Security Requirements and Breach Notification
Do data privacy laws or regulations impose obligations to maintain information security controls to protect personal data from unauthorized access or processing?

Last reviewed: 27 December 2024

Yes.

Some include requirements for:

  • general obligation to take appropriate / reasonable technical, physical and/or organizational security measures
  • obligation to take specific security measures e.g., encryption

Not a strict legal requirement, but encryption is considered by the GDPR as an appropriate technical and organizational measure. In practice, the authorities expect encryption unless specific circumstances justify not encrypting.

Do other laws or regulations impose obligations to protect systems from cyberattack?

Last reviewed: 27 December 2024

Yes.

Financial services requirements

Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience in the financial sector ("DORA") requires affected financial entities and information and communication technology ("ICT") third-party providers to comply with numerous digital security and reporting obligations in order to make financial entities more resilient to cyber-attacks and mitigate other risks arising from the use of ICT, such as:

  • Implementation of an ICT risk management framework and business continuity management (Art 5 to 14 DORA);
  • Reporting on ICT incidents (Art 15 to 20 DORA);
  • Testing of digital operational stability (including penetration tests) (Art 21 to 24 DORA);
  • Management and monitoring of ICT third-party service provider risks (Art 25 to 36 DORA);
  • Exchange of information between the companies concerned (Art 40 DORA).

Pursuant to Art 2(1) DORA, the requirements of the regulation apply to financial entities such as credit institutions, payment institutions, account information service providers or investment firms, and to third-party ICT service providers that conclude contracts with financial entities.

The definition of ICT third-party service providers includes companies that provide digital and data services, including providers of cloud computing services, software data analytics services and data centers. Financial organizations must also include specific contractual provisions in their contracts with such ICT third-party providers.

However, insurance intermediaries, reinsurance intermediaries and ancillary insurance intermediaries qualifying as microenterprises or as small or medium-sized enterprises (according to DORA) are not subject to this Regulation.

Providers of critical infrastructure

The Austrian Network and Information System Security Act applies to providers of "essential" services (i.e., critical infrastructure) in the following sectors:

  • Energy
  • Transport
  • Banking
  • Financial market infrastructures
  • Health sector
  • Drinking water supply and distribution; and
  • Digital infrastructure

A service is considered "essential" if (i) it is essential for the maintenance of critical infrastructure, in particular for the maintenance of public health services, public supply of water, energy as well as vital goods, public transport or the functioning of public information and communication technology, and (ii) the availability of the service depends on network and information systems.

Operators of essential services are obliged:

  • to take appropriate and proportionate technical and organizational measures to manage the risks posed to the security of network and information systems which they use in their operations;
  • to demonstrate compliance with these obligations to the competent federal minister at least every three years; and
  • to immediately report a security incident to the Computer Emergency Response Team set up for this purpose, whereby the report must contain all essential information on the security incident and the technical framework conditions.

Similar obligations apply to providers of digital services and public administration bodies.

Risks, incidents, and security incidents involving entities that are operators of essential services, digital service providers, or public administration bodies, can also be reported by them to the responsible Computer Emergency Response Team, which will forward the reports in aggregate to the competent Federal Ministry.

In case of violation of the provisions for operators of essential services or operators of digital services or violation of other provisions of the Austrian Network and Information System Security Act, administrative fines of up to EUR 100,000 may be imposed.

Has there been regulatory activity – including enforcement action, investigations, regulatory guidance or other public statements by the regulator – relating to cybersecurity by the following regulators in the last 12 months?

Last reviewed: 27 December 2024

No.

Does data privacy or cybersecurity law impose obligations to make notifications about personal data security breaches?

Last reviewed: 27 December 2024

Yes.

Data privacy

  • "Personal data breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.

Cybersecurity

  • "Major ICT-related incident" means an ICT-related incident that has a high adverse impact on the network and information systems that support critical or important functions of the financial entity (pursuant to Art. 3(10) DORA).
  • "Cyber-attack" means a malicious ICT-related incident caused by means of an attempt perpetrated by any threat actor to destroy, expose, alter, disable, steal or gain unauthorized access to, or make unauthorized use of, an asset (pursuant to Art. 3(14) DORA).
  • "Significant cyber threat" means a cyber threat the technical characteristics of which indicate that it could have the potential to result in a major ICT-related incident or a major operational or security payment-related incident (pursuant to Art. 3(13) DORA).

