Autonomous vehicles law and regulation in Austria

Austria has established a legal framework for the operation and testing of autonomous vehicles in 2016. The primary regulation governing automated driving is the Automated Driving Ordinance (Automatisiertes Fahren Verordnung), introduced in December 2016, which defines the conditions under which certain driving tasks may be delegated to automated driving systems. In December 2020, the 39th amendment to the Austrian Motor Vehicle Act (Kraftfahrgesetz) added further provisions specifically focused on testing automated work machines under 10 km/h.

Since its introduction, the Automated Driving Ordinance has undergone three amendments. With the first amendment in March 2019, the regulation was expanded not only to govern the framework for testing but also to establish the basis for the deployment of series-approved driver assistance systems. The second amendment, in spring 2022, primarily focused on expanding the permitted testing use cases. The third amendment, in the autumn of 2024, introduced further adaptations to enable additional testing applications.

There are no specific legal provisions in Austria dedicated exclusively to AV operation on private property.

The Automated Driving Ordinance makes a clear distinction between test operations for high- and fully automated vehicles and the regular use of driver assistance systems that have already been approved and are in series production.

Test Operations

For testing, the Automated Driving Ordinance does not allow blanket testing of all types of automated driving; instead, it details specific use cases with high potential in which testing may occur. These include: 

• Automated vehicles for passenger transport 
• Automated vehicles for freight transport 
• Highway pilot with automated lane-change 
• Highway pilot with automated on- and off-ramps 
• Self-driving military vehicles 
• Automated parking services
• Automated work machines (with speed restrictions) 
• Automated safety (shield) vehicles

For testing AVs on public roads, a permit must be obtained from the competent Federal Ministry (Bundesminister für Klimaschutz, Umwelt, Energie, Mobilität, Innovation und Technologie). Before being tested on public roads, highly or fully automated systems must first be validated in simulations and on private grounds to ensure their reliability and safety. This process includes a route-based risk assessment, particularly focusing on potential impacts on pedestrians and cyclists. If the Federal Ministry deems the safety measures sufficient, it issues a time-limited test certificate (Bescheinigung). During testing, a trained and licensed driver—who is no longer in the probationary phase—must always be present and able to override or deactivate the automated system immediately. Additionally, if tests are conducted on motorways, the applicant must inform the relevant road operator and involve them in planning.

Testing Conditions and Requirements

Austria does not have designated AV test tracks. Instead, testing companies must establish their own structured testing environments, often within innovation labs, before transitioning to public roads. Companies with extensive experience may apply for public road testing, provided they comply with regulatory requirements.

The Automated Driving Ordinance defines which roads and areas may be used for testing. Some use cases are restricted to the high-level road network, while others are limited to lower-level roads. Testing companies must conduct a detailed route analysis and risk assessment, ensuring that high-risk areas are identified, and appropriate safety measures are in place. The final approval of testing locations lies with the Federal Ministry.

Test permits issued in other countries are not valid for public road testing in Austria. However, prior approvals may expedite the application process.

The non-binding Code of Practice (CoP) provides additional guidelines for vehicle manufacturers and testing organizations, outlining safety measures to be followed during testing. While not legally binding, compliance with the CoP promotes responsible testing but does not exempt companies from liability.

Vehicle Classes and Testing Scenarios  

Pursuant to the Automated Driving Ordinance, different types of AVs are subject to specific testing conditions: 

• Passenger and Freight Transport: Vehicles of classes M and L7e may be tested for passenger transport, while categories L7e, N1, N2, and N3 may be tested for goods transport. Testing must occur on predefined routes or areas, with speed limits of 30 km/h (or up to 50 km/h for approved vehicles). The system must not be activated on highways or expressways. 
• Highway Pilot with Automated Lane Changes: This system, which manages both longitudinal and lateral control, may only be tested on highways and expressways using vehicles of classes M1, M2, M3, N1, N2, and N3. 
• Highway Pilot with Automated On- and Off-Ramps: These systems may only be tested on motorways, dual carriageways, and approved slip roads, using vehicles of classes M1, M2, M3, N1, N2, and N3. 
• Military Vehicles: The Federal Ministry of Defence is authorized to test fully automated military vehicles (classes N1, N2, N3, T1-T5). Testing may involve autonomous driving, tele-operated driving, convoy driving, and steering via external force, with a test driver ready to assume control in critical situations. 
• Automated Parking Services: Car manufacturers, system developers, research institutions, traffic companies, and car park operators may test automated parking systems for M1-class vehicles. The driver is not required to be inside the vehicle but must monitor the process and be able to intervene if needed.
• Automated Work Machines: Vehicles operating for work purposes at speeds up to 20 km/h may be tested in predefined areas. If operating at a maximum of 10 km/h, the driver may remain outside the vehicle, provided they have a clear view and can intervene when necessary. 
• Since 2024, autonomous safety vehicles (N-class) designed for road safety operations may be tested exclusively on highways and expressways at speeds up to 20 km/h. If operating at 10 km/h or lower, the driver may remain outside the vehicle but must stay nearby and monitor all movements.

