
EU AI Act in Austria: Authorities, Obligations, and the Road to Enforcement

Guide · 3 June 2026 · 17 min read · 3,507 words

EU AI Act applies in Austria without transposition. RTR KI-Servicestelle advises; authority designation pending. Penalties to €35M. Dec 2027 deadline.

Austria is a mid-sized EU economy with a substantial base in manufacturing, financial services, tourism technology, and public-sector digital services. Regulation (EU) 2024/1689 — the EU AI Act — applies in Austria directly, without any need for Austrian transposition. What Austria has not yet done, as of June 2026, is complete its national authority designation. The country announced a two-step approach: start with an advisory body at the RTR-GmbH, then evolve it into a fully empowered national AI authority. That process is underway but not finished.

This article sets out what is already legally required of companies operating in Austria, where enforcement stands today, how the advisory KI-Servicestelle interacts with the forthcoming national authority, how the EU AI Act overlaps with the GDPR, the corrected deadline picture following the Digital Omnibus, and what Austrian companies should be doing now.


A Regulation, Not a Directive: No Austrian Transposition Required

The EU AI Act is an EU Regulation. Under Article 288 TFEU, it applies in every Member State — including Austria — directly and without being written into national law. Austrian companies do not wait for an Austrian statute before their obligations bite.

Two sets of obligations are already in force. Article 5's prohibited practices — biometric categorisation by sensitive characteristics outside the permitted exceptions, social scoring, real-time remote biometric identification in public spaces (outside the law-enforcement carve-outs), subliminal manipulation, and exploitation of personal vulnerabilities — have applied since 2 February 2025. Companies using AI in any of those categories have been non-compliant for over a year if they have not restructured or stopped. The GPAI obligations under Chapter V (Articles 51–56), the governance framework, and the Article 99 penalty regime have applied since 2 August 2025.

What Austria must provide, as a Member State, is the national enforcement infrastructure: designated competent authorities with the powers to audit, investigate, and fine. That is the piece Austria has not yet completed.


Austria's Designation Is Still Taking Shape

Article 70 of the EU AI Act required each Member State to designate at least one national competent authority (NCA) — serving as market surveillance authority and, where relevant, notifying authority — by 2 August 2025. Austria missed that deadline.

Austria announced a KI-Maßnahmenpaket (AI measures package) that sets out a two-step approach. The first step is the establishment of the KI-Servicestelle (AI Service Desk) within the RTR-GmbH (Rundfunk und Telekom Regulierungs-GmbH), Austria's existing telecoms and broadcasting regulator. The KI-Servicestelle is currently an advisory body: it helps stakeholders understand their obligations, provides guidance on how the EU AI Act applies, and builds up institutional knowledge in anticipation of the second step. It does not, at this stage, hold market-surveillance powers, the authority to demand technical documentation, or the power to impose Article 99 fines.

The second step is the planned transition of the RTR/KI-Servicestelle into a dedicated national AI authority with the full range of competences required by the Act: market surveillance, conformity assessment oversight, and certification functions. The KI-Maßnahmenpaket also covers AI transparency and labelling obligations, and competence-building across Austrian industry and public administration.

That transition has not been formally completed as of June 2026. Companies operating in Austria should treat the designation as pending, not settled. The KI-Servicestelle is a genuine resource for understanding your obligations — but the enforcement architecture that can investigate, issue corrective orders, and impose fines is still being constructed.


Who Will Enforce the EU AI Act in Austria?

RTR KI-Servicestelle: Advisory Today, Future Authority Tomorrow

The RTR-GmbH hosts the KI-Servicestelle as Austria's current point of contact for EU AI Act questions. Today it functions as a guidance and education body — publishing guidance documents, answering stakeholder queries, and helping organisations understand where their AI systems sit in the Act's classification framework. It is the right first stop for Austrian companies trying to work out whether a system is prohibited, high-risk, limited-risk, or minimal-risk.

When Austria's two-step KI-Maßnahmenpaket is completed, the RTR — or a dedicated authority standing alongside it — will take on market-surveillance powers under Article 74 and related provisions. That means authority to audit technical documentation, review conformity assessments, examine Article 72 post-market monitoring records, issue corrective orders, require recalls or withdrawals from the market, and refer cases for administrative penalties. The contours of that transition are not yet locked down in enacted law.

The Austrian DSB: Relevant for High-Risk AI and Personal Data

The Datenschutzbehörde (DSB) — Austria's national data protection authority — is relevant wherever high-risk AI systems process personal data. That describes nearly every Annex III system: recruitment screening, creditworthiness scoring, biometric identification, public-benefit eligibility, and law enforcement AI all process personal data at their core.

