Digital Health Apps/Software
1. How is the software within digital health apps classified in your jurisdiction, and what regulation(s) apply?
1.1 Is it considered a “medical device” or a “product” to which liability can attach, and if so, under what regulations?
The primary legal sources are the EU Medical Device Regulation (MDR), the Austrian Medical Devices Act 2021, and the Austrian Product Liability Act. According to the MDR, software is considered a medical device if it forms part of, or is an accessory to, a medical device or, where it constitutes stand-alone software, has a medical purpose and the processing of the data goes beyond mere storage, archiving, communication or simple search.
1.2 If your response to Q1.1 is yes, please state whether there are any exclusions/exemptions applicable with regard to liability, and/or whether those are applicable only under certain circumstances (e.g., for in-hospital use)?
The Austrian Product Liability Act provides for no-fault liability. In addition, fault-based liability under Austrian tort law is possible.
Currently, software can be considered a “product” according to the Austrian Product Liability Act if it is embedded and supplied as part of a physical device. However, with the adoption of the new EU Product Liability Directive (EU) 2024/2853 (PLD), which must be transposed into Austrian law by 9 December 2026, this classification is expected to evolve. Key changes under the PLD include: (i) a broader definition of “product”, explicitly covering stand-alone software, including AI systems; (ii) clarified liability rules, making it easier to determine when software is defective and how liability is allocated; and (iii) enhanced consumer protections, simplifying the process for proving damage and the causal link between a defect and harm. (For further details, please also see point 7 on future legal developments below.) Until national implementation, the existing Austrian Product Liability Act remains applicable.
Where the software is considered a product, liability according to the Austrian Product Liability Act is limited to the manufacturer or importer (importing into the EEA) of a faulty product causing death, physical injury or damage to physical property. Compensation is limited to death and personal injury. Property damage is only compensated if it has been sustained by a consumer and only to the extent it exceeds the amount of 500 EUR.
There are further exceptions under the Product Liability Act. In particular, the manufacturer/importer will not be liable if the fault was caused by a legal order or obligation that the product had to comply with, or if the fault was not apparent according to the state of the art in science and technology at the time of distribution.
2. Are there any other legal regimes that may govern digital health software? (e.g. data protection/ privacy) If yes, please indicate these.
The General Data Protection Regulation (“GDPR”) and the Austrian Data Protection Act (“DPA”) apply to the processing of personal data within the meaning of Art 4 (1) GDPR – being any information relating to an identified or identifiable natural person. Hence, if the use of digital health software involves the processing of personal data, the requirements of the GDPR and DPA must also be met.
The Austrian Health Telematics Act 2012 regulates the processing of personal electronic health data and genetic data by healthcare providers pursuant to Section 2 no. 2 of this Federal Act.
The Austrian Telecommunications Act 2021 (TKG 2021), which implements the EU ePrivacy Directive 2002/58/EC, applies to digital health software that involves the processing of personal data in connection with electronic communication.
The Austrian E-Commerce Act, which covers inter alia the information obligations of online service providers, the conclusion of online contracts, the responsibility of service providers and the country of origin-principle regarding electronic services in general, may also be applicable. In order to protect public health, the free movement of online services from another Member State may be restricted under this Act.
Furthermore, trade law can be applicable if the software is considered a medical device. According to Sec 94 (33) of the Austrian Trade Act, the manufacturing, processing, distribution and rental of medical devices constitute a regulated trade. The operation of a regulated trade must be notified to the competent authority and a certificate of competence must be provided by the trader.
Moreover, software falls within the scope of the Austrian Copyright Act.
3. If your response to Q2 is yes, please state whether it matters if, the users are residents using it within their jurisdiction and/or using it outside their jurisdiction; and/or it is a “B2B” (business to business) rather than “B2C” (business to end consumer) service. In each case, please summarise any implications (if applicable).
3.1 The users are residents using it within their jurisdiction and/or using it outside their jurisdiction.
With regard to the territorial scope of the GDPR and ePrivacy Directive (concerning the processing of personal data in connection with electronic communications), it is required that the data processing is carried out in the context of the activities of an establishment of a data controller or a data processor in the European Union or that the digital health software is offered to a data subject in the European Union. It is therefore crucial whether users use the software within their jurisdiction, as this is likely to mean that either the controller/processor providing the software also has an establishment in the EU or at least that the software is offered to users within the EU. In both cases, this leads to the application of the GDPR/ePrivacy Directive.
