< Back

Share |

Putting the Digital Single Market initiative into action

The EU's Digital Single Market project is hugely ambitious in scope. Of 35 legislative proposals, to date, 18 have been passed. It is not only the European Commission which is facing an ambitious agenda. Member States have to pass implementing legislation for Directives within prescribed timescales, as well as dealing with permitted derogations in Regulations. Austria's struggle to improve its rate of digitisation and pass legislation implementing the Cybersecurity Directive is an example of the challenges Member States face.

November 2018

According to the Digital Economy and Society Index (DESI), Austria's progress in digitisation has been roughly in line with both the EU average and the average for the cluster of medium performing countries. In the 2018 report, Austria maintained its 11th position ranking. Its main strengths remain Human Capital and Digital Public Services, but, in 2018, Austria improved its relative position regarding both the use of internet services by citizens (where it is lagging behind) and the integration of digital technology by businesses (where it scores significantly above average). These improvements come despite a connectivity ranking in the lower half of EU countries. While improving rapidly, Austria's ranking has also been affected by the introduction of new indicators on ultra-fast broadband, where it performs less well than the majority of other Member States.

In order to develop and support Austria's digital economy, the government published a 'Digital Roadmap Austria'. While digitisation did develop faster (in some areas) in 2018 than in the previous year, and despite the tangible government plans, the Austrian government's efforts to ensure security of digitisation in the public as well as the private sector, did not meet expectations.

A clear example of these shortcomings is the delayed implementation of Directive (EU) 2016/1148 concerning measures for a high common level of security of network and information systems across the Union (the Cybersecurity Directive or NISD).

The Cybersecurity Directive is one of the successes of the DSM project. Member States were required to pass implementing legislation by 9 May 2018. Austria has missed that deadline by some margin, only publishing a draft of its Cybersecurity law on 19 September 2018.

Under the draft, strategically important companies active in the energy, transport, banking, drinking water and healthcare sectors as well as internet search engines, public authorities and cloud service providers, will be obliged to prove that they adequately protect themselves against cyberattacks. In addition, they will have to report major security incidents to the Ministry of the Interior.

Failure to comply with reporting requirements will result in penalties of up to EUR 50,000, or, in case of recurrence, up to EUR 100,000. These fines will also apply if there are insufficient efforts to keep security measures up to date.

Two ministries are responsible for the implementation of this law. The Federal Chancellery is responsible for strategy and the Ministry of the Interior will assume operational tasks. The Austrian Federal Army does not play a role, even though it has developed expertise in the field of IT security in recent years. This expertise, has however, caused a somewhat public rivalry between the Ministry of the Interior and the Ministry of Defence.

Interestingly, it is the Minister of the Interior which is responsible for deciding the definition of a cyber crisis and whether a cyber crisis has occurred. Under § 3 Z 18 of the draft law, a cyber crisis occurs if:

a security incident causes a severe anomaly in cyber space and constitutes a current and immediate danger to the maintenance of important societal features (impacts on the health, security or the economic and social well-being of great parts of the population).

The main aspects of Austria's planned Cybersecurity law are:

  • Specification of tasks and competences to authorities as well as powers to ensure a high standard of security in network and information systems.
  • Specification of a national strategy for security in network and information systems.
  • Determination of the Operators of Essential Services (OESs) included in the scope of application on the basis of the subsectors and factors, yet to be specified.
  • The stipulation of two kinds of obligations for OESs, digital service providers (DSPs) and federal facilities: they shall a) provide adequate security measures for their network and information systems and b) report security incidents to the competent authority.
  • The audit of the implementation of adequate security measures and the adherence to reporting obligations. While this audit can be conducted at any time and at least every three years in relation to OESs, DSPs may only be audited in case of an incident.
  • The establishment of computer security incident response teams and specifications of their tasks.
  • Stipulation of structures, tasks and powers in the event of a cyber crisis.
  • Specification of penalties in case of non-compliance with the rules implemented by this federal law.

Companies likely to be caught by the future Cybersecurity law, should use the time until the law enters into force to proactively prepare their internal implementation.


Austria is not alone in struggling to pass required legislation on time in response to the DSM juggernaut. A number of countries are yet to implement the Cybersecurity Directive and many have not yet produced legislation to deal with GDPR derogations. The Commission's response to this has not yet taken the form of anything stronger than reminders, but Member States may run into trouble further down the line if they fail to keep up.

If you have any questions on this article please contact us.

People sitting at a desk
Dzevad Mujezinovic

Dzevad Mujezinovic


Dzevad looks at Austria's progress with digitisation.

"Austria is not alone in struggling to pass required legislation on time in response to the DSM juggernaut."