CMS Expert Guide: Data Law Navigator
Compare data protection and cybersecurity laws across more than 40 jurisdictions
Data protection
- 1. Local data protection laws and scope
- 2. Data protection authority
- 3. Anticipated changes to local laws
- 4. Sanctions & non-compliance
- Administrative sanctions:
- Criminal sanctions:
- Others:
- 5. Registration / notification / authorisation
- 6. Main obligations and processing requirements
- 7. Data subject rights
- 8. Processing by third parties
- 9. Transfers out of country
- 10. Data Protection Officer
- 11. Security
- 12. Breach notification
- 13. Direct marketing
- 14. Cookies and adtech
- 15. Risk scale
- 16. Useful links
Cybersecurity
- 1. Local cybersecurity laws and scope
- 2. Anticipated changes to local laws
- 3. Application
- 4. Authority
- 5. Key obligations
- 6. Sanctions & non-compliance
- Administrative sanctions:
- Criminal sanctions:
- Others:
- 7. Is there a national computer emergency response team (CERT) or computer security incident response team (CSIRT)?
- 8. National cybersecurity incident management structure
- 9. Other cybersecurity initiatives
- 10. Useful links
Jurisdictions shown on this page: Austria and Montenegro.
Data protection
1. Local data protection laws and scope
Montenegro:
The Personal Data Protection Law (Official Gazette of Montenegro Nos. 79/2008, 70/2009, 44/2012, 22/2017 and 77/2024) ("the PDPL").
On 1 March 2023, the National Assembly of Montenegro adopted a new Personal Data Protection Act ("New PDPA"), which entered into force on 1 July 2023 and replaced the previous PDPL. The New PDPA is broadly aligned with the EU General Data Protection Regulation (GDPR) and introduces stricter requirements for data controllers and processors, including enhanced data subject rights, new data breach notification obligations and higher penalties for non-compliance.
As of the date of this entry, however, Montenegro's PDPL as originally adopted in 2008 (Official Gazette Nos. 79/08, 70/09, 44/12, 22/17) remains in force, with only one minor amendment introduced in August 2024 (Official Gazette No. 77/2024).
Austria:
- General Data Protection Regulation (GDPR)
- Austrian Data Protection Act 2018 (DPA)
- Austrian Telecommunications Act 2021 (Telekommunikationsgesetz 2021) (TKG 2021)
- Health Telematics Act 2012 (Gesundheitstelematikgesetz 2012) (GTelG 2012)
- Regulation of the Austrian Data Protection Authority on processing operations for which a Data Protection Impact Assessment is to be carried out (Federal Law Gazette II No. 278/2018)
- Regulation of the Austrian Data Protection Authority on exemptions from the requirement to carry out a Data Protection Impact Assessment (Federal Law Gazette II No. 108/2018)
- Regulation of the Austrian Data Protection Authority on the requirements for accreditation of a monitoring body pursuant to Art 41 (1) GDPR (Federal Law Gazette II No. 264/2019)
- Regulation of the Austrian Data Protection Authority on the requirements for the accreditation of a certification body pursuant to Art 43 (2) GDPR (Federal Law Gazette II No. 79/2021)
2. Data protection authority
Montenegro:
Agency for Personal Data Protection and Free Access to Information ("the Agency").
Under the New PDPA, the Agency has gained administrative enforcement powers: it can now impose administrative fines for breaches of the New PDPA without recourse to criminal or misdemeanour proceedings.
Austria:
Austrian Data Protection Authority: https://www.dsb.gv.at
3. Anticipated changes to local laws
Montenegro:
Changes to the PDPL are anticipated soon; first drafts of the law are already being negotiated.
The new law entered into force on 1 July 2023, as noted above, and no further major legislative changes in personal data protection are currently expected before 2026.
Austria:
The "media privilege" under § 9 (1) DPA, which generally exempted the media from the data protection principles, was repealed by the Constitutional Court. With effect from 1 July 2024, the legislator enacted a revised version through the Data Protection Act Amendment (4031/A) to replace it. Media companies must now ensure that their data processing for journalistic purposes meets the general criteria, although they remain entitled to limited exceptions tailored to their public-interest functions (e.g. investigative journalism, protection of sources).
4. Sanctions & non-compliance
Austria:
Sanctions are primarily laid down in the GDPR.
Administrative sanctions:
Montenegro:
N/A
Austria:
- The Austrian Data Protection Authority may impose administrative fines of up to € 50,000 for non-compliance with the DPA. Fines under the DPA are imposed only where the conduct does not also constitute an offence under Art 83 GDPR ("catch-all clause").
Fines may be imposed on legal persons
- because of an executive's violation; or
- for monitoring or control failures.
A legal person is responsible for a breach if its executive fails to comply with supervisory duties or fails to put in place organisational measures, thereby enabling an employee to commit the offence. Moreover, fines may be imposed on responsible persons in accordance with Section 9 of the Administrative Penal Act 1991 (Verwaltungsstrafgesetz 1991).
Criminal sanctions:
Montenegro:
The Agency does not have any enforcement powers; sanctions can only be imposed by a judge (in criminal or misdemeanour proceedings). The fines for misdemeanours range from EUR 500 to EUR 20,000 for a legal entity, from EUR 150 to EUR 2,000 for the responsible person within the legal entity, and from EUR 150 to EUR 6,000 for an entrepreneur, per offence.
Criminal offences involving the unauthorised collection and use of personal data carry a penalty of a monetary fine or imprisonment for up to one year.
Austria:
Under Section 63 DPA, processing personal data with the intention of making a profit or of causing harm is a criminal offence, punishable by imprisonment of up to one year or a fine of up to 720 daily rates.
Others:
Montenegro:
- Reputational risk;
- Reimbursement of the potential damages (material and non-material).
Under the New PDPA, the Agency can impose administrative fines ranging from EUR 2,000 to EUR 50,000 on legal entities, while responsible individuals may be fined between EUR 500 and EUR 5,000. Criminal liability remains possible for serious offences involving the unauthorised collection or misuse of personal data.
Austria:
Failure to comply with the GDPR and/or the DPA may further result in complaints, official audits and/or orders by the Data Protection Authority, administrative fines, seizure of equipment or data, civil actions (e.g. under the GDPR an affected data subject may sue for compensation for material and non-material damage before the Austrian civil courts) and/or criminal proceedings (e.g. under Section 118a et seq. of the Austrian Criminal Code).
5. Registration / notification / authorisation
Montenegro:
Setting up a personal data filing system is subject to notification. After setting up a data filing system, the data controller must appoint a person responsible for the protection of personal data if it employs more than ten people who process personal data.
Under the New PDPA, registration and notification requirements have largely been replaced by an accountability-based approach, whereby data controllers must be able to demonstrate compliance with all data processing principles. The obligation to appoint a data protection officer remains, however, where the controller employs more than ten people or where its processing activities pose heightened risks to data subjects.
Austria:
Art 37 (7) GDPR requires the controller or processor to publish the contact details of the designated data protection officer and to communicate them to the Austrian Data Protection Authority.
6. Main obligations and processing requirements
Montenegro:
- Information requirement;
- Consent requirement, unless the processing is required by law;
- Notification requirement.
Under the New PDPA, data controllers and processors must also implement data protection by design and by default, conduct data protection impact assessments for high-risk processing, and maintain detailed records of processing activities.
7. Data subject rights
Montenegro:
Data subjects have the right to:
- be informed in connection with the data processing
- access data relating to them;
- request that the data be corrected, modified, updated or deleted;
- request a stay and suspension of processing;
- have the data processing stayed or suspended if they have challenged the correctness, completeness and accuracy of the data.
The New PDPA introduces the right to data portability, aligning Montenegro’s legislation more closely with the GDPR. Data subjects are now entitled to receive their personal data in a structured, commonly used, and machine-readable format, and to transmit those data to another controller if technically feasible.
Austria:
Chapter III GDPR expressly provides for the following data subject rights:
- Right of access by the data subject (Art 15 GDPR),
- Right to rectification (Art 16 GDPR),
- Right to erasure (Art 17 GDPR),
- Right to restriction of processing (Art 18 GDPR),
- Right to data portability (Art 20 GDPR),
- Right to object (Art 21 GDPR),
- Right not to be subject to a decision based solely on automated processing, including profiling (Art 22 GDPR).
The GDPR provides for additional data subject rights, such as the right to be informed (Art 13 and 14 GDPR), the right to lodge a complaint with the Austrian Data Protection Authority (Art 77 GDPR in conjunction with Section 24 DPA) and the right to an effective judicial remedy (Art 78 and 79 GDPR).
8. Processing by third parties
Montenegro:
According to the PDPL, a third party (i.e. a user of personal data) is any natural or legal person, state body, state administration body, local self-government body, local administration body or other entity exercising public authority which has the right to process personal data and is not the data subject, the original controller of the data filing system, the processor, or a person employed by the controller or the processor. A data controller is obliged to inform a person if his or her data will be processed by a third party.
Under the New PDPA, the concept of "third party" remains similar. Data controllers must ensure that any third-party processor provides sufficient guarantees to implement appropriate technical and organisational measures so that the processing meets the requirements of the law and protects the rights of data subjects.
Austria:
There are no derogations from the GDPR.
9. Transfers out of country
Montenegro:
The Agency's approval is required for the transfer of personal data from Montenegro to a state that is not a party to the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data. The Agency determines whether the requirements are met and whether safeguards are in place for the transfer of data from Montenegro.
Under the New PDPA, cross-border transfers to countries that do not ensure an adequate level of protection may also be carried out if appropriate safeguards are in place, including standard contractual clauses or binding corporate rules approved by the Agency. The Agency generally follows the adequacy framework outlined in the EU GDPR.
Austria:
Transfers to third countries are generally prohibited.
However, the GDPR provides several mechanisms for transferring data to third countries, such as:
- an adequacy decision of the European Commission under Art 45 GDPR (e.g. the EU-U.S. Data Privacy Framework),
- Binding Corporate Rules under Art 46 GDPR,
- Standard Contractual Clauses (SCCs) under Art 46 GDPR,
- codes of conduct and certification mechanisms as transfer tools under Art 46 GDPR,
- data transfers on the basis of Art 28 GDPR.
For further transfer mechanisms and tools, see Art 44 to 49 GDPR.
Note that the EU-U.S. Data Privacy Framework (Art 45 GDPR) covers only transfers to U.S. data importers that have self-certified under the framework. The U.S. Department of Commerce's International Trade Administration maintains the list of participating organisations on its website.
10. Data Protection Officer
Montenegro:
The controller of a personal data collection is obliged, after establishing an automated personal data collection, to appoint a person responsible for the protection of personal data. A data controller with more than ten employees who process personal data must designate such a person.
The New PDPA clarifies that a Data Protection Officer (DPO) must be appointed by all public authorities, as well as private entities whose core activities require regular and systematic monitoring of data subjects on a large scale or involve large-scale processing of special categories of data.
Austria:
Controllers and processors must appoint a Data Protection Officer if any of the following conditions applies (Art 37 (1) GDPR):
- the processing is carried out by a public authority or public body;
- the core processing activities consist of extensive regular and systematic monitoring of data subjects;
- the core processing activities consist of large-scale processing of special categories of data or of data relating to criminal convictions and offences.
Austrian ministries are obliged to appoint at least one Data Protection Officer according to Section 5 (4) DPA.
11. Security
Montenegro:
Data controllers and data processors must take all necessary technical, human-resource and organisational measures to protect data in accordance with established standards and procedures, in order to protect the data from loss, damage, inadmissible access, modification, publication and any other abuse. These measures must also include a confidentiality obligation for all persons who work on data processing.
The New PDPA introduces additional requirements regarding encryption, pseudonymisation, and regular testing of security measures to ensure ongoing confidentiality, integrity, availability, and resilience of processing systems.
Austria:
Under Art 32 (1) GDPR, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:
- the pseudonymisation and encryption of personal data;
- the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and
- a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
12. Breach notification
Montenegro:
Breach notification is not regulated by the PDPL. However, under the Law on Information Security of Montenegro, users must report computer security incidents to the competent body.
Under the New PDPA, data controllers are required to notify the Agency of a personal data breach within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where such risk is high, the affected data subjects must also be informed without undue delay.
Austria:
In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Art 55 GDPR, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay (Art 33 (1) GDPR).
When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the breach to the data subject without undue delay (Art 34 GDPR).
A processor that becomes aware of a personal data breach must notify the controller without undue delay (Art 33 (2) GDPR).
No general additional requirements apply under local law.
To notify a data breach to the Austrian Data Protection Authority, one can either:
- fill out the online data breach notification form (German),
- send its PDF version by e-mail to dsb@dsb.gv.at, or
- send a print-out by letter to "Österreichische Datenschutzbehörde, Barichgasse 40-42, 1030 Wien".
A template form for the notification of data subjects is also available (German).
13. Direct marketing
Montenegro:
Prior informed consent of the data subject (a natural person) is required.
The New PDPA provides clearer provisions regarding direct marketing and unsolicited communications, requiring explicit and verifiable consent for electronic marketing messages.
Austria:
The GDPR and the Austrian Data Protection Act 2018 (DPA) apply to all marketing and advertising activities involving personal data. Personal data means any information relating to an identified or identifiable natural person (Art 4 (1) GDPR):
- This is the main legislation with which marketers and adtech companies need to comply regarding security measures and the notification of personal data breaches.
- Administrative fines under the GDPR and the DPA are imposed by the Austrian Data Protection Authority.
- Actions for damages ("Schadenersatzklagen"), injunctions ("Unterlassungsklagen") and interim injunctions ("einstweilige Verfügungen") under the GDPR and the DPA are decided by the courts.
In addition, Section 174 of the Austrian Telecommunications Act 2021 (TKG 2021), which implements the EU ePrivacy Directive 2002/58/EC, applies to specific marketing and advertising purposes, e.g. by imposing additional requirements on how organisations may carry out unsolicited direct electronic marketing.
- Since the TKG 2021 is a lex specialis to the GDPR, violations of data subject rights under the TKG 2021 are enforced by the Austrian Data Protection Authority through administrative fines of up to € 50,000.
14. Cookies and adtech
Montenegro:
Not regulated; the general personal data protection rules apply.
Austria:
The TKG 2021, as lex specialis, takes precedence over the GDPR regarding the use of cookies. Data subjects must be informed about the use of cookies within the meaning of Section 165 (3) TKG 2021. Austrian website operators must inform affected users comprehensively and obtain their consent. Violations can result in administrative fines of up to € 50,000.
The use of cookies is permitted only:
- without consent, where it is strictly necessary for the provider of an information society service to provide a service expressly requested by the user ("technically necessary cookies"); or
- with consent, where the user has been informed in detail in advance, the consent was given before the cookies are set, and the consent was given freely, unambiguously and by an active act.
The Austrian Data Protection Authority provides a Q&A on cookies (German).
15. Risk scale
Montenegro:
Moderate
Austria:
Moderate: the intensity of regulatory obligations and enforcement in Austria can be classified as moderate.
16. Useful links
Cybersecurity
1. Local cybersecurity laws and scope
Montenegro:
Law on Information Security of Montenegro (Official Gazette of Montenegro No. 113/2024) ("the Law").
The new Law on Information Security of Montenegro (in force since December 2024) establishes measures and rules for the protection of information systems and networks from cyber threats. It applies to state authorities, ministries, other administrative bodies, local self-government units, legal entities exercising public authority, companies, other legal entities, and individuals who access or handle data and use or manage network and information systems. The Law covers both the public and the private sector, with specific obligations for entities designated as "key" and "important" subjects, particularly those providing services essential for the life, health and security of citizens and for the functioning of the state.
Austria:
Outdated: the Network and Information System Security Act ("Netzwerk- und Informationssicherheitsgesetz", "NISG 2018"), the implementing act for Directive (EU) 2016/1148 ("NIS-1") concerning measures for a high common level of security of network and information systems across the Union. NIS-1 was repealed with effect from 18 October 2024.
Austria has not yet implemented Directive (EU) 2022/2555 concerning measures for a high common level of cybersecurity across the Union ("NIS-2"), whose transposition deadline lapsed on 17 October 2024.
A ministerial draft (Netzwerk- und Informationssicherheitsgesetz, "NISG 2024", 4129/A) was rejected by parliament on 4 July 2024 because it did not reach the two-thirds majority required for the constitutional provisions it contained. This illustrates the current state of Austria's NIS-2 implementation.
Until NIS-2 is implemented, there is no national law transposing the directive, but EU-level expectations and sectoral best practices may still influence regulatory scrutiny.
2. Anticipated changes to local laws
N/A
3. Application
Montenegro:
The Law applies to all entities that use or manage network and information systems, including state bodies, local government, public authorities and private sector entities that handle data or provide services of public interest. It sets out obligations for these entities to implement information security measures ensuring the confidentiality, integrity and availability of data.
Austria:
NIS-2 covers 18 sectors, distinguishing between "sectors of high criticality" (Annex I NIS-2) and "other critical sectors" (Annex II NIS-2).
- Sectors of high criticality: energy, transport, banking and financial market infrastructures, health, water (drinking water and waste water), digital infrastructure and space.
- Other critical sectors: postal and courier services; waste management; manufacture, production and distribution of chemicals; production, processing and distribution of food; certain types of manufacturing; digital providers; research.
Small enterprises meeting specific criteria may also fall under NIS-2, for example through the listed exceptions or by being part of the supply chain of an in-scope enterprise (Recital 7 NIS-2, § 26 NISG 2024).
NIS-2 further distinguishes between:
- Essential entities: large enterprises in the "sectors of high criticality" and enterprises providing certain services (e.g. top-level domain name registries) (Art 3 (1) NIS-2)
- Important entities: medium enterprises in the "sectors of high criticality"; large and medium enterprises in the "other critical sectors" (Art 3 (2) NIS-2)
4. Authority
Montenegro:
- Ministry responsible for the information society and e-government: oversees state administration cybersecurity and acts as the national contact point.
- CIRT for State Administration: Handles incident response for state bodies.
- Cybersecurity Agency: Responsible for cybersecurity of all other key and important entities, conducts professional oversight, and enforces compliance.
- Council for Information Security: Advisory body for monitoring and improving information security.
Austria:
- Cyber Security Authority ("Cybersicherheitsbehörde"): Federal Minister of the Interior
- Cyber Security Coordination Group ("Cyber Sicherheit Steuerungsgruppe", CSS): Federal Ministry of the Interior
5. Key obligations
Montenegro:
- Implementation of security measures: all entities must implement measures to ensure the confidentiality, integrity and availability of data, including physical, technical and organisational safeguards.
- Risk management: key and important entities must conduct risk analyses, adopt incident response rules, business continuity plans and supply chain security policies, and apply cryptographic protection where necessary.
- Certification: key entities must obtain and maintain certification under the Montenegrin standard for information security management (MEST ISO/IEC 27001) and undergo periodic compliance checks.
- Designation of a responsible person: all entities must appoint a person responsible for monitoring the implementation of information security measures.
- Incident reporting: entities must assess the impact of cyber threats and incidents. If an incident could significantly affect service continuity, it must be reported to the Cybersecurity Agency (or to the CIRT in the case of state bodies) within 24 hours. Ongoing and final reports are also required.
- Data protection: personal data must be processed in accordance with data protection laws.
Austria:
Enterprises falling within the scope of NIS-2 must implement the necessary risk management measures across their entire organisation, not just for the essential services:
- Cybersecurity risk management measures (Art 21 NIS-2) are wide-ranging and include, among other things:
  - ensuring business continuity through backup and crisis management measures
  - measures to ensure the security of supply chains
  - the use of secure voice, video and text communication
  - the use of cryptography and encryption technology
- Governance obligations (Art 20 NIS-2): the management bodies of entities are responsible for the implementation of cybersecurity measures and must attend cybersecurity training.
- Incident reporting obligations (Art 23 NIS-2): tiered notification system.
  - Initial notification ("early warning") without undue delay and within 24 hours of becoming aware of a significant incident
  - Initial assessment ("incident notification") within 72 hours, including severity and impact
  - Final report not later than one month after the incident notification, including a detailed description, the type of threat, mitigation measures and cross-border impact (if applicable)
6. Sanctions & non-compliance
Administrative sanctions:
Montenegro:
The Law introduces significant administrative fines for non-compliance:
- Key entities: EUR 500 to EUR 20,000
- Important entities: EUR 500 to EUR 10,000
- Other entities: EUR 500 to EUR 5,000
- Responsible individuals: EUR 30 to EUR 1,500
- Repeat violations may result in a ban from performing certain activities for 3 to 6 months.
Austria:
The (now outdated) § 26 (1) NISG 2018 punishes offences with a fine of up to €50,000, or up to €100,000 in the case of a repeat offence.
NIS-2 substantially increased these scales (Art 34 NIS-2). The NISG 2024 draft would have distinguished between essential and important entities:
- Essential entities could be fined up to €10,000,000 or up to 2% of the total worldwide annual turnover in the preceding financial year, whichever is higher
- Important entities could be fined up to €7,000,000 or up to 1.4% of the total worldwide annual turnover in the preceding financial year, whichever is higher (§ 45 NISG 2024)
The Austrian Data Protection Authority retains jurisdiction to impose fines for personal data breaches under the GDPR, while the NIS authorities retain the power to order additional cybersecurity-specific measures. The NISG 2024 draft also provided for cooperation mechanisms between these authorities to avoid contradictory legal obligations for affected entities (§ 21 NISG 2024).
Criminal sanctions:
Montenegro:
The CIRT does not have any enforcement powers; sanctions can only be imposed by a judge in criminal proceedings. The Criminal Code of Montenegro (Official Gazette of Montenegro Nos. 70/2003, 13/2004, 3/2020, 26/2021, 144/2021, 145/2021, 110/2023, 123/2024) ("the Code") provides the legal framework for sanctioning criminal offences against the security of computer data. The relevant offences are:
- Damaging computer data and programmes (Article 349 of the Code), punishable by a monetary fine or imprisonment of up to five years;
- Computer sabotage (Article 350 of the Code), punishable by a monetary fine or imprisonment of up to eight years;
- Producing and introducing computer viruses (Article 351 of the Code), punishable by a monetary fine or imprisonment of up to two years;
- Computer fraud (Article 352 of the Code), punishable by a monetary fine or imprisonment of up to 12 years;
- Unauthorised use of a computer or computer network (Article 353 of the Code), punishable by a monetary fine or imprisonment of up to five years;
- Disturbing electronic processing, data transfer and computer network functioning (Article 354 of the Code), punishable by a monetary fine or imprisonment of up to three years.
Austria:
Not regulated in the NISG 2024.
Others:
- Reputational risk;
- Reimbursement of the potential damages (material and non-material).
7. Is there a national computer emergency response team (CERT) or computer security incident response team (CSIRT)?
Montenegro:
Montenegro has a national CERT/CSIRT structure composed of the CIRT for state administration (handling incidents for government bodies) and the Cybersecurity Agency (handling incidents for all other key and important entities). These bodies are mandated by law to coordinate incident response, ensure compliance and represent Montenegro in international cybersecurity matters, providing a unified national response to cyber threats and incidents.
Austria:
The NIS framework provides for national computer emergency response teams to ensure the security of network and information systems. §§ 14 and 15 NISG 2018 already established national computer emergency response teams, sector-specific computer emergency response teams and a public administration computer emergency response team (GovCERT). GovCERT assists public administration bodies in managing risks, incidents and security incidents.
The competences, requirements and supervision of these existing CERTs would have been further set out in §§ 8 to 11 NISG 2024.
8. National cybersecurity incident management structure
Montenegro:
- Incident classification: incidents are classified as low, medium or high impact, with escalating reporting and response requirements.
- Sectors Covered: The Law defines key and important entities across sectors such as energy, transport, banking, health, water, digital infrastructure, public administration, and more.
- Crisis Management: In case of a major cyber crisis, the Ministry, with the Agency, can propose that the government declare a cyber crisis, triggering coordinated national response measures.
Austria:
The reporting of significant incidents to the CSIRT is clearly structured under NIS-2 (Art 23 (3) and (4) NIS-2, § 34 (2) NISG 2024):
- Early warning (within 24 hours): entities must submit an early warning to the CSIRT or, where applicable, the competent authority within 24 hours of becoming aware of a significant incident. Where relevant, it should indicate whether the incident is suspected of being caused by unlawful or malicious acts and whether it could have a cross-border impact.
- Incident notification (within 72 hours): a full incident notification must follow within 72 hours of becoming aware of the incident. It should update the early warning and provide an initial assessment of the incident's severity and impact and, where available, the indicators of compromise.
- Intermediate report (upon request): upon request by the CSIRT or the competent authority, entities must provide an intermediate report with relevant status updates on the incident and the response measures.
- Final report (within one month): a final report must be submitted no later than one month after the incident notification. It should include a detailed description of the incident (including its severity and impact), the type of threat or root cause likely to have triggered it, the mitigation measures applied and ongoing, and, where applicable, the cross-border impact.
The CSIRT then forwards this information to the Cyber Security Authority (Art 13 (3) NIS-2, § 34 (1) NISG 2024).
- A security incident can be notified via the online portal of CERT.at.
- Further (non-NIS) reports can also be sent by e-mail to CERT.at at reports@cert.at; the report should include the information set out in CERT.at's incident notification form.
- Further information on the recommended encryption and other measures is available on this website.
- A security incident in the energy sector can be notified via the online portal of AEC.
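The tiered deadlines above, together with the 24/72-hour tiers under section 5 (Art 23 NIS-2) and the 72-hour Art 33 GDPR deadline in the data protection breach notification section, are the kind of thing an incident response team codifies so that nobody computes them by hand during an incident. The following Python module is an added example, not code from the CMS guide or from any authority: it derives each stage's due time from the moment of awareness and classifies every report as open, overdue, on time or late. The incident reference, timestamps and report log are constructed for the example, and treating a not-yet-filed incident notification as filed at its own deadline when computing the final-report date is an assumption made here, not a rule in the directive.

```python
"""Tiered incident-notification deadline tracker (added example).

Stages modelled, counted from the moment the entity became aware:
  early_warning           24 h                          Art 23 (4)(a) NIS-2
  incident_notification   72 h                          Art 23 (4)(b) NIS-2
  final_report            1 month after the notification Art 23 (4)(d) NIS-2
  gdpr_art33              72 h, only if personal data   Art 33 (1) GDPR
"""
import calendar
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

EARLY_WARNING = timedelta(hours=24)
INCIDENT_NOTIFICATION = timedelta(hours=72)
GDPR_BREACH = timedelta(hours=72)
UTC = timezone.utc


def _require_aware(ts: datetime) -> datetime:
    """Reject naive timestamps: deadline arithmetic on them silently drifts
    across time zones and daylight-saving changes."""
    if ts.tzinfo is None or ts.utcoffset() is None:
        raise ValueError(f"timestamp {ts!r} must be timezone-aware")
    return ts


def one_month_after(ts: datetime) -> datetime:
    """Same calendar day in the following month, clamped to that month's last
    day (31 Jan -> 28/29 Feb). A calendar month, not a fixed 30 days."""
    year, month = (ts.year + 1, 1) if ts.month == 12 else (ts.year, ts.month + 1)
    day = min(ts.day, calendar.monthrange(year, month)[1])
    return ts.replace(year=year, month=month, day=day)


@dataclass
class Stage:
    name: str
    due: datetime
    submitted: Optional[datetime] = None

    def status(self, now: datetime) -> str:
        """'on time' / 'late' once filed, otherwise 'open' / 'overdue'."""
        if self.submitted is not None:
            return "late" if self.submitted > self.due else "on time"
        return "overdue" if now > self.due else "open"


@dataclass
class Incident:
    ref: str
    aware_at: datetime                 # moment the entity became aware
    personal_data: bool = False        # also a personal data breach (GDPR)?
    submitted: dict = field(default_factory=dict)  # stage name -> filing time

    def stages(self) -> list:
        t0 = _require_aware(self.aware_at)
        filed = {k: _require_aware(v) for k, v in self.submitted.items()}
        notif_due = t0 + INCIDENT_NOTIFICATION
        # The final report runs from the incident notification, not from
        # awareness. Assumption for this example: while the notification is
        # still unfiled, use its own deadline as the reference point.
        final_due = one_month_after(filed.get("incident_notification", notif_due))
        stages = [
            Stage("early_warning", t0 + EARLY_WARNING, filed.get("early_warning")),
            Stage("incident_notification", notif_due, filed.get("incident_notification")),
            Stage("final_report", final_due, filed.get("final_report")),
        ]
        if self.personal_data:
            stages.append(Stage("gdpr_art33", t0 + GDPR_BREACH, filed.get("gdpr_art33")))
        return stages

    def gdpr_delay_reason_required(self) -> bool:
        """Art 33 (1) GDPR: a notification made after 72 h must be accompanied
        by the reasons for the delay."""
        if not self.personal_data or "gdpr_art33" not in self.submitted:
            return False
        due = _require_aware(self.aware_at) + GDPR_BREACH
        return _require_aware(self.submitted["gdpr_art33"]) > due


def report(incident: Incident, now: datetime) -> dict:
    """Map each stage name to its status as of `now`."""
    now = _require_aware(now)
    return {stage.name: stage.status(now) for stage in incident.stages()}


# Constructed scenario (not a real incident): ransomware at an Annex I entity,
# personal data affected, reports filed at the times below.
EXAMPLE = Incident(
    ref="INC-2025-0001",
    aware_at=datetime(2025, 1, 31, 10, 0, tzinfo=UTC),
    personal_data=True,
    submitted={
        "early_warning": datetime(2025, 1, 31, 20, 0, tzinfo=UTC),         # +10 h: on time
        "incident_notification": datetime(2025, 2, 3, 14, 30, tzinfo=UTC),  # +76.5 h: late
        "gdpr_art33": datetime(2025, 2, 3, 14, 30, tzinfo=UTC),             # late: reasons needed
    },
)
EXAMPLE_NOW = datetime(2025, 3, 10, tzinfo=UTC)

if __name__ == "__main__":
    for name, status in report(EXAMPLE, EXAMPLE_NOW).items():
        print(f"{name:22s} {status}")
    print("GDPR delay reasons required:", EXAMPLE.gdpr_delay_reason_required())
```

Two details are worth keeping from this sketch: the final report runs from the incident notification rather than from awareness, so filing the notification late also moves the final-report date; and naive timestamps are rejected, because deadline arithmetic across time zones and daylight-saving changes is a common source of missed cut-offs.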
9. Other cybersecurity initiatives
Montenegro:
- Awareness and training: the Agency is tasked with organising training for employees, raising public awareness and collaborating with domestic and international partners.
- Sectoral and Central Registers: The Law mandates the creation of sectoral and consolidated registers of key and important entities, with strict confidentiality requirements.
Austria:
The "Cyber Security Platform" (CSP) is the central Austrian platform for cooperation between the private and public sectors on cybersecurity issues, with the close involvement of operators of critical infrastructure. It holds a plenary meeting once or twice a year and formulates recommendations in working groups. The Federal Chancellery of Austria runs the secretariat.
The "Austrian Handbook on Information Security" provides a broad overview of recognized information security standards based on common international standards such as ISO/IEC 27000. It serves to implement comprehensive security concepts in public administration and private sector.
10. Useful links
- Directive (EU) 2022/2555 on measures for a high common level of cybersecurity across the Union (“NIS-2”)
- General information about NIS-2 (German)
- Computer Emergency Response Team Austria:
- CERT’s template for security incident notification (Sicherheitsvorfallsbericht) (German)
- NIS Incident Reporting System
- Austrian Information Security Management Handbook (German)
- Federal Chancellery’s annual Cybersecurity Report (last version 2021)