Application Process for Testing

The process for obtaining a test permit involves several steps:

1. Submission: Applications for automated vehicle testing can be submitted quarterly to the Contact Point for Automated Mobility.
2. Initial Review: The Contact Point assesses which test scenarios fall within existing regulations and which may require amendments.
3. Expert Advisory Board Consultation: An independent advisory board with interdisciplinary expertise provides guidance to the Federal Ministry.
4. Approval: If approved, the Federal Ministry issues a temporary test certificate for specific use cases.
5. Post-Test Reporting: Upon completion of the test, applicants must submit a test report to the Federal Ministry.

Regular Use of Driving Assistance Systems

Beyond testing, Austria currently allows the use of two specific advanced driving assistance systems on public roads: 

Parking Assist: Permitted for M1 and N1 vehicles, parking assist systems may only be used as specified by the manufacturer at speeds up to 10 km/h. The driver must remain close to the vehicle and monitor the process. 

Lane Keeping Assist: This system may be used on highways and expressways in vehicles of classes M1, M2, M3, N1, N2, and N3. The driver must take over before changing lanes, entering construction zones, or exiting the highway. The system must operate strictly within the manufacturer’s specifications and is not permitted in construction zones. 

In Austria, there is no separate legal framework devoted exclusively to liability and insurance for autonomous vehicles. Instead, the established rules on liability and product liability apply, supplemented by strict liability under the Railway and Motor Vehicle Liability Act (Eisenbahn- und Kraftfahrzeughaftpflichtgesetz; EKHG) and by general civil law principles under the Austrian Civil Code (Allgemeines Bürgerliches Gesetzbuch, ABGB). Although AV technology may raise new questions (e.g., the role of crash algorithms, potential cyberattacks), Austrian law has not yet introduced comprehensive, AV-specific rules for these scenarios. The following overview explains how existing legislation is typically interpreted in the AV context.

Traditional Liability of the Driver or Operator

Under Austrian law, the driver (Lenker) remains the primary point of contact following a traffic accident. If a driver’s negligent or intentional behavior causes an accident, they are personally liable for damages, pursuant to §§ 1292 ff ABGB. However, with levels of vehicle automation reaching SAE Levels 3 and above, the standard of care owed by the driver may change. While SAE Level 3 only requires the driver to take over driving upon request of the vehicle, SAE Level 4 no longer obliges the driver to devote their complete attention to the road at all times. This could mean that certain activities—previously deemed negligent—may no longer be regarded as careless if the system lawfully permits the driver to disengage for specific periods.

Austrian law also recognizes strict liability for the vehicle’s operator or owner under the EKHG, i.e. liability in the absence of any fault if damage arises from the operation of a motor vehicle, reflecting the principle that using a potentially dangerous machine on public roads comes with strict responsibilities. This applies even if the vehicle has automated features; as automation increases, liability may shift from individual driver negligence to the operator’s strict liability or ultimately toward manufacturer liability or product liability claims.

Product Liability and the Role of the Manufacturer

Beyond driver or operator liability, Austrian product liability law (in line with the EU Product Liability Directive) covers software integrated into a physical product such as a car. If a defect in the software causes damage (for instance, by misinterpreting sensor data, leading to a crash), the manufacturer can be held liable. A “defect” means that the product does not provide the level of safety reasonably expected, considering all circumstances.

In the case of autonomous or semi-autonomous vehicles, manufacturers rely heavily on AI algorithms that will, on occasion, “be wrong” due to statistical variance. Austrian legal doctrine has yet to offer a definitive solution on how to handle those “inherent” miscalculations under product liability rules. Generally, product liability does not demand absolute perfection, but it does require adequate safeguards, adherence to technical standards, and reasonable protective measures. If an AI-based system systematically falls below these expectations or if a proven design improvement was available to mitigate foreseeable errors without undue burden, the manufacturer could be deemed liable for a design or construction defect.

“Crash algorithms” and Extreme Situations

Austrian law does not specifically address how liability would be allocated if a vehicle’s automated decision-making (e.g., a “crash algorithm”) chooses to sacrifice one party to save another. In principle, the same liability regimes would apply: the driver or owner might still face strict liability under the EKHG, and fault-based liability could come into play if someone acted (or failed to act) negligently. If software programming is found to be flawed—by, for example, systematically prioritizing certain crash outcomes in an unjustifiable manner—it may trigger manufacturer liability. However, no Austrian statute expressly authorizes “autonomous decisions” that weigh personal injury or life in an emergency scenario. As a result, these so-called “trolley problem” cases remain largely theoretical and unresolved in current law.

Cyberattacks and the Manufacturer’s Liability

Cybersecurity is increasingly relevant for modern vehicles, especially at SAE Levels 2–4, which rely on external data transmission and complex software. Under the Product Liability Act (Produkthaftungsgesetz; PHG), a product is defective if it fails to meet the justified safety expectations. A manufacturer that neglects to protect its AV systems against foreseeable cyber risks—thereby enabling remote manipulation leading to an accident—can be found liable if that lack of protection constitutes a product defect.

