CMS Expert Guide: Data Law Navigator
Compare data protection and cybersecurity laws across more than 40 jurisdictions
Data protection
- 1. Local data protection laws and scope
- 2. Data protection authority
- 3. Anticipated changes to local laws
- 4. Sanctions & non-compliance
- 5. Registration / notification / authorisation
- 6. Main obligations and processing requirements
- 7. Data subject rights
- 8. Processing by third parties
- 9. Transfers out of country
- 10. Data Protection Officer
- 11. Security
- 12. Breach notification
- 13. Direct marketing
- 14. Cookies and adtech
- 15. Risk scale
- 16. Useful links
Cybersecurity
- 1. Local cybersecurity laws and scope
- 2. Anticipated changes to local laws
- 3. Application
- 4. Authority
- 5. Key obligations
- 6. Sanctions & non-compliance
- 7. Is there a national computer emergency response team (CERT) or computer security incident response team (CSIRT)?
- 8. National cybersecurity incident management structure
- 9. Other cybersecurity initiatives
- 10. Useful links
Jurisdictions
- Albania
- Algeria
- Angola
- Austria
- Belgium
- Bosnia and Herzegovina
- Brazil
- Bulgaria
- Chile
- China
- Colombia
- Croatia
- Czech Republic
- France
- Germany
- Hong Kong
- Hungary
- Italy
- Kenya
- Luxembourg
- Mexico
- Monaco
- Montenegro
- Netherlands
- Norway
- Peru
- Poland
- Portugal
- Romania
- Saudi Arabia
- Serbia
- Singapore
- Slovakia
- Slovenia
- South Africa
- Spain
- Sweden
- Switzerland
- Turkiye
- UAE
- Ukraine
- United Kingdom
Data protection
1. Local data protection laws and scope
Chile:
Chile’s current data protection regime is governed by Law No. 19.628 on the Protection of Private Life, which remains in force and fully applicable until November 30, 2026.
However, on December 13, 2024, Chile enacted Law No. 21.719 on the Protection of Personal Data, a comprehensive reform that modernizes the legal framework, brings it closer to international standards (such as the GDPR) and establishes a dedicated Data Protection Authority. This new law will enter into force on December 1, 2026.
Other legal provisions that regulate some aspects of personal data processing include:
- Article 19 Nos. 4 and 5 of the Chilean Constitution, which enshrine the right to privacy and the protection of personal data; and
- Law No. 19.496 (Consumer Protection Law), which regulates unsolicited commercial marketing communications sent to consumers.
Montenegro:
The Personal Data Protection Law (Official Gazette of Montenegro Nos. 79/2008, 70/2009, 44/2012, 22/2017 and 77/2024) ("the PDPL").
On 1 March 2023, the National Assembly of Montenegro adopted a new Personal Data Protection Act (“New PDPA”), which entered into force on 1 July 2023 and replaced the previous PDPL. The New PDPA is broadly aligned with the General Data Protection Regulation (GDPR) of the European Union, introducing stricter requirements for data controllers and processors, including enhanced data subject rights, new data breach notification obligations, and higher penalties for non-compliance.
As of now, Montenegro’s Personal Data Protection Law (PDPL), originally adopted in 2008 (Official Gazette Nos. 79/08, 70/09, 44/12, 22/17), is still in force, with only one minor amendment introduced in August 2024 (Official Gazette No. 77/2024).
Austria:
- General Data Protection Regulation (GDPR)
- Austrian Data Protection Act 2018 (DPA)
- Austrian Telecommunications Act 2021 (Telekommunikationsgesetz 2021) (TKG 2021)
- Health Telematics Act 2012 (Gesundheitstelematikgesetz 2012) (GTelG 2012)
- Regulation of the Austrian Data Protection Authority on processing operations for which a Data Protection Impact Assessment is to be carried out (Federal Law Gazette II No. 278/2018)
- Regulation of the Austrian Data Protection Authority on exemptions from the requirement to carry out a Data Protection Impact Assessment (Federal Law Gazette II No. 108/2018)
- Regulation of the Austrian Data Protection Authority on the requirements for accreditation of a monitoring body pursuant to Art 41 (1) GDPR (Federal Law Gazette II No. 264/2019)
- Regulation of the Austrian Data Protection Authority on the requirements for the accreditation of a certification body pursuant to Art 43 (2) GDPR (Federal Law Gazette II No. 79/2021)
2. Data protection authority
Chile:
The Agencia de Protección de Datos Personales (APDP) will act as the supervisory authority in Chile, with regulatory, investigative and sanctioning powers.
While the APDP has been created by Law No. 21.719, it is not yet operational. Until its formal implementation, Chile remains without a functioning authority in charge of overseeing data protection compliance.
