectors”

If the enterprise falls within the scope of NIS-2, it must register with the competent authority and comply with the directive’s national implementation. This includes the implementation of risk management measures that address technical, operational, and organizational aspects to safeguard network and information systems and reduce the impact of cybersecurity threats.

This includes, among other things

• ensuring business continuity through backup and crisis management measures
• measures to ensure the security of supply chains
• the use of cryptography and encryption technology
• the use of secure voice, video and text communication
• and more…

The scope of NIS-2 covers 18 sectors, whereby a distinction is made between "sectors of high criticality" (Annex I NIS-2) and "other critical sectors" (Annex II NIS-2).

• Highly critical sectors: Energy, transport, banking and financial market infrastructures, healthcare, water- enterprises related to the water cycle, digital infrastructure and space.
• Other critical sectors: Postal and courier services; waste management; manufacture, production and distribution of chemicals; production, processing and distribution of food; certain types of manufacturing; digital providers; research

Small enterprises fulfilling specific criteria could fall under NIS-2, for example through listed exceptions or by being a part of the supply chain of an affected enterprise (Preamble 7 NIS-2, § 26 NISG 2024)

There further exists a distinction between:

• Essential services: large enterprises of the “sectors of high criticality” and enterprises providing a certain service (eg top-level domain name registries) (Art 3 (1) NIS-2)
• Important services: medium enterprises of the “sectors of high criticality”; large and medium enterprises of the “other critical sectors” (Art 3 (2) NIS-2)

Cyber Security Authority („Cybersicherheitsbehörde“)

Federal Minister of the Interior

Cyber Security Coordination Group („Cyber Sicherheit Steuerungsgruppe“ – CSS)

Federal Ministry of the Interior

According to § 44 (1) NISG 2024 the district administrative authorities were competent to impose fines. The local jurisdiction for administrative offences shall be determined by the principal place of business of the operator of essential services or the provider of digital services, in the absence of such in Austria by the registered office of the representative.

Enterprises falling within the scope of NIS-2 must ensure necessary risk management measures for their entire organisation, rather than just for essential services:

• Cybersecurity Risk Management Measures (Art 21 NIS-2) are wide-ranging and include, among other things:
  • ensuring business continuity through backup and crisis management measures
  • measures to ensure the security of supply chains
  • the use of secure voice, video and text communication
  • the use of cryptography and encryption technology
• Governance Obligations (Art 20 NIS-2): The management bodies of entities are responsible for the implementation of cybersecurity measures and must attend cyber security training courses
• Incident Reporting Obligations (Art 23 NIS-2): Tiered notification system.
  • Initial notification (“early warning”) without undue delay and within 24 hours of becoming aware of the significant incident
  • Initial assessment (“incident notification”) within 72 hours including severity and impact
  • Final report not later than one month after the incident notification including a detailed description, the type of threat, mitigation measures and cross-border impact (if applicable)

The outdated § 26 (1) NISG 2018 punishes offences by a fine of up to €50,000 or up to €100,000 in the case of a repeat offence.

These scales were substantially increased by the directive. (Art 34 NIS-2) The NISG 2024 would have distinguished between essential and important entities:

• Essential entities can be fined up to €10,000,000 or up to 2% of the global annual turnover in the preceding financial year (whichever is higher)
• Important entities can be fined up to €7,000,000 or 1.4% of the global annual turnover in the preceding financial year (§ 45 NISG 2024).

The Austrian Data Protection Authority continues to have jurisdiction to impose fines for personal data breaches under the GDPR, while NIS-related authorities retain rights to issue additional measures specific to cybersecurity. Cooperation mechanisms between these authorities have been formalized under the revised NISG 2024 to avoid contradictory legal obligations for affected entities (§ 21 NISG 2024).

Not regulated in the NISG 2024.

The NIS-framework provides for a national computer emergency team to be set up to ensure the security of the network and information systems. §§ 14, 15 NISG 2018 already featured National Computer Emergency Teams, Sector-Specific Computer Emergency Teams and a Public Administration Computer Emergency Team (GovCERT). GovCERT shall assist public administration bodies in managing risks, incidents and security incidents.

The competences, requirements and supervision of these already established CERTs would have been further outlined in NISG 2024 under §§ 8 – 11.

• CERT.at – Computer Emergency Response Team Austria
• GovCERT.at– Public Administration Computer Emergency Team
• AEC – Austrian Energy CERT

The reporting of security incidents to CSIRT is clearly structured under NIS-2: (Art 23 (3) NIS-2, § 34 (2) NISG 2024)

• Early warning (within 24 hours):
  Entities must submit an early warning to the CSIRT or, where applicable, the competent authority within 24 hours of becoming aware of a significant incident. This warning should indicate, if relevant, whether the incident may be due to unlawful or malicious acts and whether it could have a cross-border impact.
• Incident notification (within 72 hours):
  A full incident notification must follow within 72 hours of detecting the incident. This notification should update the earlier warning and provide an initial assessment of the incident’s severity and impact. Where possible, it should also include available indicators of compromise.
• Intermediate report (upon request):
  Upon request by the CSIRT or competent authority, entities must provide an intermediate report with relevant updates on the status of the incident and response measures.
• Final report (within 1 month):
  A final report must be submitted no later than one month after the initial incident notification. It should include a detailed description of the incident (including its severity and impact), the likely root cause or type of threat, mitigation measures taken or ongoing, and, where applicable, the cross-border impact.

The involved CSIRT then has to forward this information to the Cyber Security Agency. (Art 13 (3) NIS-2, § 34 (1) NISG 2024)

• A security incident can be notified by using the online portal of CERT.at
  • Further reporting (not NIS related) can also be done by sending an E-mail to CERT.at: reports@cert.at, hereby one should include the information set out in the following form
  • In addition, please find further information on the recommended encryption and other measures on the this website:
• A security incident involving the energy sector can be notified by using the online portal of AEC

The “Cyber Security Platform” (CSP) is the central Austrian platform for cooperation between the private and public sectors on cybersecurity issues, with the close involvement of operators of critical infrastructure. It holds a plenary meeting once or twice a year and formulates recommendations in working groups. The Federal Chancellery of Austria runs the secretariat.

The "Austrian Handbook on Information Security" provides a broad overview of recognized information security standards based on common international standards such as ISO/IEC 27000. It serves to implement comprehensive security concepts in public administration and private sector.

Austrian Information Security Handbook

• Directive (EU) 2022/2555 on measures for a high common level of cybersecurity across the Union (“NIS-2”)
• General information about NIS-2 (German)
• Computer Emergency Response Team Austria:
  • CERT’s template for security incident notification (Sicherheitsvorfallsbericht) (German)
• NIS Incident Reporting System
• Austrian Information Security Management Handbook (German)
• Federal Chancellery’s annual Cybersecurity Report (last version 2021)