How to Respond to an Economic (white‑collar) Criminal Investigation in Austria, Step‑by‑step (2026 Update)

By Global Law Experts
– posted 1 hour ago

Knowing how to respond to an economic criminal investigation in Austria can determine whether a company emerges with its reputation intact or faces years of costly litigation. Austrian authorities, including the Financial Police (Finanzpolizei), the Federal Criminal Intelligence Service (Bundeskriminalamt, BKA), and the Public Prosecutor’s Office (Staatsanwaltschaft), have sharpened their enforcement tools, particularly around the seizure of mobile data and portable devices under rules reinforced from 1 January 2025. This guide sets out the immediate actions, dawn‑raid protocols, document checklists, timelines and indicative costs that general counsel, directors, compliance officers and affected employees need in 2026.

It reflects the latest amendments to the Austrian Code of Criminal Procedure (Strafprozessordnung, StPO) and practical guidance drawn from official Austrian Government and practitioner sources.

Overview of the Process and Who It Applies To

An economic criminal investigation in Austria targets conduct such as fraud, embezzlement, bribery, money laundering, tax evasion, cartel offences and accounting manipulation. Both natural persons (directors, officers, compliance staff, employees) and legal entities may be investigated. Corporate criminal liability in Austria means a company itself can face prosecution, administrative fines and, in serious cases, court‑imposed sanctions that affect its ability to operate.

Investigations may be triggered by a criminal complaint, a tax audit finding, a suspicious‑transaction report, a whistleblower disclosure or a referral from a regulatory body. Outcomes range from the investigation being dropped with no action, through administrative penalties and settlement, to full criminal indictment and trial.

Who May Investigate

  • Financial Police / Anti‑Fraud Office (Finanzpolizei). Part of the Federal Ministry of Finance (BMF), responsible for tax‑related economic crime, social fraud and illicit employment. Officers have powers to enter business premises, demand records and seize evidence.
  • Federal Criminal Intelligence Service (Bundeskriminalamt, BKA). Austria’s national criminal investigation body, sometimes described as the closest equivalent to the FBI, with a dedicated economic and cyber‑crime unit. The BKA coordinates complex, multi‑jurisdictional probes and works with Europol.
  • Public Prosecutor’s Office (Staatsanwaltschaft). Directs preliminary investigations under the StPO, decides whether to charge, and prosecutes at trial. The Central Public Prosecutor’s Office for Economic Crimes and Corruption (Wirtschafts‑ und Korruptionsstaatsanwaltschaft, WKStA) handles the most significant cases.
  • Directorate General for Public Security. Oversees law‑enforcement operations and may be involved where economic crime intersects with organised crime or public‑order concerns.

Eligibility and Prerequisites for Immediate Action

Every company operating in Austria, domestic or foreign‑registered, and every individual who could be treated as a suspect, witness or person of interest falls within the scope of this process. The obligation to act arises the moment the company receives notice: a phone call from an investigator, a written summons, a dawn‑raid team at reception, or even an internal discovery of potential wrongdoing that may attract regulatory attention. Corporate criminal defence in Austria begins before charges are filed; early preparation is decisive.

Before any investigative contact, companies should already have in place a document‑retention policy, a legal‑privilege protocol and a data‑protection impact assessment covering employee devices. If these do not exist, creating them is a priority that should not wait for an investigation to start.

Who Should Be in the Immediate Response Team

  • General counsel / in‑house legal. First point of contact; activates the crisis plan and engages external counsel.
  • CEO or managing director. Authorises expenditure, approves external appointments and communicates with the board.
  • IT / information‑security lead. Preserves evidence, generates device inventories and manages forensic‑imaging logistics.
  • HR / compliance officer. Handles employee communications, checks whistleblower files and ensures data‑protection compliance.
  • External criminal defence counsel. Advises on rights, manages investigator interactions, reviews privilege and directs forensic vendors.

Step‑by‑Step Procedure: How to Respond to an Economic Criminal Investigation in Austria

The steps below cover the critical first 21 days. They are designed as a sequential checklist: each step builds on the previous one. Where a dawn raid occurs, Steps 1 through 5 may compress into a single day. Short scripts are provided for use by reception staff, the designated company representative and counsel.