Montenegro:
Agency for Personal Data Protection and Free Access to Information (“the Agency”):
Under the New PDPA, the Agency has gained administrative enforcement powers. It can now impose administrative fines for breaches of the New PDPA without recourse to criminal or offence proceedings.
Austria:
Austrian Data Protection Authority: https://www.dsb.gv.at
3. Anticipated changes to local laws
Chile:
The reform is no longer pending: Law No. 21.719 has been enacted. Its main features include:
- A modernized legal definition of personal data and sensitive data, aligned with international standards;
- Expanded lawful bases for processing: consent, legal obligations, contract performance, vital interests, public interest, and legitimate interest;
- Establishment of the APDP as a fully empowered supervisory authority;
- Regulation of international data transfers based on adequacy decisions, safeguards (standard clauses, binding corporate rules), or informed consent;
- A structured catalogue of infringements with fines of up to 20,000 UTM, or 2% to 4% of annual revenue for large enterprises in case of repeated violations;
- Introduction of a formal complaint mechanism before the APDP, with judicial review before the Court of Appeals.
Montenegro:
Changes to the PDPL are anticipated soon; first drafts of the law are already being negotiated.
The new law entered into force on 1 July 2023, as noted above, and no further major legislative changes in personal data protection are currently expected before 2026.
Austria:
The “media privilege” under § 9 (1) DPA, which generally exempted media from data protection principles, was repealed by the Constitutional Court. With effect from 1 July 2024, the legislator enacted a replacement provision through Data Protection Act amendment 4031/A. Media companies must now ensure that their data processing for journalistic purposes meets the general criteria, although they remain entitled to limited exceptions tailored to their public interest functions (e.g. investigative journalism, protection of sources).
4. Sanctions & non-compliance
Chile:
Sanctions in Chile are now administrative rather than solely judicial. The new framework distinguishes between minor, serious and very serious infringements, with fines of up to 5,000, 10,000 and 20,000 UTM, respectively.
In addition, for large enterprises, repeated infringements may give rise to fines of up to 2% or 4% of annual revenues, whichever amount is greater. This marks an important difference from the former regime, under which sanctions could only be imposed by civil courts in civil proceedings.
Austria:
Sanctions are primarily laid down in the GDPR.
5. Registration / notification / authorisation
Chile:
Controllers and processors must keep a register of processing activities, detailing the categories of data, purposes, lawful basis, transfers, and security measures. Controllers must also document the lawful basis relied upon for each processing activity.
Montenegro:
Setting up a personal data filing system is subject to notification. After setting up a data filing system, the data controller must appoint a person responsible for the protection of personal data (if the data controller employs more than ten people who process personal data).
Under the New PDPA, registration or notification requirements have largely been replaced with an accountability-based approach, whereby data controllers must be able to demonstrate compliance with all principles of data processing. However, the obligation to appoint a data protection officer remains if the controller employs more than ten people, or if the data processing activities pose heightened risks to data subjects.
Austria:
Article 37 GDPR requires the controller or processor to publish the contact details of the designated data protection officer and communicate these details to the Austrian Data Protection Authority.
6. Main obligations and processing requirements
Chile:
Data processing:
According to the new CDPL, the processing of all data shall be carried out:
- In a manner consistent with the law;
- For the purposes permitted by the legal system; and
- With attention to the full exercise of the fundamental rights of the data subject.
Consent of the data subject: Article 12 of the law establishes that the processing of personal data is permitted only when the data subject expressly consents to or authorises it.
The consent of the data subject must be freely given, informed, and specific as to its purpose or purposes. Consent must also be given in advance and unequivocally, by means of a verbal, written or equivalent electronic statement, or by an affirmative act that clearly indicates the data subject's will.
Article 3 of the law establishes the principles on which the entity responsible for processing personal data must act. The principles are:
Article 3(a): Principles of lawfulness and fairness. Personal data may only be processed in a lawful and fair manner.
Article 3(b): Principle of purpose. Personal data must be collected for specific, explicit and lawful purposes. The processing of personal data must be limited to the fulfilment of these purposes.
Article 3(c): Principle of proportionality. The personal data processed must be strictly limited to what is necessary, appropriate and relevant in relation to the purposes of the processing.
Article 3(d): Principle of quality. Personal data must be accurate, complete, up-to-date and relevant in relation to its source and the purposes for which it is processed.
Article 3(e): Principle of responsibility. Those who process personal data shall be legally responsible for complying with the principles contained in this article and with the obligations and duties under the law.
Article 3(f): Principle of security. When processing personal data, the controller must ensure adequate security standards, protecting it against unauthorized or unlawful processing, and against loss, leakage, accidental damage or destruction. Security measures must be appropriate and proportionate with the processing to be carried out and the nature of the data.