Austrian trade law regulations may be applicable if users are Austrian residents using the service in Austria. If the service provider can rely on the country of origin rules of the E-Commerce Directive, this may exclude the application of Austrian trade law regulations.
3.2 It is a “B2B” (business to business) rather than “B2C” (business to end consumer) service.
For B2C-transactions, consumer protection law is applicable and contract clauses and terms and conditions must be in compliance with the strict requirements of the Consumer Protection Act, Consumer Warranty Act (providing specific requirements in regard to software) and the Austrian Distant Sales Act. Additionally, where the software constitutes a medical device, advertising to consumers is restricted.
4. Do any particular features, such as location tracking, or monitoring real-time information, trigger any additional consent requirement, regulatory approval, and/or other restrictions beyond the general ones applicable to Q1/Q2?
The processing of personal data as part of particular features of digital health software does not, in itself, trigger any additional consent requirement, regulatory approval, and/or other restrictions beyond the GDPR or ePrivacy Directive.
This aligns with the European and national legislators' goal of maintaining a technology-neutral regulatory framework, where any processing of personal data must be justified by a legal basis under Articles 6 or 9 GDPR.
The European Data Protection Board (EDPB) clarified the technical scope of the ePrivacy Directive in its Guidelines 2/2023, extending its applicability beyond traditional cookies to include various tracking technologies, such as URL and pixel tracking, IP-based tracking, and unique identifiers. If digital health software employs such technologies for data processing, Austria’s Telecommunications Act (TKG 2021, Section 165 para 3) applies, requiring consent unless the technology is strictly necessary for the provision of the service.
If certain features are used by the controller to evaluate certain aspects related to the individual, this will regularly be subject to the provisions on profiling pursuant to GDPR.
5. In the context of physicians relying on digital health apps (containing software), whether for in-person or via telemedicine consultations, are there circumstances where the physicians’ liability can be limited or transferred to the producer of the software contained in the app, or of the final product/app itself, when a fault or inaccuracy with the software (rather than the physicians’ error) occurs, leading to damage (or injury)?
Where the software constitutes a product according to the Austrian Product Liability Act, the producer or importer (into EEA), rather than the physician, will bear no-fault liability under the Product Liability Act. The physician may still be liable under general rules. However, such liability would require causation by the physician as well as fault, which may both be lacking if the inaccuracy is due to a fault of the software rather than the physician's error.
6. Please describe the enforcement mechanism for compliance with regard to the regulations discussed in Q1, Q2, and/or Q4 in your jurisdiction with regard to the software contained in digital health apps. What are the legal consequences for non-compliance?
Violations of the Austrian Medical Devices Act are subject to administrative fines, for example, if an unsafe medical device has been put on the market or if no instruction manual has been provided. Moreover, competitors or consumer protection organizations may initiate unfair competition proceedings based on non-compliance with the provisions of the Medical Devices Act (breach of law), asking for an injunction, publication of the judgment, recovery of lawyers' fees and (rarely) damages.
Damage claims that are based on the Austrian Product Liability Act or general tort law must be brought before the competent civil court by the injured party.
Compliance with trade law falls under the jurisdiction of the administrative courts and authorities. If a regulated trade is conducted unlawfully, administrative fines may be imposed.
There are also enforcement mechanisms with regard to data protection. Infringements of the GDPR are subject to administrative fines – depending on the violation – of up to 10,000,000 EUR, or in the case of a company, up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher; in case of severe violations up to 20,000,000 EUR, or in the case of a company, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.
With regard to the Austrian Telecommunications Act 2021, administrative fines of up to 100,000 EUR may be imposed in case of violations. Fines will be accumulated in case of several violations. According to case law of the Austrian Data Protection Authority, a violation of the Austrian Telecommunications Act may at the same time constitute a violation of the fundamental right to data protection pursuant to Sec. 1 para 1 of the Austrian Data Protection Act and also a violation of those provisions of the GDPR which do not impose any additional obligations on the controller within the meaning of Art 95 GDPR.
