15 May 2025
newsletter
austria

Digital Law Monitor Austria: recent developments in the field of digitalisation law

Keeping up with developments in Digital Law is an increasing challenge.

To assist you in handling this challenge, we have created this comprehensive (though not necessarily complete) overview of these developments and will update it on a regular basis. This overview includes legal acts, draft legal acts, guidelines and occasionally other legal materials.

For weekly news, please subscribe to the Schönherr Datenschutzmonitor for updates on legal acts and guidelines (in German).

EU Legal Acts, Guidelines and more

Regulations

  • Passenger Data Regulation
  • Passenger Data Regulation for Law Enforcement
  • Managed Security Services Regulation
  • Cyber Solidarity Act
  • European Health Data Space Regulation

Directives

  • Corporate Directive on Digital Tools

Commission Guidelines

  • Draft Commission Guidelines on prohibited AI practices
  • Draft Commission Guidelines on the definition of an AI system established by AI Act

European Data Protection Board

  • Guidelines 01/2025 on Pseudonymisation
  • Guidelines 02/2025 on processing of personal data through blockchain technologies

Commission Delegated and Implementing Regulations (incl. drafts)

  • Digital Operational Resilience Act (DORA)
  • Markets in Crypto-Assets Regulation (MiCAR)
  • Cyber Resilience Regulation (CRA)
  • EU Customs Code

Austrian Acts

  • Health Telematics Adjustment Ordinance 2025
  • FATF Report Adjustment Act 2024 
  • BMKÖS Data Retention Ordinance
  • Amendment of the Ordinance on the e-justice system (ERV 2021)
  • Transparency Database Query Ordinance 2025
  • Ordinance of the Federal Minister of the Interior on the e-justice system in the Field of Criminal Justice

EU Legal Acts, Guidelines and more

Regulations
Passenger Data Regulation

  • On 08.01.2025 the "Regulation (EU) 2025/12 of the European Parliament and of the Council of 19 December 2024 on the collection and transfer of advance passenger information for enhancing and facilitating external border checks, amending Regulations (EU) 2018/1726 and (EU) 2019/817, and repealing Council Directive 2004/82/EC", OJ L 2025/12, was published.
    The Passenger Data Regulation imposes an obligation on airlines to collect so-called API data (advance passenger information) for flights to the EU and to transmit this data in encrypted form to the competent border authorities. The API data includes identification, aircraft and baggage data.

 

Passenger Data Regulation for Law Enforcement

  • On 08.01.2025 the "Regulation (EU) 2025/13 of the European Parliament and of the Council of 19 December 2024 on the collection and transfer of advance passenger information for the prevention, detection, investigation and prosecution of terrorist offences and serious crime, and amending Regulation (EU) 2019/818", OJ L 2025/13, was published.
    The Passenger Data Regulation for Law Enforcement imposes an obligation on airlines to transmit encrypted API data and other PNR data to the so-called Passenger Information Units (PIU) in order to combat transnational serious and organized crime and terrorism.

 

Managed Security Services Regulation

  • On 15.01.2025 the "Regulation (EU) 2025/37 of the European Parliament and of the Council of 19 December 2024 amending Regulation (EU) 2019/881 as regards managed security services", OJ L 2025/37, was published.
    The Managed Security Services Regulation introduces European schemes for cybersecurity certification. It also creates a European certification framework for cybersecurity.

 

Cyber Solidarity Act

  • On 15.01.2025 the "Regulation (EU) 2025/38 of the European Parliament and of the Council of 19 December 2024 laying down measures to strengthen solidarity and capacities in the Union to detect, prepare for and respond to cyber threats and incidents and amending Regulation (EU) 2021/694 (Cyber Solidarity Act)", OJ L 2025/38, was published.
    The Cyber Solidarity Act establishes measures to strengthen the EU's capacity to detect, prevent and respond to cyber threats and security incidents.

 

European Health Data Space Regulation

  • On 05.03.2025 the "Regulation (EU) 2025/327 of the European Parliament and of the Council of 11 February 2025 on the European Health Data Space and amending Directive 2011/24/EU and Regulation (EU) 2024/2847" was published, OJ L 2025/327.
    The European Health Data Space Regulation specifies, inter alia, the rights of natural persons regarding the primary and secondary use of their personal electronic health data. The aim of the Regulation is to improve natural persons' access to their personal electronic health data.

 

Directives
Corporate Directive on Digital Tools

  • On 10.01.2025 the "Directive (EU) 2025/25 of the European Parliament and of the Council of 19 December 2024 amending Directives 2009/102/EC and (EU) 2017/1132 as regards further expanding and upgrading the use of digital tools and processes in company law", OJ L 2025/25, was published.
    The aim of the Corporate Directive on Digital Tools is to facilitate the cross-border establishment of companies, the registration of branches and the submission of documents and information to the business registers by creating digital tools and processes.

