Even though cybersecurity and, as a related topic, cybercrime have a long history in Austrian law, efforts to establish dedicated and detailed cybersecurity rules that are binding not only on governmental agencies and (partially) state-owned companies but also on the private sector are fairly recent.
The first legal provision on cybersecurity in its widest sense was article 10 of the then new Austrian Data Protection Act (DSG 1978), which entered into force in 1980. Under this provision, data processors were obliged to set up work rules on data security, such as measures for access control or software testing. Although the provision did not specify the content of the required rules and, further, took economic and technical feasibility into account, it required these internal rules to be approved by the Austrian Data Protection Commission (now the Data Protection Authority, or DSB), thus ensuring at least a minimum level of homogeneity.
In hindsight, article 10, despite its lack of detail, provided a solid basis for a unified understanding of the required data security measures. In 1987, however, the provision was amended with far-reaching consequences: first, the new article 10 no longer required data security measures to be compiled in a set of work rules; and second, the requirement for approval by the Data Protection Commission (now the DSB) was removed. The modified provision still took into account the economic and technical feasibility of the measures as well as their adequacy in relation to the processed data.
In Austria, a country dominated by small and medium-sized enterprises, the flexibility of article 10 DSG 1978, coupled with a legal and factual lack of control over the security measures taken, led to wide variation in levels of cybersecurity and, in extreme cases, to very small enterprises taking no relevant security measures at all, arguing that such measures were neither economically feasible nor required by the type of data processed. Unfortunately, this relatively toothless rule found its way, in mostly unmodified form, into article 14 of the Austrian Data Protection Act (DSG 2000). Although article 14 DSG 2000 applies to data controllers and data processors alike and corresponds in essence to article 17 of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (the EU Data Protection Directive), it is nevertheless a step backward from its predecessor, article 10 DSG 1978. As of 25 May 2018, however, the data security rules of the DSG 2000 were superseded by Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (the General Data Protection Regulation), whose article 32 provides slightly more detailed rules on data security.
The first cybercrime-related rules were established in 1987 with articles 126a and 148a of the Austrian Criminal Code (StGB). These provisions penalised the damaging of data and the fraudulent abuse of automated data processing (including the modification of processed data as well as of the processing software), respectively. Depending on the damage caused, these acts were punishable by imprisonment for up to five or ten years, respectively.
In 2002, following the Council of Europe's Convention on Cybercrime, Austria amended the StGB to also penalise acts such as illegitimate access to a computer system (article 118a) and the abusive interception of data (article 119a).
With these provisions of the DSG 2000 and the StGB, a first basic set of cybersecurity rules was in place: enterprises were obliged to take protective measures, and their efforts and systems were protected by means of the Criminal Code.
Although it was not until 2014 that new legal rules on cybersecurity were announced, Austrian private entities as well as the federal government were far from inactive in the meantime.
The first industry-wide initiative to centrally collect and manage cybersecurity incidents from the private as well as the public sector was the Computer Incident Response Coordination Austria (CIRCA), established by the Internet Service Providers Association (ISPA) in cooperation with the Austrian Federal Chancellery. In 2008, CIRCA was incorporated into the newly created Austrian Computer Emergency Response Team (CERT) and the Austrian Government Computer Emergency Response Team (GovCERT), the former being primarily operated by NIC.at, the Austrian domain registry, and the latter by the Federal Chancellery. Though factually important and well recognised, both CERTs serve mainly to collect information on incidents and to coordinate the incident response. As such, they may only advise on preventive measures and have no authority to demand that particular actions be taken.
Apart from these two most important CERTs, there are others established at authorities or formerly state-owned enterprises, such as the City of Vienna, A1 (the former state-owned telephone operator) or the Austrian Federal Computing Centre (BRZ), which is the former federal data centre and now e-government partner of the federal administration in Austria. These are all organised in the Austrian CERT network, which was established in 2011.
The most recent addition to the Austrian organisations active in the field of cybercrime is the Cyber Crime Competence Centre (C4), which was established in 2012. In contrast to the CERTs, C4's aim is to actively combat cybercrime; accordingly, its personnel consists of members of the Austrian Federal Police as well as of the Austrian Federal Ministry for Internal Affairs.
In May 2014, the Austrian government announced the introduction of a dedicated Austrian Cybersecurity Act. This announcement came in the wake of similar efforts in Europe, most notably the European Commission's proposal for a Network and Information Security Directive in February 2013, since adopted as Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union, and the German draft IT Security Act of March 2013. In June 2016, a White Paper was published containing recommendations for the planned Austrian Cybersecurity Act. Following these recommendations, the new Act is to transpose the Network and Information Security Directive into Austrian law, taking into account Austria's experience in combating cybercrime so far as well as the government's Austrian Strategy for Cybersecurity, which is based not only on general experience but also on the results of large-scale cybersecurity exercises held to evaluate and improve cyber defence readiness.
While the promised draft of the Austrian Cybersecurity Act was still outstanding, another law established itself as the first legal act requiring Austrian companies to ensure an appropriate level of cybersecurity: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, better known as the General Data Protection Regulation (GDPR). This Regulation first and foremost aims at protecting personal data (ie, data by which a natural person can be identified). However, in contrast to the rules on data protection in force until then, the GDPR is no longer satisfied with requiring companies to have appropriate contractual provisions in place but explicitly also requires appropriate technical and organisational measures, that is, in essence, cybersecurity measures.
In the meantime, the Austrian government has revived the Cybersecurity Act as the Network and Information System Security Act (NISG) and submitted a draft to the Austrian Parliament on 21 November 2018.