The GDPR does not disappear when the EU AI Act applies. The obligations stack. For AI systems that process personal data in an Annex III high-risk context, companies should anticipate interest from both the eventual Austrian AI authority (market surveillance) and the DSB (data protection). Building both GDPR compliance and EU AI Act compliance in parallel is more efficient than treating them as separate programmes.

EU AI Office: GPAI Provider Supervision

Austrian companies that develop and place general-purpose AI (GPAI) models on the market — whether open- or closed-weight — are supervised not by any Austrian authority but directly by the EU AI Office in Brussels. The AI Office holds competence over GPAI obligations under Articles 53 and 55. Austrian GPAI model providers should engage with the AI Office's codes of practice process and follow EU AI Office guidance rather than waiting for national direction.


How Austria's Framework Interacts with the GDPR

The GDPR and the EU AI Act run concurrently for AI systems that process personal data. That covers essentially every Annex III high-risk system and a significant portion of Article 50 limited-risk deployments.

The most direct intersection is between two mandatory assessments. GDPR Article 35 requires a Data Protection Impact Assessment (DPIA) before processing that is likely to result in high risk to natural persons — which an Annex III high-risk AI deployment almost certainly is. Article 27 of the EU AI Act requires certain deployers to conduct a Fundamental Rights Impact Assessment (FRIA) before putting a high-risk AI system into service. Both must be completed before deployment, both require documented analysis, and both must be available for supervisory inspection. Article 27(4) explicitly acknowledges that the FRIA can build on an existing DPIA; in practice, the factual foundation of both assessments — the system description, the data flows, the affected populations, the potential harms — overlaps substantially, and a well-structured DPIA can provide the raw material for the FRIA.

A second practical overlap concerns record-keeping and automated decisions. Article 12 of the EU AI Act requires record-keeping systems for high-risk AI. GDPR Article 22 governs automated decision-making and requires providing meaningful information about the logic involved, as well as enabling human review. An Austrian company using an AI credit-scoring model faces simultaneous obligations under both instruments on documentation, transparency, and human intervention. The compliance workload is real — but it is substantially the same documentation task viewed through two different legal lenses.

For Austrian public bodies, the DSB has established DPIA guidance under GDPR Article 35. Those bodies deploying high-risk AI systems should extend that DPIA work explicitly to cover the Article 27 FRIA requirements, treating the two assessments as a coordinated exercise rather than separate compliance efforts.


The EU AI Act Timeline as It Applies in Austria

Date | What applies
2 February 2025 | Article 5 prohibited practices and Article 4 AI literacy — in force, enforceable now
2 August 2025 | GPAI obligations (Chapter V, Articles 51–56), governance, EU AI Office, Article 99 penalties
2 August 2026 | General application including Article 50 limited-risk transparency (chatbots, deepfakes, synthetic-content marking, emotion recognition disclosure)
2 December 2027 | Stand-alone high-risk AI systems (Annex III list) — deferred under the Digital Omnibus
2 August 2028 | High-risk AI as safety components of Annex I regulated products — deferred under the Digital Omnibus

The Digital Omnibus — the Commission's amendment package, for which the European Parliament and Council reached political agreement on 7 May 2026, with formal adoption expected before 2 August 2026 — pushed the original August 2026 high-risk deadline back to 2 December 2027 for stand-alone Annex III systems and 2 August 2028 for AI embedded in Annex I regulated products. That deferral is not an invitation to pause. An Article 9 risk management system, Annex IV technical documentation, Article 14 human oversight controls, and a conformity assessment under Article 43 represent six to twelve months of focused work for most organisations. Companies that start in 2026 will be ready; companies that start in mid-2027 will not.

Article 5 is already in force and has been since February 2025. Austria's incomplete authority designation does not affect that: the prohibitions are legally binding on Austrian companies now, and enforcement can follow from the EU level or, once designation is complete, from the national authority.


Penalties: What Companies in Austria Face

The penalty framework is Article 99 of Regulation (EU) 2024/1689. Austria will apply these through domestic enforcement procedures once the national authority is designated and empowered. Three tiers, each "whichever is higher" of a fixed sum or a percentage of total worldwide annual turnover:

  • €35,000,000 or 7% — for violations of the Article 5 prohibitions. This ceiling has applied since 2 August 2025.
  • €15,000,000 or 3% — for non-compliance with most other obligations: high-risk requirements (Articles 9–15), provider obligations (Article 16), deployer obligations (Article 26), and Article 50 transparency duties.
  • €7,500,000 or 1% — for supplying incorrect, incomplete, or misleading information to notified bodies or competent authorities.