Article 3(g): Principle of transparency and information. The controller must provide the data subject with all the information necessary for the exercise of the rights established by this law, including policies and practices regarding the processing of personal data, which must also be permanently accessible and available to any interested party in a precise, clear, unambiguous and free manner.
Article 3(h): Principle of confidentiality. The controller of personal data and those who have access to it must maintain secrecy or confidentiality regarding such data. The controller shall establish appropriate controls and measures to preserve secrecy or confidentiality. This obligation shall remain in force even after the relationship with the data subject has ended.
Sensitive data: Article 16 of the law prescribes that sensitive personal data, defined as any information regarding characteristics of a physical or moral nature of an individual or facts or circumstances of his private life, such as personal habits, racial or ethnic origin, ideologies and political opinions, religious beliefs or convictions, physical or mental health and sexual life, cannot be processed unless:
- The data subject expressly consents to said processing; or
- Without consent, when:
  - the processing refers to sensitive personal data that the subject has made manifestly public and its processing is related to the purposes for which it was published;
  - the processing is based on a legitimate interest pursued by a legal entity governed by public or private law that does not pursue profit-making purposes and certain conditions are met;
  - the processing of the data subject's personal data is essential to safeguard the life, health or physical or mental integrity of the data subject or another person;
  - the data processing is necessary for the establishment, exercise, or defence of legal claims before courts of law or administrative entities;
  - data processing is necessary for the exercise of rights and the fulfilment of obligations of the data controller or data subject, in the field of employment or social security, and is carried out within the framework of the law; and
  - the processing of sensitive personal data is expressly authorized or mandated by law.
Montenegro:
- Information requirement;
- Consent requirements, unless processing is required by the law;
- Notification requirement.
Under the New PDPA, data controllers and processors must also implement data protection by design and by default, conduct data protection impact assessments for high-risk processing, and maintain detailed records of processing activities.
7. Data subject rights
Chile:
Law No. 21.719 establishes a comprehensive set of rights for data subjects, which are personal, non-transferable, non-waivable, and may not be contractually limited. These rights may also be exercised by the data subject's legal representative or, in the event of death, by their heirs (subject to certain restrictions). The rights include:
Right of Access:
Data subjects have the right to know whether their personal data is being processed, access it, and receive information about its origin, purposes, recipients, retention period, and, in the case of automated decisions, the logic involved and potential effects.
Right to Rectification:
This right allows individuals to request the correction, update, or completion of their personal data when it is inaccurate, outdated, or incomplete. The data controller must suspend processing until the data is rectified.
Right to Erasure (“Right to be Forgotten”):
Individuals can request the deletion of their data when it is no longer necessary, consent has been withdrawn, data has been unlawfully processed, or deletion is required by law or judicial decision, subject to certain legal exceptions.
Right to Object:
Data subjects may object to the processing of their data on compelling personal grounds or when it is used for direct marketing purposes, unless the controller can demonstrate overriding legitimate reasons for the processing.
Right Not to Be Subject to Automated Decisions:
This right ensures individuals are not subject to decisions based solely on automated processing (including profiling) that produce legal effects or significantly affect them, except in certain lawful circumstances with appropriate safeguards.
Right to Data Portability:
Subjects can request a copy of their data in a structured, commonly used, and machine-readable format and transfer it to another controller, provided the processing is based on consent and conducted through automated means.
Right to Restriction of Processing (Blocking):
Data subjects may request the restriction of processing (i.e., blocking) in specific situations, such as when data accuracy is contested, the processing is unlawful but erasure is not desired, or the data is no longer needed but required for legal claims.
Montenegro:
Data subjects have the right to:
- be informed in connection with the data processing
- access data relating to them;
- request that the data be corrected, modified, updated or deleted;
- request a stay and suspension of processing;
- have the data processing stayed or suspended if they have challenged the correctness, completeness and accuracy of the data.
The New PDPA introduces the right to data portability, aligning Montenegro’s legislation more closely with the GDPR. Data subjects are now entitled to receive their personal data in a structured, commonly used, and machine-readable format, and to transmit those data to another controller if technically feasible.
Austria:
Chapter III GDPR expressly foresees the following data subject rights:
- Right of access by the data subject (Art 15 GDPR),
- Right to rectification (Art 16 GDPR),
- Right to erasure (Art 17 GDPR),
- Right to restriction of processing (Art 18 GDPR),
- Right to data portability (Art 20 GDPR),
- Right to object (Art 21 GDPR),
- Right, not to be subject to a decision based solely on automated processing, including profiling (Art 22 GDPR).
The GDPR provides for additional rights of the data subject, such as the right to be informed (Art 13 and 14 GDPR), the right to lodge a complaint with the Austrian Data Protection Authority (Art 77 GDPR in conjunction with Section 24 DPA) and the right to an effective judicial remedy (Art 78 and 79 GDPR).
