The Austrian Network and Information Systems Security Act (NISG) already requires that:

“The operator shall ensure that employees are trustworthy and aware of their responsibilities. Furthermore, the operator shall ensure that employees are qualified for the roles assigned to them.”

With the upcoming NIS2 Directive, this requirement becomes even more specific. Annex 3, Section 5(b), refers to mandatory background checks for security-sensitive roles. Likewise, the internationally recognized ISO/IEC 27001 standard requires, under control A.6.1, appropriate background verification of all candidates prior to employment, proportionate to the organization’s business requirements, the classification of the information to be accessed, and applicable laws, regulations, and ethical considerations.

But what does this mean in practice? How far can employers go? And what is actually permitted?

Why Background Checks Are Becoming More Important

Effective risk management begins with hiring the right people.

A study by the Association of Certified Fraud Examiners (ACFE) found that in 85% of internal fraud cases, the perpetrators had already exhibited behavioral warning signs before being hired—yet were employed regardless.

Particularly for security-sensitive positions or roles in high-risk environments, pre-employment screening is a valuable preventive measure. It helps organizations identify applicants who may pose a legal, financial, or security risk — for example due to falsified qualifications, criminal records, a history of financial crime, or extremist affiliations.

What Is Pre-Employment Screening?

Pre-employment screening refers to structured background checks performed during the hiring process. The objective is to identify applicants who may present legal, financial, or security-related risks before they join the organization.

Depending on the industry and the specific role, a screening may include:

  1. Verification of résumés and professional references
  2. Criminal record or police clearance certificate
  3. Credit history or financial background check
  4. Review of publicly available online presence
  5. Verification of academic qualifications
  6. Identity verification (particularly for remote hiring)

In sectors such as banking or other critical industries (e.g. energy or aviation), such background checks are sometimes required by law (for example under Section 39 of the Austrian Banking Act).

However, the scope and depth of the screening must always be proportionate to the responsibilities and risks associated with the position.

What Is Permitted — and What Is Not?

Pre-employment screening is legally permissible — but only within clearly defined legal boundaries.

Permitted are background checks that:

  • serve a legitimate business interest,
  • are transparent,
  • are based on the applicant’s informed and voluntary consent,
  • are proportionate to the position,
  • and comply with applicable data protection laws such as the GDPR and Section 26 of the German Federal Data Protection Act (BDSG).

In practice, this means that the extent of the screening should always reflect the specific role. A credit check for a prospective accountant may be justified; the same check for a cleaning staff position would generally be considered disproportionate.

Not permitted are investigations without a valid legal basis, including:

  1. Requesting information without the applicant’s consent (e.g. criminal record extracts)
  2. Evaluating private social media content that is unrelated to the role
  3. Processing health data without a legitimate legal or medical justification
  4. Conducting blanket or discriminatory checks (e.g. based on religion)

The most relevant legal provisions include:

  1. Articles 5, 6, and 9 of the GDPR (purpose limitation, data minimization, and protection of special categories of personal data)
  2. Section 26 of the German Federal Data Protection Act (BDSG) governing employee-related data processing
  3. Industry-specific legislation, such as Section 39 of the Austrian Banking Act (BWG) or requirements under aviation security legislation

Conclusion: Organizations must conduct an individual risk assessment for every position and ensure that pre-employment screenings are carried out proportionately, transparently, and in compliance with applicable laws. In most cases, the applicant’s consent is required — and this consent must be voluntary, informed, and revocable.

Prevention vs. Oversight: What Organizations Should Know

Background checks are not a silver bullet — but they are an important component of a comprehensive security strategy. They should be embedded within a holistic Internal Control System (ICS) that also includes technical and organizational measures such as the principle of least privilege and separation of duties.

Organizations should also be aware that not every risk is visible in advance. According to the ACFE study, 83% of internal fraud cases were committed by first-time offenders. A background check is therefore not a guarantee against insider threats, but rather a preventive measure—nothing more, and certainly nothing less.

Conclusion: People Are Both the Greatest Asset—and the Greatest Risk

Background checks help organizations make informed hiring decisions and manage security risks proactively. For operators of critical infrastructure and ISO-certified organizations, they are no longer merely a best practice—they are increasingly becoming a regulatory and standards-based requirement.

Organizations that rely solely on résumés and intuition expose themselves to unnecessary risk. Those that conduct legally compliant, transparent, and proportionate background checks not only protect their business, but also their employees, partners, and customers.

Sources:

  1. https://www.nis.gv.at/dam/jcr:bbe1c393-ba27-43b3-8d38-890610cfcc75/NIS_Factsheet_9_2022_1_0.pdf
  2. https://acfepublic.s3.us-west-2.amazonaws.com/2022+Report+to+the+Nations.pdf