Step 1: Immediate Containment and Evidence Preservation (0–2 Hours)

The moment an investigation is notified or officers arrive, the company must preserve all potentially relevant evidence. Instruct staff, verbally and, where possible, in writing, not to delete, alter or move any files, emails, messages or physical records. IT should isolate affected systems and disable automated deletion routines (email purge policies, log‑rotation scripts). Generate and timestamp a device inventory listing every company‑owned laptop, desktop, server, mobile phone and USB drive in the affected business unit.

Mark all legal correspondence and advice documents with a privilege tag to prevent inadvertent disclosure. If officers are on site, designate one senior employee to accompany them at all times.

Script for reception / staff: “We are aware of the situation. Our legal counsel is being contacted and will be here shortly. In the meantime, please do not delete any files, do not interact with devices beyond normal use, and direct all questions to [named crisis lead].”

Step 2: Engage External Counsel and Forensic Support (0–4 Hours)

Contact external criminal defence counsel immediately, ideally a firm experienced in economic criminal investigations in Austria. If a dawn raid is under way, counsel should attend the premises as quickly as possible; most experienced firms offer emergency call‑out services.

Simultaneously, identify a forensic‑imaging vendor. The vendor must be capable of producing legally admissible forensic images with a documented chain of custody. Confirm availability, response time and whether the vendor can attend on‑site within hours. Counsel, not the company’s IT department, should direct the forensic process to protect privilege and ensure admissibility.

Consider whether to offer the investigators a forensic image of relevant devices rather than handing over the physical hardware. Under the updated rules reinforced from 2025, companies have stronger grounds to request forensic imaging over blanket device seizure (see the 2026 changes section below).

Step 3: Liaise with Investigators and Verify Authority (0–24 Hours)

Identify the lead investigator by name, badge number and agency. Request, and photograph or copy, the written search warrant or other legal authority (e.g., a prosecutorial order under the StPO). Check the warrant’s scope: which premises, which types of records and which time period does it cover? Record these details in a contemporaneous log.

Ask for time to allow counsel to attend before substantive questioning begins. You are entitled to consult a lawyer before making any statement. Do not make admissions, speculate or volunteer information beyond what the warrant compels.

Script for the designated company representative: “We will cooperate fully within the scope of the warrant. Our external counsel has been contacted and will be present shortly. Until then, we request that no substantive interviews take place. We would like a copy of the warrant and a receipt for any items removed.”

Step 4: Dawn‑Raid and On‑Site Search Handling (Day 0)

If investigators arrive unannounced (the classic dawn raid), follow this dawn‑raid checklist for Austrian companies to maintain control without obstructing the search:

  1. Alert the crisis team immediately using a pre‑agreed escalation channel (phone tree, secure messaging).
  2. Designate a single company representative to accompany investigators through the premises. This person should not be a potential suspect.
  3. Photograph the search warrant and all supporting documents. Note the issuing court or prosecutor’s name, the date, the file reference and the scope.
  4. Log every room entered, every container opened, and every document or device removed. Insist on an itemised inventory receipt signed by the lead officer.
  5. Before any documents are reviewed, assert privilege over materials that are subject to legal professional privilege. Prepare a privilege log listing each claimed document by reference number, date, sender and recipient, without disclosing content.
  6. Do not allow unaccompanied access to server rooms, filing cabinets or executive offices. If investigators insist, record your objection in the log and notify counsel immediately.

Script for counsel on‑site: “We will cooperate with the search. However, we need to review the documents in this [folder / server directory] for legal privilege before they are examined. We will prepare a privilege log within [agreed timeframe] and make non‑privileged materials available.”

Step 5: Data Seizure and Mobile Devices (0–7 Days)

The seizure of mobile data in Austria in 2026 is subject to updated procedural safeguards (detailed in the dedicated section below). When investigators seek to seize or image mobile phones, laptops or portable storage:

  • Request the specific written legal basis for the seizure; a general search warrant may not automatically cover the forensic examination of device contents.
  • Insist on forensic imaging rather than physical removal of the device, where the law permits and practical circumstances allow.
  • Ask for the device to be sealed in a tamper‑evident bag and a signed, timestamped custody receipt issued.
  • Request that any access to decrypted data occurs only under conditions agreed with counsel, for example, with a company‑appointed forensic observer present.
  • Identify and flag any personal data, customer data or third‑party intellectual property on the devices. Notify the investigators that data‑protection obligations under the GDPR may limit the scope of examination.

