CRA Compliance in Austria
National competent authority, Article 14 CSIRT contacts, and enforcement guidance for Austria manufacturers.
Austria's national cybersecurity authority for CRA purposes centres on the Federal Ministry of the Interior (BMI) and its GovCERT Austria function, supported by CERT.at operated by nic.at for the private sector. Austria has a significant precision engineering and industrial automation manufacturing sector with considerable CRA exposure. The country's comprehensive NIS2 transposition through the NISG 2024 provides a solid legislative foundation for CRA implementation.
National Competent Authority (CRA)
BMI / GovCERT Austria
Bundesministerium für Inneres / GovCERT Austria
The Austrian Federal Ministry of the Interior (BMI) oversees Austria's national cybersecurity framework and GovCERT Austria. The Rundfunk und Telekom Regulierungs-GmbH (RTR) supports regulatory functions. CRA national competent authority responsibilities are expected to be confirmed through national implementing legislation.
https://www.bmi.gv.at →National CSIRT (Article 14 Reports)
GovCERT Austria
GovCERT Austria / CERT.at
https://www.cert.at/de/kontakt/
https://www.bmi.gv.at/cyberbuero →CRA Enforcement in Austria
Austria's CRA national competent authority responsibilities are distributed between BMI (national security and critical infrastructure), the Rundfunk und Telekom Regulierungs-GmbH (RTR, for telecoms and digital markets), and the Federal Ministry for Digital and Economic Affairs (BMAW) for market surveillance of consumer and industrial products. Austria has implemented NIS2 through the Netz- und Informationssystemsicherheitsgesetz 2024 (NISG 2024), which provides the legislative framework for cybersecurity oversight. The allocation of specific CRA NCA responsibilities will be confirmed through national implementing legislation expected before December 2027.
Article 14 Incident Reporting for Austrian Manufacturers
Austrian manufacturers are expected to submit Article 14 notifications to GovCERT Austria (for government and critical infrastructure supply chain) or CERT.at (for private sector manufacturers) within the CRA timeframes. CERT.at is operated by nic.at (the Austrian domain registry) and provides incident coordination services for the Austrian internet community and industry. The Article 14 obligation requires an early warning within 24 hours of detecting active exploitation and a full notification within 72 hours. The specific Article 14 reporting channel for manufacturers will be confirmed through national CRA implementing guidance — manufacturers should monitor BMI and RTR announcements.
Market Surveillance & Penalties
Market surveillance for CRA products in Austria is coordinated between BMAW and sector regulators, with the Federal Office of Metrology and Surveying (BEV) involved in conformity assessment accreditation. The full CRA penalty regime applies: up to €15 million or 2.5% of global annual turnover for violations of essential cybersecurity requirements. Austria's market surveillance under the General Product Safety Regulation and Radio Equipment Directive provides a foundation for CRA enforcement. The BMAW has active market surveillance operations for CE-marked products and is expected to integrate CRA cybersecurity requirements into existing market surveillance procedures.
Support for Austrian Manufacturers
CERT.at publishes free cybersecurity advisories and guidance in German for Austrian businesses. The Austrian Institute of Technology (AIT) provides technical research and conformity testing services relevant to CRA product evaluations. The Wirtschaftskammer Österreich (WKÖ) provides CRA implementation guidance for its SME members through its digital economy division. Austria Wirtschaftsservice (aws) supports SME investment in cybersecurity compliance through innovation funding programmes. The Austrian Standards Institute (ASI) publishes national adoptions of IEC and ETSI standards relevant to CRA Annex I compliance.
CVD Portal automates your Article 14 notification obligations.
Pre-built notification workflows for GovCERT Austria, deadline tracking, CSAF advisory generation, and a public CVD submission portal. Free forever.
Start your free portalFrequently asked
How do I contact GovCERT Austria or CERT.at as a manufacturer?+
For government and critical infrastructure supply chain matters, GovCERT Austria is reachable through the BMI Cybersicherheitszentrum at bmi.gv.at/cyberbuero. Private sector manufacturers should contact CERT.at through cert.at/de/kontakt. The Wirtschaftskammer Österreich (WKÖ) at wko.at also provides a first point of contact for manufacturers seeking CRA implementation guidance in German.
Does Austria have national-level CRA implementing legislation?+
Austria has implemented NIS2 through the NISG 2024 (Netz- und Informationssystemsicherheitsgesetz 2024). CRA implementing measures are expected through amendments to the NISG 2024 and product safety regulations under the Produktsicherheitsgesetz 2004. BMAW is leading the CRA product safety aspects, with BMI leading cybersecurity enforcement. National implementing regulations are expected ahead of the CRA's December 2027 application date.
How does the CRA interact with Austria's NISG 2024 and NIS2 obligations?+
Austria's NISG 2024 creates incident reporting obligations for essential and important entities that partially overlap with CRA Article 14 for manufacturers. Austrian manufacturers that are also NIS2-designated entities should expect RTR and BMI to provide consolidated guidance on satisfying both frameworks with a single notification where applicable. Austria's small and medium enterprise manufacturing sector — the backbone of the Mittelstand — should pay particular attention to the simplified compliance pathways being developed for products not in the highest-risk CRA categories.
CRA guides for neighbouring countries
Need a CRA compliance checklist for your product?
Browse free niche-specific checklists covering classification, Annex I obligations, and CVD requirements.