7. Are you aware of any future legal developments in your jurisdiction with regard to digital health apps/software?
As mentioned in point 1.2 above, the new Product Liability Directive (PLD), which must be transposed into Austrian law by December 9, 2026, introduces significant changes to Austria’s Product Liability Act (PHG). One of the key amendments is the explicit expansion of the definition of "product" to include software, including AI systems as defined in the AI Act. This marks a shift from the previous case-by-case approach, providing greater legal certainty regarding liability for defects in digital products. The PLD establishes clear conditions under which manufacturers, importers, and retailers can be held strictly liable for defective software, aligning it with traditional product liability principles. Furthermore, the PLD introduces new disclosure obligations and causality presumptions, making it easier for consumers to enforce claims, particularly in cases involving complex digital products such as AI-driven health applications. The removal of the EUR 500 threshold for material damage claims further strengthens consumer protection by allowing recovery for smaller damages. However, challenges remain, particularly concerning the obligation to disclose evidence (Art. 8 of the PLD), which may conflict with trade secret protections and GDPR requirements. Additionally, the handling of technical and digital evidence in Austrian courts is still uncertain. Businesses in the software, AI, and digital health sectors should proactively assess their product documentation, liability limitations, and compliance with both the PLD and the AI Act to mitigate legal risks and ensure regulatory alignment.
Currently, the establishment of a legal framework regarding the reimbursement of digital health apps/software by the Austrian Social Insurance Fund is expected (please see below for more detail).
Another important upcoming legal development in Austria affecting digital health apps and software is the Barrierefreiheitsgesetz (BaFG), which transposes the European Accessibility Act (EAA) into national law. As of June 28, 2025, digital products and services, including health apps and software, must comply with accessibility requirements to ensure usability for people with disabilities, provided they fall within the scope of the BaFG (see Section 2 BaFG for details). The BaFG applies to a broad range of products, such as self-service terminals, smartphones, and e-books, as well as services, including digital banking and e-commerce platforms operating within the framework of a consumer contract. This means that all online shops and website operators engaging in B2C transactions must ensure compliance. The law mandates adherence to accessibility standards covering perceivability, operability, and compatibility with assistive technologies to enhance digital inclusion.
Telemedicine
8. How are physicians regulated in your jurisdiction (i.e., who is their Regulator; e.g., the General Medical Council in the UK)?
Amongst the primary legal sources in this regard are the Austrian Doctors Act, the Ordinance of the Austrian Doctors Association on the type and form of permissible advertisement and the Code of Conduct of the Austrian Doctors Association.
The Austrian Doctors Association is a self-governed professional body which may enforce disciplinary sanctions. It is also responsible for maintaining the Austrian Doctors' list – all physicians located in Austria must be included in this list. It makes its decisions independently but is subject to legal supervision by the Federal Ministry of Health.
9. What laws and/or regulations apply to physicians regarding telemedicine?
The main law that applies to physicians in general is the Austrian Doctors Act, which also sets out the permissibility of telemedicine in general. There is no specific law for telemedicine, except for the Austrian Health Telematics Act 2021, which regulates the processing of personal electronic health data and genetic data by healthcare providers as pointed out under question 2 above. Moreover, Austrian social security law has been adapted to introduce the use of electronic prescriptions.
The Federal Ministry of Health provides guidance regarding telemedicine on its website. Among other things, a framework directive for the IT infrastructure for the use of telemonitoring is being provided there. The directive concerns the collection of patient data through telemonitoring and lays out the ideal telemonitoring-procedure including how the relevant IT systems should be set up.
With respect to other aspects of telemedicine, there are no specific rules, so the general rules that are applicable to physicians, such as the Austrian Doctors Act, have to be referred to.
10. Does the law in your jurisdiction regulate under what circumstances physicians can use telemedicine in order to treat patients?
Yes. Section 49 of the Austrian Doctors Act explicitly permits the use of telemedicine to treat patients. Physicians must consult with patients directly and in person (Unmittelbarkeitsgrundsatz), or by the use of telemedicine. In particular, teleconsultation, teleconference, teletherapy, telesurgery, teleradiology and telepathology are considered permissible areas of application under this Act.
10.1 What are the requirements?
The permissibility of telemedicine requires compliance with the standards of professional justifiability and the maintenance of the necessary professional care, including appropriate patient information and documentation, particularly in the case of exclusive consultation or treatment via communication media.
