Austria has moved from passive transposition to active enforcement of digital services obligations. The Austrian regulatory authority – the Kommunikationsbehörde Austria (KommAustria. The Austrian communications regulator) – has issued binding guidance and announced enforcement actions against providers that have not yet aligned their operations with the full set of requirements flowing from EU digital services legislation. International technology companies operating in Austria, or actively targeting Austrian users, now face a hard compliance deadline. Missing it carries the risk of fines, service suspension orders, and reputational damage in one of the EU's most commercially significant markets.
Austria's implementation of EU digital services legislation requires technology companies, online platforms. Additionally, digital intermediaries to meet new obligations around algorithmic accountability. Content moderation transparency. Additionally, software liability by the compliance deadline established under the Austrian regulatory system. Providers with active user bases in Austria must designate a local legal representative and register with KommAustria. Companies that fail to act before the enforcement window closes face administrative penalties calibrated to annual global turnover.
This alert identifies the businesses affected, the threshold criteria that determine obligation intensity, and the immediate steps international companies should take now.
What has changed and when it takes effect
EU digital services legislation – now in full application across all member states – establishes a layered set of obligations for providers of digital services, covering everything from basic hosting to very large online platforms. Austria's national implementation statute, enacted through dedicated digital services legislation, designates KommAustria as the competent Digital Services Coordinator for Austria. This designation became fully operative in early 2025.
KommAustria has published its first enforcement priorities for 2025 and 2026. The authority is specifically targeting three gaps. First, providers that have not appointed a legal representative in Austria or the EU. Second, platforms that have not filed the required transparency reports on content moderation decisions. Third, services using recommender systems or automated decision-making that have not published the required algorithmic accountability documentation.
The compliance baseline applies from the moment a service is directed at Austrian users – regardless of where the provider is incorporated. A technology company headquartered in the United States, Singapore, or Brazil is subject to these rules if it actively targets Austrian consumers or businesses. The Digitalrechtsgesetz (Austrian digital law instrument) gives KommAustria the power to issue compliance orders within 30 days and to impose fines thereafter.
For AI Act compliance specifically, Austria mirrors the EU-wide phased schedule. Prohibited AI practices were banned from February 2025. Requirements for high-risk AI systems enter full application during 2026. Austrian authorities have confirmed they will coordinate enforcement with the EU AI Office. Providers deploying AI-driven digital services in Austria must therefore address both sets of obligations simultaneously.
Which companies are affected and the threshold criteria
The obligations apply to any provider of digital services – including online marketplaces, social networks, app stores, cloud computing services, and technology licensing platforms – that direct services at users in Austria. The intensity of obligations scales with provider size and the nature of the service.
Tier 1 – All providers: Every digital intermediary, regardless of size, must comply with basic transparency obligations and designate a single point of contact for Austrian regulatory correspondence.
Tier 2 – Providers above the micro-enterprise threshold: Companies with more than 50 employees or annual turnover exceeding the micro-enterprise ceiling under EU legislation must implement full content moderation reporting. Maintain accessible complaint-handling mechanisms. Additionally, publish terms of service in German.
Tier 3 – Very large online platforms and search engines: Providers reaching the threshold of 45 million average monthly active users across the EU are subject to the most demanding regime. This includes independent annual audits, data access obligations for researchers, and heightened algorithmic accountability requirements. These providers must notify the European Commission and KommAustria of their status.
For AI-enabled digital services, the risk classification under AI Act compliance rules adds a further layer. A recommender system used by a technology licensing platform may be classified as a high-risk AI system. That classification triggers conformity assessment obligations, registration in the EU database, and ongoing post-market monitoring. Austrian businesses and international providers alike are expected to conduct this classification exercise now – not when enforcement begins.