Controllers/Owners have to notify:

Last reviewed: 27 December 2024

  • data protection authorities
    • in case of a personal data breach, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons
    • without undue delay and, where feasible, not later than 72 hours after having become aware of it
  • cybersecurity authorities
    • Operators of essential services must immediately report a security incident affecting an essential service provided by them to the computer emergency response team (CSIRT) responsible for them, which will immediately forward the report to the Federal Minister of Interior Affairs.
  • affected individuals
    • "without undue delay" (Article 34 (1) GDPR)
    • if a personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, unless any of the following conditions are met:
      • the controller has implemented technical and organizational protection measures and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorized to access it, such as encryption
      • the controller has taken subsequent measures that ensure that the high risk to the rights and freedoms of the data subjects is no longer likely to materialize
  • other.
    • Pursuant to Art 19 DORA, financial entities must report major ICT-related incidents to the relevant competent authority responsible for the respective financial entity (Art 46 DORA).
    • Financial entities may, on a voluntary basis, notify significant cyber threats to the relevant competent authority when they deem the threat to be of relevance to the financial system, service users or clients.

Processors/Agents have to notify:

Last reviewed: 27 December 2024

Controller/owner

  • in case of a personal data breach irrespective of a risk to the rights and freedoms of the data subjects without undue delay after becoming aware of it (Art 33 (2) GDPR).
  • Financial entities may outsource, in accordance with Union and national sectoral law, the reporting obligations to a third-party service provider. In case of such outsourcing, the financial entity remains fully responsible for the fulfilment of the incident reporting requirements (Art 19(5) DORA).

Are there any additional sector-specific or non-personal data security breach notification requirements?

Last reviewed: 27 December 2024

Yes.

  • financial services requirements
  • telecommunication requirements
  • providers of critical infrastructure

Details regarding the identified data security breach notification requirements

The breach notice requirements of Sec. 164 of the Austrian Telecommunications Act 2021 apply to:

  • anyone who provides publicly available telecommunications services; and
  • any personal data.

Data privacy

A data breach occurs when the protection of personal data is violated, that is, there is a violation of data security that leads to the loss, unlawful deletion, modification, storage, dissemination or other illegitimate use of personal data which are transmitted, stored or otherwise processed in connection with the provision of publicly available telecommunications services, as well as unlawful access to such data. It is mandatory to inform affected individuals, without undue delay, in cases where it is reasonable to expect that the infringement violates the rights or protectable interests of such individuals (subject to exceptions, e.g., where certain security measures have been taken and documented). The Austrian Data Protection Authority has to be informed in any case and without undue delay. According to Article 2 (2) of EU Regulation 611/2013, the authorities have to be informed within 24 hours after detection of the violation. Potential penalties for non-compliance with the breach notice requirements amount to up to EUR 50,000 per incident.

Telecommunication law

There is also a requirement under Sec. 44 of the Austrian Telecommunications Act 2021 for providers of publicly available communications networks and services to notify the Austrian Regulatory Authority for Broadcasting and Telecommunications of any breach of security or loss of integrity where such breach has had a significant impact on network operation or service provision. It is best practice to provide such notification without undue delay. Potential penalties for non-compliance with the breach notice requirements amount to up to EUR 75,000 per incident.

The breach notice requirements of Sec. 19, 21 and 22 of the Austrian Network and Information System Security Act apply to:

  • operators of critical infrastructures;
  • providers of certain digital services; and
  • public administration bodies.

The law speaks here of a security incident, which is any disruption of the availability, integrity, authenticity or confidentiality of network and information systems that has led to a restriction of the availability or to a failure of the service operated with significant consequences. To determine whether there are significant consequences due to a security incident, the following factors have to be taken into account:

  • the number of users affected by the security incident, in particular those who need the service to provide their own services;
  • the duration of the security incident;
  • the geographical spread in relation to the area affected by the security incident; and
  • the security incident's impact on economic and social activities.

It is not necessary to notify the individual. The competent Computer Emergency Team has to be informed "without undue delay" (Sec. 19, 21 Network and Information System Security Act). Potential penalties for non-compliance with the breach notice requirement amount to up to EUR 50,000 for the first incident and up to EUR 100,000 for any further incidents.

Financial services

Chapter III of DORA also requires financial entities to implement a management process for monitoring and logging ICT-related incidents. Art. 17 DORA requires financial entities to establish early warning indicators to detect and manage cyberattacks. In addition, DORA creates uniform and standardized guidelines on how to proceed in the event of IT security incidents. For example, Art. 18 DORA describes a classification procedure based on factors such as the duration and severity of the ICT-related incident's effect on the financial organization's ICT systems. Major ICT-related incidents (see Art. 3(10) DORA) must be reported by the respective financial entity to the competent authority (see Art. 46 DORA) in accordance with Art. 19 DORA.

The requirements laid down in DORA also apply to operational or security payment-related incidents and to major operational or security payment-related incidents, where they concern credit institutions, payment institutions, account information service providers, and electronic money institutions (Art 23 DORA).