The obligation to control risks also includes the obligation to inform the patient comprehensively about the possibilities, objectives and limits of telemedical applications and to point out unrealistic expectations. The physician must also name the risks associated with the telemedical treatment to the patient, and document the information provided as well as the main contents of the risk assessment. He/she is obligated to terminate a telemedical intervention prematurely if necessary and at the same time recommend face-to-face treatment.
As it lies within the discretion of the physician to engage in a remote consultation, the physician must check and ensure in each case whether the information and data provided by the patient is sufficient for the telemedical treatment or whether further information is required. Permissible telemedical consultations therefore regularly require prior personal contact between the doctor and patient.
If the doctor has any doubts about the basis of his/her medical decision, he/she must visit the patient, call the patient to the doctor's office, or refer the patient to the nearest doctor or hospital.
11. Do the standards of care applicable to physicians change in the context of using telemedicine?
There is no change regarding the applicable standard of care. The standard of care is a relevant factor in deciding whether telemedicine is admissible in a specific case and also includes the decision as to whether or not to engage in distance counseling at all (see above).
11.1 Are there legal requirements for physicians to give disclaimers or other types of notices to patients (as part of the consent process) before using telemedicine? If so, please indicate these.
Yes. As with conventional medical treatments, informed consent of the patient is required prior to a telemedical treatment.
The physician has the obligation to inform the patient comprehensively about the possibilities, objectives and limits of telemedical applications and to point out unrealistic expectations before the treatment. The physician must discuss the risks associated with the telemedical treatment with the patient and document the information provided as well as the main content of the risk assessment. He/she must also recommend treatment in person when necessary.
11.2 Does the use of telemedicine increase the risk of liability (e.g., if a physician is asked to certify someone’s fitness to engage in a particular employment and does so virtually versus an in-person consultation)?
The risk of liability is increased indirectly. Liability depends on whether the physician has acted according to the relevant standard of care. In the case of telemedicine, it will additionally be considered whether it was suitable in the specific case to use telemedicine according to the relevant standard of care.
12. Are there any restrictions on the type of medicine that can be prescribed through telemedicine?
Currently, only such prescriptions which fall under the responsibility of the public health insurance funds will be issued electronically. Moreover, medicinal products subject to the Austrian Narcotics Act can never be prescribed digitally.
13. Are telemedicine services reimbursable under the state’s medical insurance / subsidy / coverage?
Yes. Telemedical treatments are reimbursable under the same conditions as conventional medical treatments by the Austrian Social Insurance Fund (Österreichische Gesundheitskasse).
Reimbursement is based on tariff items in corresponding catalogs in Austria. The reimbursement of telemedical services includes all consultation and discussion services for general practitioners by telephone or video, as provided for in the respective catalogs.
13.1 If so, are there any special provisions about the reimbursement/coverage of costs regarding the use of mobile apps that can combine digital health and telemedicine?
Currently, digital health applications (DiGA) and health apps are not reimbursable under the Austrian Social Insurance Law (Allgemeines Sozialversicherungsgesetz - ASVG).
Nevertheless, there are endeavours by the Austrian Social Insurance Fund to launch a reimbursement programme for digital health applications (DiGA) in Austria, similar to France or Germany. In 2024, the eHealth Strategy Austria was published, including the plan to establish a standardized process for the evaluation of digital health and nursing applications. DiGAs that are medical devices would be reimbursable under the Austrian Social Insurance Law (ASVG). Furthermore, the requirement of proof of efficacy is discussed. The specific framework for the reimbursement of DiGAs by the Austrian Health Insurance Fund (Österreichische Gesundheitskasse) has not yet been decided but is expected to be determined by 2026 at the latest.
14. Are there specific data protection regulations covering telemedicine (outside the context of using a digital health app) in your jurisdiction? If so, please summarise what they are.
The GDPR and the Austrian Data Protection Act apply to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system. The Austrian Telecommunications Act 2021 (TKG 2021) governs the provision of electronic communications networks and services within Austria, and it also addresses the confidentiality of communications and data protection.
15. Are you aware of any future legal developments in your jurisdiction with regard to telemedicine?
The exact legal framework of the reimbursement of digital health applications is expected to be introduced by 2026. Furthermore, there are plans to implement a “Digital Health Path” (“DGP”), which will feature a digital Austrian health platform for certified and quality-assured eHealth services for all aspects of healthcare, including digital health applications.