8. Processing by third parties
Chile:
Under Law No. 21.719, personal data may be processed by a third party acting as a data processor (“encargado del tratamiento”) on behalf of a data controller (“responsable del tratamiento”), provided that such processing is carried out under the controller’s instructions and responsibility. The relationship must be governed by a written agreement that clearly defines the scope, purpose, and duration of the processing, as well as the obligations of the processor to ensure data security, confidentiality, and compliance with the law. The processor must not use the data for its own purposes and must return or delete the data once the processing is complete or upon the controller’s request. Subprocessing is only allowed with prior written authorization.
Montenegro:
According to the PDPL, a third party (i.e. a user of personal data) is any natural or legal person, state body, state administration body, local self-government body, local administration body or other entity exercising public authority that has the right to process personal data and is not the data subject, the original controller of the data filing system, the processor of personal data, or a person employed by the controller of the data filing system or by the processor. A data controller is obliged to inform a person if his/her data will be processed by a third party.
Under the New PDPA, the concept of “third party” remains similar. Data controllers must ensure that any third-party processor provides sufficient guarantees to implement appropriate technical and organisational measures so that processing meets the requirements of the law and ensures the protection of data subject rights.
Austria:
There are no derogations from the GDPR.
9. Transfers out of country
Chile:
Article 27 of the law establishes that, provided the requirements authorizing data processing are met, international data transfer operations are lawful in any of the following cases:
- When the transfer is made to a person, entity, or public or private organization subject to the legal system of a country that provides adequate levels of personal data protection, as determined by the APDP;
- When the transfer of data is covered by contractual clauses, binding corporate rules, or other legal instruments signed between the controller making the transfer and the controller or third-party agent receiving it, and these establish adequate safeguards; and
- When the controller making the transfer and the controller or third-party agent receiving it adopt a compliance model or certification mechanism and these establish adequate protection.
In the absence of an adequacy decision or appropriate safeguards, a specific and non-routine transfer may be made if one of the following conditions is met:
- The data subject has given express and informed consent;
- The transfer relates to specific banking, financial, or stock market operations governed by applicable sectoral laws;
- The transfer is necessary to comply with obligations arising from international treaties or agreements ratified by the Chilean State;
- The transfer is required under cooperation, information exchange, or supervision agreements signed by public bodies to carry out their functions;
- The transfer is expressly authorized by law for a specific purpose;
- The transfer is necessary for purposes of international judicial cooperation;
- The transfer is required for the conclusion or performance of a contract with the data subject; or
- The transfer is necessary for urgent medical or health-related measures, such as disease prevention or treatment, or the management of health services.
The APDP may also authorize specific transfers when sufficient guarantees are demonstrated, and it may issue recommendations, suspend transfers, or impose measures to safeguard the rights of data subjects.
Montenegro:
The Agency's approval is required for the transfer of personal data from Montenegro to a state that is not party to the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data. The Agency determines whether the requirements are met and whether safeguards are in place for the transfer of data from Montenegro.
Under the New PDPA, cross-border transfers to countries that do not ensure an adequate level of protection may also be carried out if appropriate safeguards are in place, including standard contractual clauses or binding corporate rules approved by the Agency. The Agency generally follows the adequacy framework outlined in the EU GDPR.
Austria:
Transfer to third countries is generally prohibited.
However, the GDPR foresees several mechanisms for transferring data to third countries, such as:
- Adequacy decision of the European Commission according to Art 45 GDPR (e.g. EU-U.S. Data Privacy Framework),
- Internal data protection regulations (Binding Corporate Rules) according to Art 46 GDPR,
- Standard contractual clauses (SCCs) according to Art 46 GDPR,
- Codes of conduct and certification mechanisms as transfer tools according to Art 46 GDPR,
- Data transfers on the basis of Art 28 GDPR.
For further transfer mechanisms or tools, please see Art 44 – 49 GDPR.
It should be noted that the EU-U.S. Data Privacy Framework (Art 45 GDPR) only applies partially and only covers data transfers to certain U.S. data importers. The U.S. Department of Commerce’s International Trade Administration features a comprehensive list on its website.
10. Data Protection Officer
Chile:
Not mandatory. Article 49 of the CDPL establishes that data controllers may voluntarily adopt an infringement prevention model (modelo de prevención de infracciones) consisting of a compliance program. This program must include, among other elements, the designation of a Personal Data Protection Officer (PDPO), who will be responsible for overseeing the controller’s compliance with data protection obligations.
Montenegro:
Under the PDPL, the controller of a personal data filing system is obliged, after establishing automated processing of personal data, to appoint a person responsible for the protection of personal data. A data controller with more than ten employees who process personal data must designate a person responsible for protecting personal data.