For companies below a certain size, Article 99(6) provides a genuine proportionality protection: for SMEs and start-ups, the fine is capped at the lower of the fixed amount or the percentage. A company with €8 million annual turnover cannot face a €15 million fine for a high-risk obligation breach — 3% of €8 million is €240,000, and that is the applicable ceiling. Smaller Austrian companies should note this protection, but should not treat it as a reason to defer compliance: the reputational and operational exposure of a non-compliant AI system goes beyond the fine itself.

One example: an Austrian public transport authority deploying a predictive policing AI for route security that falls within an Article 5 prohibition would face the top tier — up to €35 million or 7% of turnover. For a large public body or a listed company, 7% of worldwide turnover can far exceed the fixed €35 million sum.

GPAI-specific fines are a separate instrument: the Commission may fine GPAI model providers up to €15 million or 3% under Article 101.


Austria-Specific Compliance Considerations

Industrial and Annex I Product Routes

Austria has a significant manufacturing sector — mechanical engineering, electronics, industrial automation — and companies embedding AI into machinery or safety-critical products face the Annex I product route rather than the Annex III route. Where AI is a safety component of a product covered by EU product regulation (the revised Machinery Regulation (EU) 2023/1230, medical device regulation, or similar), it is classified as high-risk under Article 6(1) rather than Article 6(2) + Annex III. The deadline for those systems is 2 August 2028 under the Digital Omnibus. Critically, the conformity assessment pathway under Article 43 for Annex I products typically involves a Notified Body — the more demanding third-party route, not self-assessment. Austrian manufacturers embedding AI into safety systems should identify and engage suitable Notified Bodies well ahead of the 2028 deadline; capacity at accredited bodies is limited.

Regulatory Sandbox Access

Article 57 of the EU AI Act requires each Member State to establish at least one regulatory sandbox by 2 August 2026, with priority access and reduced fees for smaller companies under Article 58. Sandboxes allow companies to develop and test AI systems in a controlled environment before they go to market. Austrian companies — particularly those developing novel high-risk applications — should monitor developments from the RTR/KI-Servicestelle on sandbox access once the authority transition completes.

Public Sector: Mandatory FRIA Under Article 27

Austrian federal agencies (Bundesbehörden), Länder authorities, and public-service deployers are among the mandatory Article 27 FRIA subjects. Article 27 requires deployers that are public bodies — or that provide certain services of public interest using high-risk Annex III AI — to complete a Fundamental Rights Impact Assessment before deployment. For creditworthiness and health/life insurance systems (Annex III points 5(b) and 5(c)), private deployers are also within scope. The FRIA must be documented, updated when the deployment context changes materially, and available for supervisory inspection. Austrian public bodies should treat this as a pre-deployment gate, not an optional exercise.

Article 25 and Role Shifts: The Customisation Risk

Most Austrian companies deploying third-party AI tools sit in the deployer role under Article 26. But companies that substantially modify a high-risk AI system — fine-tuning a model on proprietary data, adjusting its intended purpose, or placing it on the market under their own name — can cross the Article 25 line into full provider obligations under Article 16. That means re-conducting the conformity assessment, rebuilding the Annex IV technical documentation pack, and issuing a fresh Article 47 / Annex V Declaration of Conformity. Austrian software companies and technology integrators that adapt AI tools for their customers should complete the Article 25 analysis before assuming they are simply deployers.

Using the KI-Servicestelle While Designation Is Pending

The RTR KI-Servicestelle is genuinely useful. While it does not hold enforcement powers, its guidance and advisory output help companies understand where their systems sit in the Act's classification framework and what documentation obligations apply. Austrian companies should track its publications and use it as a reference point while Austria's national authority designation is completed.


How Confir Helps Companies in Austria

Austrian compliance teams building EU AI Act programmes face the same documentation challenge as elsewhere in the EU — Article 9 risk management records, Annex IV technical documentation, Article 27 FRIAs, conformity preparation under Article 43, Article 72 post-market monitoring logs, an Article 49 registration, and an AI inventory to underpin all of it. With no fully empowered national authority yet designated in Austria, there is no enforcement body yet issuing formal guidance on local expectations — which makes self-structuring the compliance programme more important, not less.

Confir is an EU-hosted compliance tool built specifically for this work. Its classification engine is rule-based and deterministic: it encodes Articles 5 and 6 with Annex III logic in explicit rules, so the same intake produces the same finding every time, with a human-readable explanation of which rule fired. No inference, no hallucination — a deliberate design choice for a product whose output has to hold up in front of a regulator. Confir generates the full Annex IV technical documentation pack, the Article 47 / Annex V Declaration of Conformity, and the Article 27 FRIA. The structured assessment covers four areas: risk classification and compliance (AIRC), data and technical robustness (AITR), transparency and human oversight (AITO), and governance and post-market monitoring (AIGM). Self-serve from €600 per year, credit-card checkout, no consulting engagement or enterprise sales cycle required.


