Last reviewed: 28 December 2023

☒   omnibus – all personal data

☒   sector-specific

Telecoms, public healthcare sector

☒   constitutional

Last reviewed: 28 December 2023

• EU General Data Protection Regulation
• Austrian Data Protection Act

Last reviewed: 28 December 2023

• Network and Information System Security Act
• Network and Information System Security Ordinance
• Qualified Entities Ordinance

EU law:

• Directive (EU) 2016/1148 of the European Parliament and of the Council concerning measures for a high common level of security of network and information systems ("NIS Directive")
• Commission Implementing Regulation (EU) 2018/151 of 30 January 2018 laying down rules for application of Directive (EU) 2016/1148 of the European Parliament and of the Council as regards further specification of the elements to be taken into account by digital service providers for managing the risks posed to the security of network and information systems and of the parameters for determining whether an incident has a substantial impact
• Regulation (EU) 2019/881 of the European Parliament and of the Council of 17 April 2019 on ENISA (the European Union Agency for Cybersecurity) and on information and communications technology cybersecurity certification and repealing Regulation (EU) No 526/2013 ("Cybersecurity Act")
• Directive (EU) 2022/2555 of the European Parliament and of the Council on measures for a high common level of cybersecurity across the Union ("NIS2 Directive")
• Regulation (EU) 2022/2554 of the European Parliament and of the Council on digital operational resilience for the financial sector ("DORA", or Digital Operational Resilience Act)

Last reviewed: 28 December 2023

Data Privacy

No.

Cybersecurity

At present, there is no draft law for the implementation of Directive (EU) 2022/2555 (NIS2) in Austria. As the deadline for the transposition of the Directive is 17 October 2024, a draft is expected in Q3 of 2024.

European developments

New data- and cyber-related legislation was enacted in the European Union in 2022 and 2023 that will come into force, or be implemented in Member States, in the next few years.

The Digital Operational Resilience Act ("DORA"), which lays down uniform requirements concerning the security of network and information systems supporting the business processes of financial entities, entered into force in January 2023, and includes a two-year implementation window with the new rules taking effect on 17 January 2025.

The NIS2 Directive, which in particular broadens the scope of application and also extends the relevant obligations in comparison to NIS, requires Member States to apply implementing measures from 17 October 2024.

In December 2023, Regulation (EU) 2023/2854 on harmonized rules on fair access to and use of data ("Data Act") was published in the Official Journal of the EU. It shall apply from 12 September 2025. The Data Act contains provisions regarding the access, use, making available and sharing of data (both personal and non-personal data) generated by the use of connected products and related services. Users can also ask data holders to make this data available to third parties..

A political agreement on the EU Artificial Intelligence Act ("EU AI Act") was announced in December 2023. The EU AI Act provides for graduated regulation of AI products based on risk categories: it prohibits certain technologies and imposes obligations on technology producers and deployers based on the risk category into which the AI product falls. The EU AI Act should apply two years after its entry into force, with some exceptions for specific provisions. The EU AI Act awaits formal adoption by the European Parliament and the Council.

A political agreement was also reached on the Cyber Resilience Act, in November 2023. It will introduce new obligations on manufacturers of products with digital elements designed to ensure the cybersecurity of such products. Manufacturers will have to implement cybersecurity measures across the entire lifecycle of the product, from the design and development, to after the product is placed on the market. The Cyber Resilience Act awaits formal adoption by the European Parliament and the Council.

There is further data- and cyber-related legislation pending in the EU.

A proposal for an ePrivacy Regulation has been pending at a European level since 2017 to adapt rules for electronic communications to the GDPR and to strengthen privacy protection online. If enacted, it would introduce reforms to the EU law on areas such as direct marketing, cookies and similar technologies and electronic communications data. However, progress has been slow in comparison to other major EU digital files of the EU’s data strategy, such as the Digital Markets Act and the Digital Services Act.

In relation to EU-US data transfers, in July 2023 the European Commission adopted its adequacy decision for the EU-U.S. Data Privacy Framework. On the basis of the new adequacy decision, personal data can flow from EU companies to US companies participating in the EU-U.S. Data Privacy Framework, as if the US company was based in the EU. The first review of the EU-U.S. Data Privacy Framework will take place in 2024, in order to verify that all relevant elements have been fully implemented in the US legal framework and are functioning effectively in practice. The adequacy decision is already being challenged in courts.