The New PDPA clarifies that a Data Protection Officer (DPO) must be appointed by all public authorities, as well as private entities whose core activities require regular and systematic monitoring of data subjects on a large scale or involve large-scale processing of special categories of data.
Austria:
Controllers and processors must appoint a Data Protection Officer if any of the following conditions apply:
- processing is carried out by a public authority or public body;
- core data processing activities consist of extensive regular and systematic monitoring;
- core data processing activities consist of processing of special categories of data on a large scale or of crime data.
Austrian ministries are obliged to appoint at least one Data Protection Officer according to Section 5 (4) DPA.
11. Security
Chile:
Under article 14 quinquies, data controllers must implement appropriate technical and organizational measures to comply with the security principle. These measures must ensure the confidentiality, integrity, availability and resilience of the data processing systems and services. They should be proportionate to the nature and volume of data processed and must prevent unauthorized access, alteration, destruction, loss, or unlawful processing.
Montenegro:
Data controllers and data processors must take all necessary technical, human resources and organisational measures to protect data in accordance with established standards and procedures in order to protect data from loss, damage, inadmissible access, modification, publication and any other abuse. These measures must also include a data confidentiality obligation for all persons who work on data processing.
The New PDPA introduces additional requirements regarding encryption, pseudonymisation, and regular testing of security measures to ensure ongoing confidentiality, integrity, availability, and resilience of processing systems.
Austria:
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:
- the pseudonymisation and encryption of personal data;
- the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and
- a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
12. Breach notification
Chile:
Under Article 14 sexies of the CDPL, data controllers must report personal data breaches to the APDP without undue delay when there is a reasonable risk to the rights and freedoms of data subjects. If the breach involves sensitive data, information about children under 14, or data related to financial or commercial obligations, controllers must also notify the affected data subjects in clear language. These obligations are without prejudice to any additional notification duties under other laws.
Montenegro:
A breach notification is not regulated by the PDPL. However, under the Law on Information Security of Montenegro, users must report computer security incidents to the competent body.
Under the New PDPA, data controllers are required to notify the Agency of a personal data breach within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where such risk is high, the affected data subjects must also be informed without undue delay.
Austria:
In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Art 55 GDPR, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.
When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the data breach to the data subject without undue delay.
If the processor becomes aware of a personal data breach, it must report this to the controller without delay.
No general additional requirements under local law apply.
To notify a data breach to the Austrian Data Protection Authority, one can either:
- Fill out the online data breach notification form (German)
- Send its PDF version via email to dsb@dsb.gv.at
- Send a print-out via letter to „Österreichische Datenschutzbehörde, Barichgasse 40-42, 1030 Wien“
Template form for the notification of the data subject (German)
13. Direct marketing
Chile:
Direct marketing is governed by Law No. 19.496 on Consumer Protection, which establishes that unsolicited commercial communications sent via email must clearly identify their commercial purpose and include a valid email address to allow recipients to opt out of future communications. Once the recipient requests to opt out, any further unsolicited emails are prohibited by law. The law is applicable to communications sent to individuals for consumer purposes.
Montenegro:
Prior informed consent of the data subject (a natural person) is required.
The New PDPA provides clearer provisions regarding direct marketing and unsolicited communications, requiring explicit and verifiable consent for electronic marketing messages.
Austria:
The GDPR and Austrian Data Protection Act (DPA 2018) apply to all marketing and advertising activities involving personal data. Personal data means any information relating to an identified or identifiable natural person (Art 4 (1) GDPR):
- This is the main legislation that marketers and ad tech companies will need to comply with regarding security measures and the notification of personal data breaches.
- Administrative fines under GDPR and DPA are imposed by the Austrian Data Protection Authority.
- Actions for damages (“Schadenersatzklagen”) and injunctions (“Unterlassungsklagen”) as well as interim injunctions (“einstweilige Verfügungen”) under GDPR and DPA are imposed by the courts.
In addition, Article 174 of Austria’s Telecommunications Act (TKG 2021), which implements the EU ePrivacy Directive 2002/58/EC, applies to specific marketing and advertising purposes - e.g. by imposing additional requirements on how organisations can carry out unsolicited direct electronic marketing.
- The Austrian Data Protection Authority enforces violations of data subject rights under TKG 2021 by issuing administrative fines up to € 50,000, since the Telecommunications Act 2021 is a lex specialis to the GDPR.
14. Cookies and adtech
Chile:
The New CDPL does not directly regulate the use of cookies or similar technologies. However, their use may still be subject to general data protection principles, such as transparency, purpose limitation and consent, particularly when cookies process personal data.
Montenegro:
Not regulated. General personal data protection rules apply.
