Cybersecurity—Austria—Q&A guide

The following Information Law practice note provides comprehensive and up-to-date legal information covering:

  • 1. Summarise the main statutes and regulations that promote cybersecurity. Does your jurisdiction have dedicated cybersecurity laws?
  • 2. Which sectors of the economy are most affected by cybersecurity laws and regulations in your jurisdiction?
  • 3. Has your jurisdiction adopted any international standards related to cybersecurity?
  • 4. What are the obligations of responsible personnel and directors to keep informed about the adequacy of the organisation’s protection of networks and data, and how may they be held responsible for inadequate cybersecurity?
  • 5. How does your jurisdiction define cybersecurity and cybercrime?
  • 6. What are the minimum protective measures that organisations must implement to protect data and information technology systems from cyberthreats?
  • 7. Does your jurisdiction have any laws or regulations that specifically address cyberthreats to intellectual property?
  • 8. Does your jurisdiction have any laws or regulations that specifically address cyberthreats to critical infrastructure or specific sectors?
  • 9. Does your jurisdiction have any cybersecurity laws or regulations that specifically restrict sharing of cyberthreat information?

This Practice Note contains a jurisdiction-specific Q&A guide to cybersecurity in Austria published as part of the Lexology Getting the Deal Through series by Law Business Research (published: February 2021).

Authors: MGLP Rechtsanwälte | Attorneys-at-Law—Árpád Geréd

1. Summarise the main statutes and regulations that promote cybersecurity. Does your jurisdiction have dedicated cybersecurity laws?

Even though cybersecurity and, as a related topic, cybercrime have a long history in Austrian rules of law, efforts to establish dedicated and detailed rules on cybersecurity that are binding, not only for governmental agencies and (partially) state-owned companies but also the private sector, are fairly recent.

The first legal provision on cybersecurity in its widest sense was article 10 of the then-new Austrian Data Protection Act (DSG 1978), which entered into force in 1980. In this provision, data processors were obliged to set up work rules regarding data security, such as measures for access security or software testing. While the provision did not contain any details on the required rules and, further, took economic and technical feasibility into account, it required these internal rules to be approved by the Austrian Data Protection Commission (now the Data Protection Authority, or DSB), thus granting at least a minimum level of homogeneity.

In hindsight, article 10, despite its lack of detail, provided a solid basis for a unified understanding of required data security measures. But in
