Website types
Pick the website type that is closest to your setup
The highlighted cards below identify the laws and regulations that are most commonly relevant for a website of this type and are usually the first areas to review. However, every website is different. This overview is intended as a general guide and should not be considered a substitute for professional legal advice or a formal legal review.
EU Laws
These laws create the main cross-border framework. If your site targets EU users, sells online, tracks visitors, or delivers a covered digital service, this is usually where the first layer of analysis starts.
GDPR
Usually relevant
Area of applicability
Almost any website that processes personal data of people in the EU or EEA. In practice this includes contact forms, analytics, newsletters, user accounts, CRM flows, embedded third-party tools, and many cookie-based trackers.
Most important obligations
- Use a valid legal basis for each processing activity.
- Provide a clear privacy notice and explain what data is used, why, and for how long.
- Control processors, transfers, and security measures instead of simply pasting in tools.
- Respect access, deletion, objection, and other data-subject rights in real workflows.
Potential fees / exposure
Administrative fines can reach EUR 20 million or 4% of worldwide annual turnover, whichever is higher. On top of that, orders, complaints, and damages claims are also possible.
European Accessibility Act
Usually relevant
Area of applicability
Relevant where the website or app is the user-facing channel for a covered product or consumer service, such as parts of e-commerce, banking, transport, e-books, communications, or audiovisual media access. It does not automatically cover every brochure site.
Most important obligations
- Make the covered digital journey accessible, not just isolated pages.
- Ensure content, forms, navigation, and transactions are perceivable and operable for users with disabilities.
- Provide accessibility information and keep it available in an accessible format.
- Build remediation and evidence processes instead of treating accessibility as a one-time design pass.
Potential fees / exposure
The directive sets the legal framework, but penalties are national. In Austria, practical enforcement risk sits mainly in the BaFG implementation layer described under Austrian Laws.
E-Commerce Directive
Usually relevant
Area of applicability
Providers of information society services, especially commercial websites, online service providers, webshops, and many digital platforms or intermediaries.
Most important obligations
- Provide clear provider information so users know who is behind the service.
- Make commercial communications identifiable and not misleading.
- Handle online contract information in a transparent way where e-contracting is involved.
- For intermediary-type services, understand the liability and notice-handling framework instead of assuming complete immunity.
Potential fees / exposure
The directive itself does not use one harmonized EU fine table. In Austria, the real exposure usually shows up through ECG offences, unfair-competition claims, and regulator or court action.
ePrivacy Directive and cookie rules
Usually relevant
Area of applicability
Any website that stores information on a user's device or reads from it, especially through analytics cookies, marketing pixels, A/B testing tools, chat widgets, replay tools, and similar trackers.
Most important obligations
- Get prior consent before setting non-essential cookies or similar technologies.
- Keep refusal as easy and visible as acceptance; no deceptive banner design.
- Separate necessary cookies from optional measurement or marketing tools.
- Avoid loading analytics or advertising scripts before consent is actually given.
Potential fees / exposure
There is no single EU-wide fine cap in the directive itself. In Austria, the practical exposure normally appears through TKG 2021 on the Austrian side, often combined with GDPR follow-up issues.
Austrian Laws
These are the laws that usually make the EU framework tangible in Austria. This is often where teams run into imprint duties, cookie enforcement, Austrian disclosure rules, or national accessibility implementation.
Datenschutzgesetz (DSG)
Lower priority
Area of applicability
Austria's national privacy layer alongside the GDPR. For websites, it matters mainly as the local supplement around Austrian procedure, authority practice, and certain national privacy rules.
Most important obligations
- Treat Austrian privacy compliance as GDPR plus local implementation, not GDPR alone.
- Align notices, complaint handling, and internal privacy processes with Austrian enforcement reality.
- Check whether local Austrian privacy expectations affect how forms, support, or internal handling are organized.
Potential fees / exposure
For most commercial websites, the main monetary exposure still comes from the GDPR fine regime. The DSG matters heavily for complaints, enforcement, and local procedural context.
Barrierefreiheitsgesetz (BaFG)
Usually relevant
Area of applicability
Austria's implementation layer for the European Accessibility Act. It becomes relevant when the Austrian business offers a covered product or consumer-facing service and the website or app is part of that delivery channel.
Most important obligations
- Make the in-scope digital service accessible in practice, including key user journeys.
- Provide accessibility information and keep it available to users.
- Build accessibility into design, procurement, content, and release processes instead of checking it only at the end.
- Keep documentation and remediation logic ready if an authority or market-surveillance body asks questions.
Potential fees / exposure
Exposure here is materially more serious than a typical imprint issue. Austria's implementation can lead to significant administrative fines and formal remediation orders, especially for persistent accessibility failures in in-scope services.
Telekommunikationsgesetz 2021 (TKG 2021)
Usually relevant
Area of applicability
Especially relevant for cookies and similar technologies, device access, and some electronic marketing practices. If your site uses analytics, advertising pixels, consent banners, or similar tracking, this law quickly becomes important.
Most important obligations
- Do not set non-essential analytics or marketing cookies before valid consent.
- Use a cookie banner that offers a real reject path and a real settings path.
- Make withdrawal and later changes possible instead of turning consent into a one-way action.
- Review marketing and tracking flows together rather than treating the banner as a cosmetic add-on.
Potential fees / exposure
Administrative fines are possible, and cookie mistakes can become costly quickly because they often sit next to GDPR exposure rather than replacing it.
E-Commerce-Gesetz (ECG)
Usually relevant
Area of applicability
A core Austrian law for commercial websites, webshops, and many online service providers. If a site is operated professionally and markets or sells online, ECG issues are often among the first Austrian checks.
Most important obligations
- Publish complete provider and contact information in a legally usable imprint.
- Add company-register, VAT, and profession-specific information where applicable.
- Keep commercial communications and online ordering information transparent.
- Make sure legal pages and provider details match the business actually operating the site.
Potential fees / exposure
Administrative fines are possible, but the bigger practical risk is often competitor action, injunctions, and avoidable legal cleanup costs caused by missing or defective provider information.
Mediengesetz
Lower priority
Area of applicability
Especially relevant where a website has editorial, publication-like, or recurring public-information characteristics, such as online magazines, company media sections, high-content blogs, or opinion-driven publication formats.
Most important obligations
- Check whether the site needs Austrian disclosure information beyond a standard commercial imprint.
- Identify media owner, publisher, and responsibility details where the medium rules require them.
- Treat publication-style sections with more care than a simple brochure page.
Potential fees / exposure
Administrative fines and media-law claims can arise, particularly where required disclosure information is missing or where a site behaves like a publication without carrying the matching legal details.