Austria:
The TKG 2021 as lex specialis takes precedence over the GDPR regarding the use of cookies. Data subjects must be informed about the use of cookies within the meaning of Section 165 (3) TKG 2021. Austrian website operators must inform affected users comprehensively and obtain their consent. Violations could result in administrative fines up to € 50,000.
The use of cookies is only permitted:
- without consent, when it is absolutely necessary for the provider of an information society service to provide a service that has been expressly requested by the user (“technically necessary cookies”); or
- with consent, provided that:
  - the user is informed in detail in advance,
  - consent has been given before the cookies are used, and
  - the consent was given voluntarily, unambiguously and by an active act.
The Austrian Data Protection Authority provides a Q&A on cookies (German).
15. Risk scale
Low
Moderate
The intensity of regulatory obligations and enforcement can be classified as moderate in Austria.
16. Useful links
- https://www.bcn.cl/leychile/navegar?idNorma=1209272 (New Chilean Data Protection Law)
- https://www.bcn.cl/leychile/navegar?idNorma=61438 (National Consumer Law)
- https://www.bcn.cl/leychile/navegar?idNorma=242302 (Chilean Constitution)
No official code of conduct has been published yet but regulatory guidelines may be issued by the Data Protection Agency in the future.
Cybersecurity
1. Local cybersecurity laws and scope
The Cybersecurity Framework Law No. 21.663, published in April 2024, establishes a comprehensive legal and institutional framework for cybersecurity architecture. The law creates the National Cybersecurity Agency (Agencia Nacional de Ciberseguridad, ANCI), a new public authority tasked with overseeing the implementation of cybersecurity policies, issuing technical standards, coordinating incident responses and imposing sanctions.
The law aligns with international standards and applies to both public and private entities managing Critical Information Infrastructure (CII) or essential services, based on their risk exposure and strategic relevance.
In addition to Law No. 21.663, several other laws govern aspects of cybersecurity and information protection in Chile:
- Law No. 20.285 (2008) - Law on Access to Public Information
- Law No. 17.336 (2004) - Intellectual Property Law
- Law No. 19.927 (2004) - Law amending criminal codes regarding child pornography
- Law No. 19.880 (2003) - Administrative Procedure Law for acts of State administration
- Law No. 19.799 (2002) - Law on Electronic Documents, Electronic Signatures, and Certification Services
- Law No. 20.478 (2010) - Law on Recovery and Continuity in Critical and Emergency Conditions of Public Telecommunications
- Law No. 21.459 (2022) - Cybercrime Law, which modernizes the criminal legal framework for addressing digital crimes, including unauthorized access, system interference and data breaches
Law on Information Security of Montenegro (Official Gazette of Montenegro No. 113/2024) (“the Law”).
The new Law on Information Security of Montenegro, which came into force in December 2024, establishes measures and rules for the protection of information systems and networks from cyber threats. It applies to state authorities, ministries, other administrative bodies, local self-government units, legal entities exercising public authority, companies, other legal entities, and individuals who access or handle data and use or manage network and information systems. The Law covers both the public and private sectors, with specific obligations for entities designated as “key” and “important” subjects, particularly those providing services essential for the life, health and security of citizens and the functioning of the state.
Outdated: Network and Information System Security Act (“Netzwerk- und Informationssicherheitsgesetz”, “NISG 2018”), the act implementing Directive (EU) 2016/1148 (“NIS-1”) concerning measures for a high common level of security of network and information systems across the Union. The latter expired on October 17th 2024.
Austria has not yet implemented Directive (EU) 2022/2555 concerning measures for a high common level of security of network and information systems across the Union (“NIS-2”), whose transposition deadline lapsed on October 17th 2024.
A ministerial draft (Netzwerk- und Informationssicherheitsgesetz, “NISG 2024”, 4129/A) was rejected by parliament on July 4th 2024, as it did not reach the two-thirds majority required to pass the constitutional provisions it contained. This illustrates the Austrian government’s approach to NIS-2 implementation.
Until NIS-2 is implemented, there is no national law transposing the EU directive, but EU-level expectations and sectoral best practices may still influence regulatory scrutiny.
2. Anticipated changes to local laws
The full implementation of Cybersecurity Framework Law No. 21.663 depends on future regulations to be issued by the ANCI. These will cover technical standards, risk management protocols, and classification criteria for Critical Information Infrastructure (CII). Meanwhile, Decree No. 295 (2025) has already established binding rules on cybersecurity incident reporting, applicable to both public and private entities.
N/A
3. Application
The law applies to public and private entities operating CII or essential services. Applicability is based on risk and strategic relevance, not sector.
The Law applies to all entities that use or manage network and information systems, including state bodies, local government, public authorities, and private sector entities that handle data or provide services of public interest. The Law sets out obligations for these entities to implement information security measures to ensure the confidentiality, integrity, and availability of data.