Recent European initiatives, including the revised Product Liability Directive and the Cyber Resilience Act (CRA), emphasize that failure to comply with mandatory cybersecurity or product safety requirements can lead to a presumption of defect. In practice, this means the manufacturer may be liable if it does not provide security patches during the vehicle’s expected lifetime (up to five years after market introduction, under the CRA) and that omission leads to damage stemming from a cyberattack. If technical progress allows for higher security standards at manageable cost, the scope of the manufacturer’s liability may increase accordingly, because consumers’ legitimate safety expectations also rise.

Austria does not have a specific, stand-alone legal framework that exclusively addresses data collection, privacy, and cybersecurity for autonomous vehicles (AVs). Instead, existing general laws and regulations apply. The key instruments are the EU General Data Protection Regulation (GDPR) for personal data, the new EU Data Act for non- personal data, and certain provisions in the Automated Driving Ordinance, which governs the testing of automated vehicles. Below is an overview of how these legal sources interact and how they affect data handling for AVs.

GDPR

The GDPR fully applies whenever personal data are processed, whether during AV testing or in regular operation. Under the GDPR, data processing is only lawful if it can be based on a valid legal ground such as consent, contract performance, or overriding legitimate interests.

Consent: The European Data Protection Board (EDPB) generally views consent as a principal legal basis for processing data collected by connected vehicles. If vehicles collect location data, video feeds, or other personal identifiers, each data subject (e.g., the driver or possibly external road users) must consent, unless another exception applies. However, obtaining consent from “other road users” (pedestrians, cyclists, other drivers) is practically unworkable.

Contract necessity: In theory, the data processing required for automated or autonomous driving could be justified if it is “necessary for the performance of a contract” with the data subject. But if the vehicle’s manufacturer is considered the data controller, then a direct contractual relationship would need to exist between the manufacturer and the driver or owner. This is often complicated by the presence of intermediaries (dealers, leasing firms). Contractual grounds almost never extend to bystanders in traffic.

Non-Personal Data and the EU Data Act

For data that do not qualify as personal under the GDPR, the new EU Data Act (Regulation (EU) 2023/2854) becomes relevant. It aims to establish fair rules for accessing and using non-personal data generated by connected devices—including autonomous vehicles. It entered into force on 11 January 2024 and starts to apply from 12 September 2025. Key implications for AV manufacturers and operators include:

Data access rights: Users of connected products (including AVs) gain the right to access the non-personal data generated by their usage of the vehicle. This typically encompasses performance metrics, usage data, and environmental data.

Obligation to share data: Users have the right to require data holders to share data with third parties. Upon request from a user or a party acting on their behalf, the data holder must promptly provide a third party with readily available data, along with the metadata necessary for interpreting and utilizing the data.

Manufacturers must make data available under fair, transparent, and non- discriminatory conditions. Although they may charge a fee, it must be “reasonable” and justified.

To process or monetize non-personal vehicle data, manufacturers must have data license or data access agreements in place with the user.

Data Obligations under the Automated Driving Ordinance

During the testing of automated vehicles, the Automated Driving Ordinance imposes specific data-related obligations:

Driver’s consent: Section 3(4) of the Automated Driving Ordinance states that the test driver must agree to have data from the vehicle’s electronic control units recorded and stored during test drives.

Accident data recorder: Section 5(1) mandates that every vehicle involved in testing be equipped with an accident data recorder, which must be active throughout the test period. This recorder captures relevant information in the event of a crash, allowing authorities or researchers to reconstruct the incident.

One of Austria’s most significant public experiments with autonomous driving took place in the Seestadt Aspern urban development area in Vienna. The trial used ten-seat autonomous shuttles produced by the French company Navya, which operated at speeds of up to 20 km/h by relying on GPS, laser scanning, and odometry. This pilot ended in June 2021 with the conclusion that the technology was not yet ready for widespread commercial use and would require further refinement. Since then, Austria has not initiated any similarly high-profile public trials, a development suggesting that the country has chosen a more cautious path regarding large-scale autonomous vehicle (AV) deployment.

Despite the lack of major new pilots, Austria still hosts pockets of research and development in the AV field. One notable project is the Linz-based company Digitrans, which operates a test track in St. Valentin. This facility enables experimentation with autonomous driving and platooning—an arrangement in which multiple vehicles (often trucks) drive in close proximity, aligned and synchronized through advanced connectivity and automation.

Austria provides research funding for innovative mobility initiatives, though these tend to be incorporated under broader technology or climate programs rather than dedicated AV subsidies. The country positions itself less as a trailblazer and more as a “fast follower,” observing how European frontrunners such as Germany, the Netherlands, and France handle regulatory challenges before committing to large-scale autonomous driving projects.

Looking ahead, Austria is likely to maintain a moderate, research-driven approach. As EU regulations on data sharing, liability, and cybersecurity evolve, Austria will adapt its national legal framework accordingly. In particular, many of the key questions concerning autonomous driving—such as the lawful handling of vast amounts of personal and non-personal data under the GDPR and the Data Act, as well as the appropriate liability frameworks—are likely to be resolved at the European level.