 

Commission Guidelines
Commission Guidelines on prohibited AI practices

  • On 04.02.2025 the European Commission published its Draft Commission Guidelines on prohibited AI practices.
    The "Commission Guidelines on prohibited AI practices" provide a detailed definition of the prohibited AI systems described in Art. 5 of the AI Act. The Guidelines also attempt to clarify the difference between prohibited and permissible AI practices by using examples. For instance, the examples address the permissibility of AI practices such as social scoring and real-time biometric identification. Additionally, the Commission Guidelines deal with interactions with other EU legal acts, such as the GDPR, the DSA, etc.

 

Commission Guidelines on the definition of an AI system established by AI Act

 

European Data Protection Board (EDPB)
Guidelines 01/2025 on Pseudonymisation

  • On 17.01.2025 the EDPB published its Guidelines 01/2025 on Pseudonymisation.
    The "Guidelines 01/2025 on Pseudonymisation" offer detailed guidance on pseudonymization techniques and the effects of pseudonymization.

 

Guidelines 02/2025 on processing of personal data through blockchain technologies

  • On 14.04.2025 the EDPB published its Guidelines 02/2025 on processing of personal data through blockchain technologies 1.1.
    The "Guidelines 02/2025 on processing of personal data through blockchain technologies" offer detailed guidance on the interaction between blockchain technologies and the GDPR. The guidelines discuss roles and responsibilities, international transfers, retention periods, security, data protection impact assessments, data subject rights and much more.

 

Commission Delegated and Implementing Regulations
Digital Operational Resilience Act (DORA)

  • On 13.02.2025 the "Commission Delegated Regulation (EU) 2025/295 of 24 October 2024 supplementing Regulation (EU) 2022/2554 of the European Parliament and of the Council with regard to regulatory technical standards on harmonisation of conditions enabling the conduct of the oversight activities" was published, OJ L 2025/295.
    This Delegated Regulation supplements "Regulation (EU) 2022/2554 on digital operational resilience for the financial sector" (DORA) with regard to regulatory technical standards for the provision of information which must be provided by so-called ICT third-party service providers.

 

  • On 20.02.2025 the "Commission Delegated Regulation (EU) 2025/301 of 23 October 2024 supplementing Regulation (EU) 2022/2554 of the European Parliament and of the Council with regard to regulatory technical standards specifying the content and time limits for the initial notification of, and intermediate and final report on, major ICT-related incidents, and the content of the voluntary notification for significant cyber threats" was published, OJ L 2025/301.
    This Delegated Regulation supplements "Regulation (EU) 2022/2554 on digital operational resilience for the financial sector" (DORA) with regard to regulatory technical standards specifying which information must be transmitted with reports of major ICT-related incidents.

 

  • On 20.02.2025 the "Commission Implementing Regulation (EU) 2025/302 of 23 October 2024 laying down implementing technical standards for the application of Regulation (EU) 2022/2554 of the European Parliament and of the Council with regard to the standard forms, templates and procedures for financial entities to report a major ICT-related incident and to notify a significant cyber threat" was published, OJ L 2025/302.
    This Implementing Regulation contains technical standards for the application of the "Regulation (EU) 2022/2554 on digital operational resilience for the financial sector" (DORA). The Regulation provides standard forms, templates and procedures for reporting obligations regarding major ICT-related incidents.

 

Markets in Crypto-Assets Regulation (MiCAR)

  • On 13.02.2025 the following five Commission Delegated Regulations were published to supplement "Regulation (EU) 2023/1114 on markets in crypto-assets":

    1. Commission Delegated Regulation (EU) 2025/292 on cooperation arrangements between competent authorities and supervisory authorities of third countries, OJ L 2025/292,
    2. Commission Delegated Regulation (EU) 2025/296 on the procedure for the approval of a crypto-asset white paper, OJ L 2025/296,
    3. Commission Delegated Regulation (EU) 2025/297 on the conditions for the establishment and functioning of consultative supervisory colleges, OJ L 2025/297,
    4. Commission Delegated Regulation (EU) 2025/298 on the methodology to estimate the number and value of transactions associated to uses of non-EU asset-referenced tokens and of e-money tokens, OJ L 2025/298, and
    5. Commission Delegated Regulation (EU) 2025/299 on continuity and regularity in the performance of crypto-asset services, OJ L 2025/299.

