strafsachen.at
by Brandauer RA
DE EN BKS
Menü
Property crimes

Cybercrime in Austria: hacking, data offences and computer fraud

Cybercrime in Austria: the central computer offences from hacking (§ 118a) through data damage (§ 126a) to computer fraud (§ 148a), their penalties and steps for those affected.

Your personal attorney

Mag. Christopher Angerer, Rechtsanwalt

Your lawyer for criminal defence

Criminal proceedings are a matter of trust. One lawyer who walks with you from the first consultation through to the trial, everything from one hand.

Call directly +43 660 2407152 WhatsApp Send email
Book consultation
11 June 2026 · Mag. Christopher Angerer, Rechtsanwalt

Cybercrime has long been part of everyday life: from a hacked email account through manipulated data to a paralysed website. Austrian criminal law provides a range of dedicated computer offences for this. For the accused, it is often surprising how far these offences reach, for example that even possessing certain tools can be punishable. Injured parties ask themselves how to proceed and what evidence counts.

This post gives, from a legal perspective, an overview of the central computer offences of the StGB, from hacking through data damage to computer fraud, and explains the respective penalties and particularities. This is general information, not advice on an individual case.

What accusation is at issue?

Four situations, one clear next step.

The right steps differ depending on the specific accusation. Choose your situation and you will receive the key points and the next concrete step.

Already know you want to get in touch? Go straight to the enquiry form.

01 Question 1

What does your case involve?

The right steps differ depending on the accusation at issue and whether you are accused or injured. Choose your situation and you will receive the key points and the next concrete step.

All paths at a glance

Overview of all answers.

01

Accusation of unauthorised access: § 118a requires overcoming a security measure.

Unlawful access to a computer system under § 118a StGB requires that a specific security measure is overcome in order to obtain access for oneself or a third party. Not every login with someone else’s data meets this offence. From a legal perspective, it must be examined precisely whether a security measure existed and whether it was actually overcome.

Important: this offence is prosecuted only on the authorisation of the injured party. Do not make a statement on the matter before you have obtained access to the file, and secure technical evidence that supports your account.

In depth: the central computer offences →
02

Data damage and system disruption: the penalty rises with loss and scale.

Data damage under § 126a StGB and disruption of the functionality of a computer system under § 126b StGB cover altering, deleting or rendering data unusable, as well as paralysing systems. The penalty rises significantly with the amount of loss, the number of affected systems and where critical infrastructure is involved.

From a legal perspective, the precise calculation of loss and the question of whether a loss was caused intentionally are often the decisive points of dispute. Secure all technical records.

In depth: the central computer offences →
03

Tools and access data: § 126c already covers preparatory acts.

The misuse of computer programs or access data under § 126c StGB already criminalises preparatory acts, such as producing, obtaining or possessing hacking tools or someone else’s passwords, where there is the intent to use them to commit one of the computer offences. From a legal perspective, the inner intent is the decisive point here, because many tools also have legitimate applications.

For this offence, the law provides for a separate form of active repentance. Before each step, have it examined whether and how this can be used.

In depth: the central computer offences →
04

As a victim: secure evidence, file a complaint, observe the deadline for authorisation offences.

Anyone who has become the victim of a cyber offence should secure evidence immediately: screenshots, log files, emails and system messages. You can then file a complaint. For some offences, such as unlawful access under § 118a or violation of the secrecy of telecommunications under § 119, prosecution takes place only on your authorisation as the injured party.

From a legal perspective, it is worth securing the evidence professionally at an early stage and documenting your claims as a private participant before traces are lost.

In depth: what injured parties can do →

The central computer offences at a glance

The StGB regulates computer offences in several provisions that cover different forms of attack.

Unlawful access to a computer system (§ 118a). It is punishable to obtain access to a computer system by overcoming a specific security measure. The penalty extends to up to two years, and to up to three years where critical infrastructure is involved. Prosecution takes place only on the authorisation of the injured party.

Violation of the secrecy of telecommunications (§ 119) and improper interception of data (§ 119a). These cover the unauthorised interception of messages or data. Both offences carry up to two years’ imprisonment and are prosecuted only on authorisation.

Data damage (§ 126a). Anyone who alters, deletes or renders someone else’s data unusable is punishable. The penalty rises with the amount of loss, the number of affected systems and where critical infrastructure is involved.

Disruption of the functionality of a computer system (§ 126b). This covers the serious disruption of a system, for example through overload attacks. Here too the penalty rises with the scale.

Tools, computer fraud and data forgery

In addition to the actual attacks, the law also covers preparatory acts and particular forms of commission.