Step 6: Internal Investigation and Remediation (1–7 Days)

Launch a parallel internal factual review, directed by external counsel to preserve privilege over its findings. Define the scope: which transactions, which period, which individuals. Prepare a witness‑interview protocol (written questions, contemporaneous notes, separate interviews). Do not coach witnesses; the goal is to establish facts, not to align accounts.

Begin remediation where possible: suspend implicated processes, strengthen internal controls, update compliance training. Documenting remediation steps early can be influential if the matter progresses to sentencing or settlement discussions.

Step 7: Decision Point, Self‑Report, Leniency or Defend (7–21 Days)

Within the first few weeks, counsel and the board should evaluate whether to self‑report, seek leniency or adopt a defensive strategy. Key factors include the strength of the evidence, the company’s prior compliance record, whether a leniency procedure in Austria is available for the relevant offence, and the reputational cost of each path.

If self‑reporting, document the company’s cooperation and remediation measures. Engage with the Public Prosecutor’s Office or the WKStA through counsel only. Settlement negotiations, including diversion (Diversion) under the StPO, are typically most productive when the company can demonstrate genuine, early cooperation.

Response Timeline Summary

Step | Who Does It | Typical Duration
Immediate containment and evidence preservation | Company crisis lead + IT + in‑house counsel | 0–2 hours
Engage external counsel and forensic vendor | GC / CEO engages counsel; counsel engages forensics | 0–4 hours
Liaison with investigators and verify authority | Company counsel / designated representative | 0–24 hours
Manage on‑site search / dawn raid | Designated company representative + counsel | Day 0 (hours)
Forensic imaging / seizure of devices | Forensic vendor under counsel direction / investigators | 0–7 days
Internal factual review and witness interviews | Company internal investigator + counsel | 1–7 days
Decision: self‑report / leniency / defensive strategy | Board + GC + counsel | 7–21 days
Prosecution / administrative measures / negotiation | Counsel and public prosecutor / authority | Weeks to months

Required Documents and Information

Having the right documents ready, and knowing which ones to withhold pending counsel review, is central to a controlled response. The table below serves as a documents checklist for an economic criminal investigation. Before producing any material, request a written statement from the investigators specifying the exact scope and categories of documents sought.

Document | Notes
Search warrant / authority document | Provided by the investigator. Photograph and request a copy. Check the issuing court or authority, scope, premises covered and time period.
Written notice of investigation | From the Public Prosecutor or Financial Police. Keep the original. Note the file reference and date.
Corporate governance documents | Articles of association, board minutes, shareholder registers. Company‑issued; provide certified copies.
Contractual and transaction documents | Contracts, purchase orders and correspondence relevant to the alleged conduct. Preserve in original format; provide copies only after counsel review.
Accounting records, invoices, bank statements | For the relevant periods. Collect and preserve electronically. Bank records may require a subpoena.
Employee device inventory | IT‑generated list of all company‑owned devices, including serial numbers, last‑sync dates and encryption status.
BYOD / mobile device policy | HR / IT policy documents. Essential for establishing the company’s authority over personal devices used for work.
Privilege log | Generated by counsel. Lists document IDs, sender, recipient and date, without disclosing privileged content.
Forensic image reports and chain‑of‑custody records | Forensic vendor‑produced; must be signed and timestamped.
Communication logs (email, messaging platforms) | Filtered exports only. Do not hand over blanket exports without counsel review.
Whistleblower / complaint file | HR / Compliance record. Handle with particular care under data‑protection rules.

Script when producing documents: “We are producing documents within the scope set out in [warrant/request reference]. We have asserted privilege over the items listed on the attached privilege log and request that those items not be reviewed until a court ruling is obtained.”

Timeline and Key Deadlines for an Economic Criminal Investigation in Austria

Austrian criminal procedure does not impose a single fixed deadline by which preliminary investigations must conclude. Timelines are driven by the complexity of the case, the volume of evidence and prosecutorial workload. The table below sets out the typical practical milestones. All durations should be treated as indicative; counsel should verify statutory requirements applicable to the specific case.