The scope of NIS-2 covers 18 sectors, whereby a distinction is made between "sectors of high criticality" (Annex I NIS-2) and "other critical sectors" (Annex II NIS-2).
- Sectors of high criticality: energy, transport, banking and financial market infrastructures, healthcare, water (enterprises related to the water cycle), digital infrastructure and space.
- Other critical sectors: postal and courier services; waste management; manufacture, production and distribution of chemicals; production, processing and distribution of food; certain types of manufacturing; digital providers; research.
Small enterprises fulfilling specific criteria could fall under NIS-2, for example through listed exceptions or by being part of the supply chain of an affected enterprise (Preamble 7 NIS-2, § 26 NISG 2024).
There further exists a distinction between:
- Essential entities: large enterprises of the “sectors of high criticality” and enterprises providing a certain service (e.g. top-level domain name registries) (Art 3 (1) NIS-2)
- Important entities: medium enterprises of the “sectors of high criticality”; large and medium enterprises of the “other critical sectors” (Art 3 (2) NIS-2)
4. Authority
National Cybersecurity Agency (ANCI)
- Ministry responsible for information society and e-government: Oversees state administration cybersecurity and acts as the national contact point.
- CIRT for State Administration: Handles incident response for state bodies.
- Cybersecurity Agency: Responsible for cybersecurity of all other key and important entities, conducts professional oversight, and enforces compliance.
- Council for Information Security: Advisory body for monitoring and improving information security.
Cyber Security Authority („Cybersicherheitsbehörde“)
Federal Minister of the Interior
Cyber Security Coordination Group („Cyber Sicherheit Steuerungsgruppe“ – CSS)
Federal Ministry of the Interior
5. Key obligations
Obligations for agencies subject to the law:
- Implementation of technical and organizational measures. Obligated organizations must implement a cybersecurity management system that includes: i) Information security policies; ii) Periodic risk assessments; iii) Technical and operational controls; iv) Vulnerability management; and v) Digital supply chain protection.
- Incident reporting: One of the core obligations is the mandatory reporting of cybersecurity incidents to the National CSIRT.
- Continuity and recovery plans: Entities must have documented and updated plans in place to: i) Ensure operational continuity in the event of disruptive events; ii) Restore services in a secure and orderly manner; and iii) Assess damage and prevent the incident from recurring.
- Audits and monitoring: Entities will be subject to periodic technical audits.
- Training and awareness: All organizations must regularly train their staff in cybersecurity, best practices, incident management and the safe use of information systems.
- Implementation of Security Measures: All entities must implement measures to ensure confidentiality, integrity, and availability of data, including physical, technical, and organizational safeguards.
- Risk Management: Key and important entities must conduct risk analyses, adopt incident response rules, business continuity plans, supply chain security policies, and apply cryptographic protection where necessary.
- Certification: Key entities must obtain and maintain certification under the Montenegrin standard for information security management (MEST ISO/IEC 27001) and undergo periodic compliance checks.
- Designation of Responsible Person: All entities must appoint a person responsible for monitoring the implementation of information security measures.
- Incident Reporting: Entities must assess the impact of cyber threats and incidents. If an incident could significantly affect service continuity, it must be reported to the Cybersecurity Agency (or CIRT for state bodies) within 24 hours. Ongoing and final reports are also required.
- Data Protection: Personal data must be processed in accordance with data protection laws.
Enterprises falling within the scope of NIS-2 must ensure the necessary risk management measures for their entire organisation, rather than just for essential services:
- Cybersecurity risk management measures (Art 21 NIS-2) are wide-ranging and include, among other things:
  - ensuring business continuity through backup and crisis management measures
  - measures to ensure the security of supply chains
  - the use of secure voice, video and text communication
  - the use of cryptography and encryption technology
- Governance obligations (Art 20 NIS-2): the management bodies of entities are responsible for the implementation of cybersecurity measures and must attend cybersecurity training courses.
- Incident reporting obligations (Art 23 NIS-2): tiered notification system.
  - Initial notification (“early warning”) without undue delay and within 24 hours of becoming aware of the significant incident
  - Initial assessment (“incident notification”) within 72 hours, including severity and impact
  - Final report not later than one month after the incident notification, including a detailed description, the type of threat, mitigation measures and cross-border impact (if applicable)
6. Sanctions & non-compliance
The law provides a graduated penalty system for non-compliance, with fines of up to 40,000 UTM depending on the severity of the infringement (minor, serious, or very serious). Enforcement will be led by the ANCI, including its power to supervise, classify and sanction entities subject to the law.
7. Is there a national computer emergency response team (CERT) or computer security incident response team (CSIRT)?
Chile has a national Computer Security Incident Response Team (CSIRT), officially known as the CSIRT of the Government of Chile (CSIRT Nacional).