What Companies in Austria Should Do Now

Immediately — Article 5 prohibitions apply now. Audit any AI system that may involve biometric categorisation by sensitive characteristics, real-time remote biometric identification in public spaces, social scoring by public authorities, subliminal or manipulative techniques, or exploitation of individual vulnerabilities. If a system fits an Article 5 category and no exemption applies, it must be stopped or restructured. This has been true since 2 February 2025. Austria's pending authority designation provides no shield.

Before 2 August 2026 — Article 50 transparency. Any AI system that interacts with natural persons — chatbots, voice assistants, customer-facing AI tools — must comply with Article 50's transparency and disclosure requirements: users must know when they are interacting with AI, when content is synthetically generated, and when emotion recognition is in use. This is not the high-risk deadline, but it is a genuine obligation with a hard date in less than two months from today.

2026–2027 — High-risk preparation toward 2 December 2027. Companies with stand-alone Annex III systems have until 2 December 2027 under the Digital Omnibus deferral. Use 2026 to build the AI inventory and classification, apply the Article 6(3) filter to identify which systems genuinely land in high-risk categories, assign provider and deployer roles under Articles 16 and 26, and begin documentation. Organisations building AI into regulated products (Annex I route) should simultaneously engage Notified Bodies for the 2028 track.

Use the RTR KI-Servicestelle. While Austria's full authority designation is pending, the KI-Servicestelle is the primary national resource for guidance on obligations. Monitor its publications and treat its advisory output as the closest available proxy for how the eventual Austrian national AI authority is likely to interpret the Act.


Frequently Asked Questions

Has Austria designated a national competent authority for the EU AI Act?

Not yet, as of June 2026. Austria missed the 2 August 2025 Article 70 designation deadline. Under its KI-Maßnahmenpaket, Austria has established the KI-Servicestelle at the RTR-GmbH as an advisory body, with a planned second step to convert it into a fully empowered national AI authority responsible for market surveillance, conformity assessment oversight, and certification. The timing of that transition has not been enacted into law.

What is the RTR KI-Servicestelle and what can it do?

The KI-Servicestelle is an advisory body hosted by the RTR-GmbH (Austria's telecoms and broadcasting regulator). It provides guidance and educational support to stakeholders seeking to understand their EU AI Act obligations. It does not currently hold market-surveillance powers, the authority to demand technical documentation, or the power to impose administrative fines. Those powers will follow once Austria completes the authority designation under its two-step KI-Maßnahmenpaket.

Does the EU AI Act apply in Austria even though no national authority has been designated?

Yes. Regulation (EU) 2024/1689 is directly applicable in Austria under Article 288 TFEU. The absence of a designated national competent authority does not suspend any obligations. Article 5 prohibitions have been enforceable since 2 February 2025; GPAI and penalty provisions since 2 August 2025. Once Austria's designation is complete, the national authority will have retrospective enforcement reach for past conduct.

When is the high-risk compliance deadline for Austrian companies?

Under the Digital Omnibus (political agreement reached 7 May 2026), stand-alone high-risk AI systems on the Annex III list have until 2 December 2027. High-risk AI embedded in Annex I regulated products — machinery, medical devices — has until 2 August 2028. The original August 2026 deadline was deferred. Article 5 prohibitions are already in force.

What penalties can companies in Austria face?

Article 99 sets three tiers: €35 million or 7% of worldwide annual turnover for Article 5 prohibition breaches; €15 million or 3% for most other obligations including high-risk AI requirements and deployer duties under Article 26; and €7.5 million or 1% for supplying incorrect or misleading information to authorities or notified bodies. Article 99(6) caps fines for SMEs and start-ups at the lower of the fixed amount or the percentage.

How do the GDPR and the EU AI Act interact for Austrian companies?

The two regimes stack wherever AI processes personal data. The key practical overlap is between the GDPR's Article 35 DPIA and the EU AI Act's Article 27 FRIA — both must be completed before deploying high-risk AI systems involving personal data, and both cover similar factual ground. Article 27(4) lets the FRIA build on an existing DPIA. Record-keeping under Article 12 of the AI Act also intersects with GDPR Article 22 automated-decision obligations. For companies with personal data exposure, designing both programmes together is more efficient than running them separately.

Is an Austrian company using a third-party AI tool a provider or a deployer?

Most companies using a third-party AI tool are deployers under Article 26. The distinction matters: deployers have lighter obligations than providers, though they must follow instructions, maintain logs, ensure human oversight, and (for certain public-interest or creditworthiness contexts) run an Article 27 FRIA. But a company that substantially modifies a high-risk AI system, re-labels it under its own name, or repurposes it for a different intended use crosses the Article 25 line and takes on full provider obligations under Article 16 — including re-running conformity assessment.