Providers of software liability-sensitive applications. including automated contract-formation tools, credit-scoring systems. Additionally. AI-assisted hiring platforms. must also assess whether their services fall within the scope of the incoming EU product liability rules as applied in Austria. The interaction between digital services rules and product liability legislation is a live enforcement area for KommAustria in 2026.
For specialist counsel on how these obligations apply to your specific service category, contact us at Ferraz & Whitmore's AI and technology law practice in Austria or reach out directly to info@ferrazwhitmore.com.
Immediate actions for international companies
The following steps address the highest-priority compliance gaps identified by KommAustria in its 2025–2026 enforcement programme. International companies should treat these as sequential, not parallel – the representative appointment must come first, as it unlocks formal regulatory dialogue.
- Appoint an EU or Austrian legal representative. If your company is not established in the EU, you must designate a legal representative in an EU member state. Austria accepts representatives established elsewhere in the EU, but KommAustria strongly prefers a locally reachable contact for enforcement correspondence. Failure to appoint is itself an infringement – and one KommAustria has begun citing in its first-wave enforcement decisions.
- Register with KommAustria and file your initial transparency report. Providers above the micro-enterprise threshold must notify KommAustria of their service category, user volume, and content moderation arrangements. The registration process requires submission of basic company documentation and a description of complaint-handling procedures. First-time filers should allow four to six weeks for the complete submission cycle.
- Audit your algorithmic accountability documentation. Any service using automated ranking, content filtering, or recommender systems must maintain accessible, up-to-date descriptions of those systems' parameters and the main criteria used. This documentation must be available to users and to KommAustria on request. Many international providers have this documentation in English only – Austrian rules require it in German for consumer-facing services.
- Classify your AI systems under the AI Act framework. Map every AI component in your digital service against the prohibited, high-risk, and limited-risk categories. Document the classification reasoning. Where a system is borderline, the safer position is to treat it as high-risk and begin conformity assessment. Reclassification downward is possible; enforcement for an unclassified high-risk system is not.
- Review your technology licensing and software liability exposure. Austrian courts have applied civil liability rules to software providers whose products caused damage through defective automated outputs. Review your service terms, indemnity provisions, and incident-response procedures against the incoming product liability rules. Where your contracts are governed by Austrian law, update them now rather than after an enforcement event.
Intellectual property considerations are also relevant here. Technology companies restructuring their Austrian compliance operations should review whether their software and platform architecture requires updated protection strategies. Our analysis of intellectual property protection in Austria provides a detailed overview of registration, enforcement, and licensing options under Austrian IP legislation.
For companies operating across multiple EU jurisdictions, Austria's enforcement posture is part of a broader pattern of Digital Services Coordinator activation across Europe. A parallel assessment of obligations in other EU member states is advisable. Our alert on digital services developments in Portugal illustrates how implementation approaches differ across civil law EU jurisdictions.
About Ferraz & Whitmore
Ferraz & Whitmore is an international law firm based in Lisbon, advising technology companies, digital platform operators, and institutional investors across 46 jurisdictions. Our AI and technology law practice supports clients through AI Act compliance, algorithmic accountability audits, digital services registration, and technology licensing reviews across European and international markets. As a law firm in Austria and across the EU, we combine Portuguese civil law expertise with English common law tradition to deliver cross-border legal solutions for companies facing concurrent regulatory obligations in multiple jurisdictions. Our IP and technology team includes practitioners with experience before Austrian regulatory bodies and the EU AI Office. Engaging a lawyer in Austria with cross-border regulatory experience is particularly valuable where EU-level and national-level enforcement timelines interact. To discuss your company's compliance position under Austria's digital services rules, contact us at info@ferrazwhitmore.com.
Disclaimer: This publication is provided for informational purposes only and does not constitute legal advice. The information herein should not be relied upon as a substitute for professional legal counsel tailored to your specific circumstances. Ferraz & Whitmore assumes no liability for actions taken or not taken based on the contents of this material. For advice regarding your particular situation, please contact info@ferrazwhitmore.com.