As of April 2024, the National CSIRT operates under the newly created National Cybersecurity Agency, established by Law No. 21.663.
It serves public institutions and plays a coordinating role for national and international cybersecurity incidents.
Its core functions include:
- Monitoring cyber threats nationwide.
- Coordinating responses to incidents affecting public services and critical infrastructure.
- Collaborating with sector-specific CSIRTs (defense, finance, energy, etc.).
- Issuing alerts, vulnerability reports, and technical guidelines.
- Sharing threat intelligence with international networks.
Montenegro has a national CERT/CSIRT structure composed of the CIRT for state administration (handling incidents for government bodies) and the Cybersecurity Agency (handling incidents for all other key and important entities). These bodies are mandated by law to coordinate incident response, ensure compliance, and represent Montenegro in international cybersecurity matters, ensuring a unified and effective national response to cyber threats and incidents.
The NIS framework provides for a national computer emergency team to be set up to ensure the security of network and information systems. §§ 14, 15 NISG 2018 already provided for National Computer Emergency Teams, Sector-Specific Computer Emergency Teams and a Public Administration Computer Emergency Team (GovCERT). GovCERT is to assist public administration bodies in managing risks, incidents and security incidents.
The competences, requirements and supervision of these already established CERTs would have been further set out in §§ 8–11 NISG 2024.
8. National cybersecurity incident management structure
The National CSIRT forms part of a centralized structure, coordinated by the ANCI, responsible for incident response, oversight, and strategic coordination across sectors.
- Incident Classification: Incidents are classified as low, medium, or high impact, with escalating reporting and response requirements.
- Sectors Covered: The Law defines key and important entities across sectors such as energy, transport, banking, health, water, digital infrastructure, public administration, and more.
- Crisis Management: In case of a major cyber crisis, the Ministry, with the Agency, can propose that the government declare a cyber crisis, triggering coordinated national response measures.
The reporting of security incidents to the CSIRT is clearly structured under NIS-2 (Art 23 (3) NIS-2, § 34 (2) NISG 2024):
- Early warning (within 24 hours): Entities must submit an early warning to the CSIRT or, where applicable, the competent authority within 24 hours of becoming aware of a significant incident. This warning should indicate, if relevant, whether the incident may be due to unlawful or malicious acts and whether it could have a cross-border impact.
- Incident notification (within 72 hours): A full incident notification must follow within 72 hours of detecting the incident. This notification should update the earlier warning and provide an initial assessment of the incident’s severity and impact. Where possible, it should also include available indicators of compromise.
- Intermediate report (upon request): Upon request by the CSIRT or competent authority, entities must provide an intermediate report with relevant updates on the status of the incident and response measures.
- Final report (within 1 month): A final report must be submitted no later than one month after the initial incident notification. It should include a detailed description of the incident (including its severity and impact), the likely root cause or type of threat, mitigation measures taken or ongoing, and, where applicable, the cross-border impact.
The involved CSIRT then has to forward this information to the Cyber Security Agency (Art 13 (3) NIS-2, § 34 (1) NISG 2024).
- A security incident can be notified using the online portal of CERT.at.
- Further reports (not NIS-related) can also be made by e-mail to CERT.at at reports@cert.at; the report should include the information set out in the following form.
- Further information on the recommended encryption and other measures is available on the following website:
- A security incident involving the energy sector can be notified using the online portal of AEC.
9. Other cybersecurity initiatives
No.
- Awareness and Training: The Agency is tasked with organizing training for employees, raising public awareness, and collaborating with domestic and international partners.
- Sectoral and Central Registers: The Law mandates the creation of sectoral and consolidated registers of key and important entities, with strict confidentiality requirements.
The “Cyber Security Platform” (CSP) is the central Austrian platform for cooperation between the private and public sectors on cybersecurity issues, with the close involvement of operators of critical infrastructure. It holds a plenary meeting once or twice a year and formulates recommendations in working groups. The Federal Chancellery of Austria runs the secretariat.
The “Austrian Handbook on Information Security” provides a broad overview of recognised information security standards based on common international standards such as ISO/IEC 27000. It serves to implement comprehensive security concepts in public administration and the private sector.
10. Useful links
New Cybercrime Law Status:
- Directive (EU) 2022/2555 on measures for a high common level of cybersecurity across the Union (“NIS-2”)
- General information about NIS-2 (German)
- Computer Emergency Response Team Austria:
- CERT’s template for security incident notification (Sicherheitsvorfallsbericht) (German)
- NIS Incident Reporting System
- Austrian Information Security Management Handbook (German)
- Federal Chancellery’s annual Cybersecurity Report (last version 2021)