    These five Delegated Regulations supplement "Regulation (EU) 2023/1114 on markets in crypto-assets" (MiCAR) with regard to regulatory technical standards for cooperation arrangements between authorities, approval procedures, establishment of consultative supervisory colleges, methodologies and more.

 

  • On 20.02.2025 the "Commission Delegated Regulation (EU) 2025/303 of 31 October 2024 supplementing Regulation (EU) 2023/1114 of the European Parliament and of the Council with regard to regulatory technical standards specifying the information to be included by certain financial entities in the notification of their intention to provide crypto-asset services" was published, OJ L 2025/303.
    This Delegated Regulation supplements "Regulation (EU) 2023/1114 on markets in crypto-assets" (MiCAR) with regard to regulatory technical standards for the provision of information to be included by certain financial entities in the notification of their intention to provide crypto-asset services.

 

  • On 20.02.2025 the "Commission Implementing Regulation (EU) 2025/304 of 31 October 2024 laying down implementing technical standards for the application of Regulation (EU) 2023/1114 of the European Parliament and of the Council with regard to standard forms, templates and procedures for the notification by certain financial entities of their intention to provide crypto-asset services" was published, OJ L 2025/304.
    This Implementing Regulation contains standard forms, templates, and procedures for the notification by certain financial entities of their intention to provide crypto-asset services pursuant to "Regulation (EU) 2023/1114 on markets in crypto-assets" (MiCAR).

 

  • On 14.03.2025 the "Commission Delegated Regulation (EU) 2025/416 of 29 November 2024 supplementing Regulation (EU) 2023/1114 of the European Parliament and of the Council with regard to regulatory technical standards specifying the content and format of order book records for crypto-asset service providers operating a trading platform for crypto-assets" was published, OJ L 2025/416.
    This Delegated Regulation supplements "Regulation (EU) 2023/1114 on markets in crypto-assets" (MiCAR) with regard to regulatory technical standards for crypto-asset trading platforms.

 

  • On 14.03.2025 the "Commission Delegated Regulation (EU) 2025/417 of 28 November 2024 supplementing Regulation (EU) 2023/1114 of the European Parliament and of the Council with regard to regulatory technical standards specifying the manner in which crypto-asset service providers operating a trading platform for crypto-assets are to present transparency data" was published, OJ L 2025/417.
    This Delegated Regulation supplements "Regulation (EU) 2023/1114 on markets in crypto-assets" (MiCAR) with regard to regulatory technical standards for transparency obligations of crypto-asset trading platforms.

 

  • On 31.03.2025 the following four Commission Delegated Regulations were published to supplement "Regulation (EU) 2023/1114 on markets in crypto-assets":

    1. Commission Delegated Regulation (EU) 2025/300 on information to be exchanged between competent authorities, OJ L 2025/300,
    2. Commission Delegated Regulation (EU) 2025/305 on the information to be included in an application for authorisation as a crypto-asset service provider, OJ L 2025/305,
    3. Commission Delegated Regulation (EU) 2025/413 on the detailed content of information necessary to carry out the assessment of a proposed acquisition of a qualifying holding in an issuer of an asset-referenced token, OJ L 2025/413, and
    4. Commission Delegated Regulation (EU) 2025/414 on the detailed content of information necessary to carry out the assessment of a proposed acquisition of a qualifying holding in a crypto-asset service provider, OJ L 2025/414.

    These four Delegated Regulations supplement "Regulation (EU) 2023/1114 on markets in crypto-assets" (MiCAR) with regard to regulatory technical standards on the exchange of information between authorities, crypto-asset service providers and issuers of asset-referenced tokens.

 

  • On 31.03.2025 the "Commission Implementing Regulation (EU) 2025/306 of 31 October 2024 laying down implementing technical standards for the application of Regulation (EU) 2023/1114 of the European Parliament and of the Council with regard to standard forms, templates and procedures for the information to be included in the application for authorisation as a crypto-asset service provider" was published, OJ L 2025/306.
    This Implementing Regulation contains standard forms, templates, and procedures for the information to be included in the application for authorisation as a crypto-asset service provider pursuant to "Regulation (EU) 2023/1114 on markets in crypto-assets" (MiCAR).

 

Cyber Resilience Regulation (CRA)

 

EU Customs Code

  • On 20.03.2025 the "Commission Implementing Regulation (EU) 2025/512 of 13 March 2025 on technical arrangements for developing, maintaining and employing electronic systems for the exchange and storage of information under Regulation (EU) No 952/2013 of the European Parliament and of the Council" was published, OJ L 2025/512.
    This Implementing Regulation is based on "Regulation (EU) 952/2013 laying down the Union Customs Code" (Customs Code) and defines technical modalities for the exchange of information in central systems as required by customs regulations. Inter alia, the use of data mining, and thus the use of artificial intelligence, is permitted.