Milestone | Statutory Window / Typical Practice
Notification / dawn raid | Day 0, immediate
Forensic imaging and seizure review | 7–14 days for vendor imaging; authorities may retain seized items longer under StPO authority
Preliminary investigation phase | Weeks to months; no single statutory deadline, prosecutors decide on next steps as evidence accumulates
Charging / indictment (if applicable) | Commonly 1–6 months in complex economic cases; timing depends on case complexity
Trial dates | After indictment, scheduling depends on court calendar, months to more than one year
Administrative fines / settlement discussions | Typically negotiated within 1–3 months post‑investigation for corporate matters

Leniency and self‑reporting decisions should be made early; industry observers expect that companies demonstrating cooperation within the first 21 days receive more favourable treatment in settlement discussions. Diversion (Diversion) under the StPO may be available for certain offences, allowing the matter to be resolved without a public trial, provided conditions such as payment, community service or a probationary period are met.

Costs, Fees and Tax Considerations

The costs of responding to an economic criminal investigation in Austria can escalate rapidly. The table below provides indicative cost bands based on typical market rates. All figures are estimates and should be verified with the specific counsel and vendors engaged.

Item | Indicative Amount (EUR) | Notes
Emergency external counsel (first 24 hours) | €1,000 – €5,000 | Call‑out / flat opening fee; emergency response often billed at part‑day or day rates
Senior criminal counsel day rate | €1,200 – €4,000 per day | Depends on firm size and lawyer seniority
Forensic imaging and triage (single device) | €500 – €3,000 per device | Imaging, triage report and chain‑of‑custody documentation; volume discounts may apply
Forensic lab and expert report | €3,000 – €20,000+ | Cost driven by complexity and depth of analysis
Document production and privilege review | €1,000 – €10,000+ | Depends on volume and lawyer hours
Potential administrative fines / settlements | Variable | Depends on offence; some matters result in substantial fines, consult counsel
Tax treatment of remediation costs | Generally deductible (seek local tax advice) | Capitalisation vs expense treatment depends on Austrian tax law

Budget an initial emergency‑response fund of at least €10,000–€25,000 to cover the first week’s counsel and forensic costs. This figure can be significantly higher for multi‑site or multi‑suspect investigations.

What Changes in 2026: Seizure of Mobile Data and Device Rules

The most significant procedural development affecting how companies respond to an economic criminal investigation in Austria in 2026 concerns the seizure and examination of mobile data. Legislative amendments that took effect from 1 January 2025, and whose practical application has been reinforced through prosecutorial guidance across 2025–2026, introduced stricter safeguards around how investigators access the contents of smartphones, tablets, laptops and portable storage devices.

The key changes and their practical implications include:

  • Separate legal basis required. A general search warrant authorising the search of premises does not automatically entitle investigators to conduct a forensic examination of every device found on those premises. A specific legal basis addressing the examination of stored electronic data may be required, depending on the scope and the nature of the device contents.
  • Court authorisation thresholds raised. The amendments strengthened the circumstances in which court, rather than merely prosecutorial, authorisation is needed before data on personal devices is examined. Early indications suggest this has led to greater scrutiny of blanket device‑seizure requests.
  • Data minimisation obligations. Investigators are expected to target data relevant to the investigation and avoid indiscriminate copying of entire device contents where a more targeted approach is feasible.
  • Enhanced privacy protections. The reforms reflect growing alignment with GDPR principles and European Court of Human Rights jurisprudence on privacy. Companies and individuals can challenge disproportionate seizures.

Practical Checklist: What to Request from Investigators Under the 2026 Rules

  • Copy of the specific legal basis. Ask for the warrant or prosecutorial order that authorises examination of device contents, not just premises access.
  • Written scope statement. Request a description of the categories of data sought.
  • Sealed forensic image. Ask that devices be forensically imaged rather than physically removed, and that images be sealed until a court‑approved examination protocol is in place.
  • Custody receipt. Obtain a signed, timestamped record of every device seized or imaged.
  • Supervised access. Request that decrypted data be accessed only with a company‑appointed forensic observer or counsel present.

