🇦🇹 Network and Information Security Directive in Austria
A comprehensive guide to Network and Information Security Directive compliance for organisations operating in Austria. Understand local enforcement, the national data protection authority, key focus areas, and notable enforcement actions.
About Network and Information Security Directive
The updated EU cybersecurity directive that expands security requirements to a broader range of sectors and imposes stricter obligations on essential and important entities.
Network and Information Security Directive Enforcement in Austria
Austria's DSB made international headlines with its January 2022 ruling that the use of Google Analytics violates GDPR due to US data transfers lacking adequate safeguards under Schrems II — one of the first post-Schrems II enforcement decisions globally. The ruling triggered a cascade of similar decisions across Europe. Austria supplemented the GDPR through the Datenschutzgesetz (DSG), which includes specific provisions on video surveillance, sector-specific data processing, and exemptions for small businesses. The DSB has also focused on political party data processing and employer surveillance. Austria sets the age of digital consent at 14.
NIS2 Transposition Status in Austria
Delayed
Data Protection Authority
Österreichische Datenschutzbehörde (DSB)
Key Enforcement Focus Areas in Austria
- Google Analytics and US data transfer compliance
- Video surveillance and CCTV regulations
- Political data processing oversight
- Employer monitoring and workplace privacy
- Small business compliance exemptions
Notable Enforcement Actions in Austria
Österreichische Post AG
Creating and selling profiles on political party affinities of 3 million Austrians using data analytics
REWE Group (BIPA)
Operating loyalty programme with insufficient consent mechanisms for data processing
Website operator (anonymous, Google Analytics case)
Landmark ruling that Google Analytics use transfers data to US without adequate GDPR safeguards
Jö Bonus Club
Processing loyalty card data beyond the original purpose without valid consent
Disclaimer: The information on this page is for educational purposes and does not constitute legal advice. For specific compliance guidance, consult a qualified legal professional in your jurisdiction.
Other Regulations Affecting Austria
General Data Protection Regulation (GDPR)
The EU's landmark data protection law that governs how organisations collect, store, process, and transfer personal data of individuals in the European Economic Area.
Digital Operational Resilience Act (DORA)
The EU regulation establishing a comprehensive framework for digital operational resilience in the financial sector, covering ICT risk management, incident reporting, testing, and third-party risk.
EU Artificial Intelligence Act (AI Act)
The world's first comprehensive AI regulation, establishing a risk-based framework for the development, deployment, and use of artificial intelligence systems within the EU.
ePrivacy Directive (2002/58/EC)
The EU directive governing privacy in electronic communications, covering cookies, direct marketing, traffic data, and the confidentiality of communications — often called the "Cookie Law".