 

eIDAS

  • On 15.04.2025 the European Commission published the following 12 draft Commission Implementing Regulations to implement "Regulation (EU) 910/2014 on electronic identification and trust services":

    1. Verification of identity and attributes at qualified certificate or qualified attestation of attributes issuance,
    2. Management of remote qualified signature creation devices as a qualified trust service,
    3. Validation of qualified electronic signatures and seals as well as advanced electronic signatures and seals,
    4. Qualified validation services for qualified electronic signatures and seals,
    5. Provision of qualified electronic time stamping services,
    6. Requirements for qualified electronic registered services,
    7. Notification and verification of the initiation of a qualified trust service,
    8. Submissions of the annual reports by supervisory bodies to the Commission,
    9. Procedural arrangements for peer-reviews of electronic identification schemes to be notified to the Commission,
    10. Notification of qualified electronic signature & seal creation devices that have been certified by certification bodies,
    11. Qualified preservation services for qualified electronic signatures and for qualified electronic seals and
    12. Qualified certificates for electronic signatures and electronic seals.

    These twelve Implementing Regulations and their annexes contain reference standards for identity verification, seals, qualified signatures, time stamping, electronic registered services, trust services and annual reports pursuant to "Regulation (EU) 910/2014 on electronic identification and trust services" (eIDAS).


Austrian Legal Acts

 

Health Telematics Adjustment Ordinance 2025

  • On 28.01.2025 the "Ordinance of the Federal Minister for Social Affairs, Health, Care, and Consumer Protection, amending the Health Telematics Ordinance 2013 and the ELGA Ordinance 2015, and newly publishing the ELGA and eHealth Support Facility Ordinance as well as the eHealth Ordinance 2025 (Health Telematics Adjustment Ordinance 2025)," was published in the Federal Law Gazette II 2025/11.
    The Health Telematics Adjustment Ordinance 2025 ("Gesundheitstelematik-Anpassungsverordnung 2025") amends the Health Telematics Ordinance 2013 ("Gesundheitstelematikverordnung 2013") and the ELGA Ordinance 2015 ("ELGA-Verordnung 2015"). Additionally, within this ordinance two new ordinances, namely the eHealth Support Facility Ordinance ("eHealth-Supporteinrichtungsverordnung") and the eHealth Ordinance 2025 ("eHealth-Verordnung 2025") were published. The amendments and the new ordinances overhaul the regulations on the processing of health data and genetic data by healthcare service providers.

 

FATF Report Adjustment Act 2024

  • On 10.02.2025 the "FATF Report Adjustment Act 2024" was published in the Federal Law Gazette I 2025/5.
    In the FATF Report Adjustment Act 2024 ("FATF-Prüfungsanpassungsgesetz 2024"), the Sanctions Act 2024 ("Sanktionengesetz 2024") was published. Moreover, several acts, such as the Banking Act (BWG), the Financial Market Authority Act (FMABG), and the Account Register Act (KontRegG) were amended. The regulation includes provisions on the processing of personal data by the competent authorities for the implementation of restrictive measures ("sanctions").

 

BMKÖS Data Retention Ordinance

  • On 14.02.2025 the "Ordinance of the Federal Minister for Arts, Culture, Public Service, and Sports, amending the BMKÖS Data Retention Ordinance" was published in the Federal Law Gazette II 2025/18.
    This ordinance overhauls certain retention obligations regarding the processing of civil servants' data.

 

Amendment of the Ordinance on the e-justice system (ERV 2021)

  • On 18.02.2025 an "Amendment of the Ordinance on the e-justice system (ERV 2021)" was published in the Federal Law Gazette II 2025/27.
    The amendments to the e-justice system concern, e.g., land register procedures and the E-ID.

 

Transparency Database Query Ordinance 2025

  • On 03.03.2025 the "Transparency Database Query Ordinance 2025" was published in the Federal Law Gazette II 2025/41.
    The Transparency Database Query Ordinance 2025 governs the read permissions for service offerings with special categories of personal data ("sensitive data") in the Transparency Database.

 

Ordinance of the Federal Minister of the Interior on the e-justice system in the Field of Criminal Justice

  • On 08.04.2025 the "Ordinance of the Federal Minister of the Interior on the e-justice system in the Field of Criminal Justice" was published in the Federal Law Gazette II 2025/63.
    The ordinance contains provisions on the usage of the e-justice system for communications with criminal courts, prosecutors and prison authorities.

János Böszörményi

Attorney at Law

austria vienna
