Threat detection and reporting

Policies and procedures

What policies or procedures must organisations have in place to protect data or information technology systems from cyberthreats?

Apart from industry standards and recommendations, the only Austrian legal rule is that of article 32 GDPR.

See question 6.

Describe any rules requiring organisations to keep records of cyberthreats or attacks.

As such records do not fall within the scope of Austrian legal rules on the keeping of documents (eg, contracts, invoices), the only applicable rules are article 32 GDPR and those determined by industry standards or recommendations.

See question 15.

Describe any rules requiring organisations to report cybersecurity breaches to regulatory authorities.

Once again, apart from industry standards and recommendations, the only relevant Austrian legal rule in this regard is that of article 14 DSG 2000. This provision does not require the processor to notify the authority, but rather the data subjects concerned.

See question 24.

Timeframes

What is the timeline for reporting to the authorities?

Article 14 DSG 2000 requires data subjects to be notified ‘without delay’. However, this provision does not require the notification of any authority.

As of 25 May 2018, the date from which the GDPR applies, companies must notify the national data protection authority in the event of any risk to the rights and freedoms of natural persons. If that risk is high, the natural persons concerned must also be notified.

See question 24.

Reporting

Describe any rules requiring organisations to report threats or breaches to others in the industry, to customers or to the general public.

Austrian legal rules neither require the reporting of cyberthreats, nor do they require reports to be issued to others in the industry or the general public. See question 24 for details.