Misuse of computer programs or access data (§ 126c). Even producing, obtaining or possessing hacking tools or someone else’s access data can be punishable where there is the intent to use them to commit a computer offence. The law provides for a separate form of active repentance here.

Fraudulent misuse of data processing (§ 148a). This is computer fraud: anyone who, by manipulating a data-processing operation, causes a pecuniary loss in order to enrich themselves unlawfully is punishable. As with classic fraud, the penalty depends on the amount of loss, with the value thresholds of 5,000 and 300,000 euros.

Data forgery (§ 225a). Anyone who, by entering, altering or deleting data, produces false data with the intent to use it in legal dealings faces up to one year’s imprisonment or a fine of up to 720 daily rates.

From a legal perspective, with all these offences the inner intent is often the decisive point, because many acts are technically neutral and become punishable only through the intention.

If you are accused

Cyber proceedings are technically complex, which is precisely why a well-considered defence is important.

Silence and access to the file. Do not make a statement on the matter before you have sought legal advice and seen the file. A spontaneous technical explanation can unintentionally become incriminating.

Technical evidence. In cyber proceedings, log files, timestamps and the attribution of devices and accesses often decide the case. This evidence should be secured and examined at an early stage and by experts.

Intent at the centre. With many computer offences, intent is what matters. Whether a tool was used for legitimate purposes or with the intention to cause harm is often the decisive difference.

What injured parties can do

Victims of cyber offences also have several options.

Secure evidence. Keep screenshots, log files, emails and system messages. Digital traces are quickly lost, so acting quickly and carefully is important.

Complaint and authorisation. You can file a complaint. For some offences, such as § 118a or § 119, prosecution takes place only on your authorisation as the injured party. You should give this declaration deliberately and in good time.

Private participation. As an injured party, you can join the criminal proceedings and assert your loss. Good documentation of the loss makes enforcement easier.

The most common mistakes in cyber proceedings. As the accused, giving a technical explanation before the file and the evidence are known. Assuming that possessing a tool is harmless in itself, even though § 126c already covers preparatory acts. As the injured party, securing digital traces too late. In all cases: secure technical evidence early and follow a clear strategy.

Frequently asked questions

What you need to know about cybercrime in Austria.

Is every login with someone else’s data punishable? +

Not automatically. Unlawful access under § 118a StGB requires that a specific security measure is overcome. Whether that is the case depends on the individual situation. In addition, however, other provisions may apply, such as violation of the secrecy of telecommunications or computer fraud. The precise classification should be examined by experts.

Can merely possessing hacking tools be punishable? +

Yes. § 126c StGB already criminalises producing, obtaining or possessing computer programs or access data where there is the intent to use them to commit a computer offence. The inner intent is decisive, because many tools also have legitimate applications. The law provides for a separate form of active repentance for this offence.

What is computer fraud? +

The fraudulent misuse of data processing under § 148a StGB is computer fraud. It is punishable to cause a pecuniary loss by manipulating a data-processing operation in order to enrich oneself unlawfully. The penalty depends on the amount of loss, with the same value thresholds of 5,000 and 300,000 euros as for classic fraud.

Are cyber offences always prosecuted ex officio? +

Not all of them. Some offences, such as unlawful access under § 118a or violation of the secrecy of telecommunications under § 119, are prosecuted only on the authorisation of the injured party. As the injured party, you must therefore actively enable prosecution. Other offences such as data damage are prosecuted ex officio.

What evidence is important in cyber proceedings? +

Log files, timestamps, IP addresses, screenshots and the attribution of devices and accesses are often decisive. These digital traces are quickly lost and should be secured at an early stage and by experts. For both the accused and injured parties, the quality of the technical evidence is often crucial.

What should I do first as the accused? +

Do not make any statement on the matter before you have sought legal advice and obtained access to the file. Technical explanations in particular can unintentionally become incriminating. At the same time, secure evidence that supports your account, such as logs or proof of the legitimate use of devices and programs.

Related topics

You might also be interested in

Fraud under § 146 StGB: complaint, penalty and the first steps

The elements of fraud, the value thresholds and active repentance, also relevant for computer fraud.

What to do after a criminal complaint in Austria? The general overview of the proceedings

The course of criminal proceedings, your rights and the first 72 hours after a complaint.

Topics
cybercrimehackingdata-damagecomputer-fraudsection-118asection-148a

Interview, house search, indictment?

In criminal matters every hour counts. Call us directly or send an email, callback within one business day, earlier in urgent cases.

+43 660 2407152 [email protected]
Contact

A direct line to the firm.

Address

BRANDAUER Rechtsanwälte GmbH Giselakai 51 5020 Salzburg