Common Pitfalls and How to Avoid Them

  • Making admissions without counsel present. Directors and employees may instinctively try to explain the situation. Any statement, however informal, can be used in evidence. Instruct all staff to decline substantive comment until counsel is present.
  • Allowing uncontrolled access to privileged files. If investigators review legally privileged communications without a privilege assertion, it may be difficult to reclaim protection. Always prepare a privilege log before any document production.
  • Failing to document the chain of custody. If the company cannot demonstrate that evidence was preserved without alteration, it loses credibility. Log every handover, use tamper‑evident bags, and insist on signed receipts.
  • Handing over personal or third‑party data unnecessarily. Producing personal employee data, customer records or third‑party IP without necessity can breach GDPR obligations and expose the company to parallel data‑protection claims. Counsel should vet every production for proportionality.
  • Destroying or altering evidence. Whether intentional or the result of automated deletion policies, destroying relevant evidence during an investigation is a criminal offence. Suspend all deletion routines immediately on notification.
  • Failing to manage forensic vendors contractually. Engage vendors under a written agreement that specifies scope, confidentiality, chain‑of‑custody standards and data‑handling protocols. Without this, forensic findings may be challenged as unreliable.

If a procedural deadline is missed, such as a time limit for responding to a production request, seek counsel immediately. Prompt notification to the prosecutor or investigating authority, accompanied by an explanation and a proposed remedy, can mitigate the consequences.

Conclusion

Understanding how to respond to an economic criminal investigation in Austria is a matter of structured preparation, immediate action and disciplined communication. The 2026 enforcement landscape, shaped by updated device‑seizure rules, stronger data‑minimisation requirements and active prosecutorial offices, demands that companies have a crisis playbook ready before the first knock on the door. Follow the steps, checklists and scripts in this guide, engage experienced counsel at the earliest opportunity, and find a criminal defence lawyer through the Global Law Experts directory to ensure your response is both legally sound and strategically effective.

Need Legal Advice?

This article was produced by Global Law Experts. For specialist advice on this topic, contact Nikolaus Sauerschnig at Gheneff – Rami – Sommer – Sauerschnig Rechtsanwälte GmbH & Co KG, a member of the Global Law Experts network.

Sources

  1. Bundesministerium für Justiz (BMJ), Austrian Federal Ministry of Justice
  2. Federal Ministry of Finance (BMF), Financial Police / Anti‑Fraud Office
  3. Bundeskriminalamt (BKA), Economic Crime Unit
  4. Schoenherr, Briefing on Seizure and Mobile Data (2025/2026)
  5. Austrian Government Citizens Portal (oesterreich.gv.at)
  6. Grant Thornton Austria, Forensic Investigation Services
  7. Legal 500, Austria White‑Collar Crime Guide
  8. Europol, Austria Member State Cooperation
  9. RIS (Rechtsinformationssystem des Bundes), Austrian Criminal Code (StGB) and Code of Criminal Procedure (StPO)
  10. eucrim, European Criminal Law Associations’ Forum

FAQs

What should a company do immediately when notified of an economic criminal investigation?
Preserve all potentially relevant evidence, instruct staff not to delete files, assemble the crisis response team (in‑house counsel, CEO, IT lead, HR), and engage external criminal defence counsel within hours. Do not make any statements to investigators until counsel is present.
Yes, but under the rules reinforced from 2025–2026, investigators generally require a specific legal basis to examine the contents of devices; a general search warrant may not suffice. Companies should request the legal authority, insist on forensic imaging rather than physical seizure where possible, and demand a custody receipt.
This depends on the strength of the evidence, the company’s compliance history and the offence type. Early self‑reporting, typically within the first 21 days, combined with documented remediation measures, can lead to more favourable outcomes in settlement or diversion discussions. The decision should be made with experienced criminal defence counsel.
Identify the lead investigator by name, badge number and agency (Financial Police, BKA or prosecutor). Request a copy of the warrant and note its scope. Say only: “We will cooperate within the scope of the warrant. Our counsel has been contacted and will attend shortly.” Do not volunteer additional information.
No. Communications between a company and its legal counsel are subject to legal professional privilege in Austria. Assert privilege immediately, prepare a privilege log listing each claimed document (without disclosing content), and request that disputed materials be sealed pending a court ruling.
Appoint Austrian criminal defence counsel without delay. Preserve evidence in all jurisdictions. Liaise with investigators exclusively through local counsel. Where cross‑border mutual legal assistance is involved, coordinate with lawyers in each relevant jurisdiction to ensure consistent responses.
There is no single statutory deadline. Preliminary investigations in complex economic cases commonly run for several months. From notification to charging, 1–6 months is typical; trial scheduling may add months or more than a year. Settlement or diversion discussions are often resolved within 1–3 months of the investigation concluding.