Lawful interception Austria requirements under TKG 2021 present unique challenges for telecom operators. Austria’s telecommunications regulatory landscape underwent a significant transformation with the introduction of the Telekommunikationsgesetz 2021 (TKG 2021), which replaced the previous TKG 2003 and brought the country’s legal framework into closer alignment with the European Electronic Communications Code (EECC). For operators — particularly MVNOs and new market entrants — understanding the implications of TKG 2021 for lawful interception is essential to achieving and maintaining compliance in the Austrian market.
Austria’s approach to lawful interception combines a well-defined legal framework with a centralised technical infrastructure operated through the Bundesrechenzentrum (BRZ). This dual structure means that operators must satisfy both the legal requirements set out in the TKG 2021 and the Strafprozessordnung (StPO), and the technical specifications mandated by the BRZ for the delivery of intercepted communications. Getting either side wrong can result in regulatory sanctions, criminal liability, or both.
Lawful Interception Austria Under TKG 2021
The TKG 2021 establishes the general obligation for providers of public telecommunications services to cooperate with lawful interception requests. Section 94 of the TKG 2021 requires that operators maintain the technical capability to execute interceptions and deliver the resulting data to the competent authorities. This obligation applies to all providers of public communications services, regardless of their size or business model — MVNOs are not exempt.
The procedural basis for ordering an interception is found in the StPO (Code of Criminal Procedure). Under Austrian law, a lawful interception order must be issued by a court, typically upon application by the public prosecutor. The StPO specifies the types of offences that can trigger an interception order, the maximum duration of surveillance, and the conditions under which extensions may be granted. Operators are legally bound to comply with valid court orders and face penalties for refusal or undue delay.
One important distinction in Austrian law is between the interception of content data (Inhaltsdaten) and the collection of traffic data (Verkehrsdaten) and location data (Standortdaten). Each category has different legal thresholds and procedural requirements. Content interception requires a higher evidentiary threshold and is subject to stricter judicial oversight, while traffic and location data requests, although still requiring judicial approval, apply to a broader range of offences.
The TKG 2021 also introduced updates to data retention provisions, which had been a contentious topic following the Court of Justice of the European Union (CJEU) rulings invalidating blanket data retention. Austria now operates under a system of targeted data preservation, where retention obligations are triggered by specific legal requests rather than applying universally. Operators must understand how these provisions interact with their general LI obligations to avoid gaps in compliance.
The BRZ: Austria’s Central LI Interface
The Bundesrechenzentrum (BRZ) is Austria’s federal computing centre, and it plays a pivotal role in the lawful interception ecosystem. The BRZ operates the central platform through which intercepted communications are delivered from operators to the requesting law enforcement agencies. This centralised model is similar in concept to the Dutch NBIP, and it means that all operators in Austria must establish a technical connection to the BRZ’s systems.
The BRZ interface specifications define how intercepted data must be formatted, encrypted, and transmitted. Operators must implement the required handover interfaces — aligned with ETSI standards for HI1, HI2, and HI3 — and ensure that their systems can deliver both intercept-related information (IRI) and content of communications (CC) in the prescribed formats. The BRZ provides detailed technical documentation to registered operators, and compliance with these specifications is tested before an operator is permitted to handle live interception orders.
The BRZ’s role extends beyond mere data transport. It also manages the administrative workflow for interception orders, providing a secure channel through which court orders are communicated to operators and through which operators confirm the activation, modification, or deactivation of intercepts. This administrative interface (corresponding to HI1 in ETSI terminology) requires operators to implement secure authentication and logging mechanisms to ensure the integrity and confidentiality of the process.
For operators new to the Austrian market, engaging with the BRZ is one of the earliest steps in the compliance journey. The BRZ conducts onboarding sessions, provides technical specifications, and schedules interoperability testing. Operators should factor in several months for this process, as scheduling, development, and testing cycles can be lengthy — particularly for MVNOs that need to coordinate with their host MNO’s infrastructure.
MVNO-Specific Considerations
MVNOs operating in Austria face the same fundamental challenge as in other European markets: the legal obligation for lawful interception rests with the MVNO as the registered service provider, but the technical capability to intercept often resides with the host MNO. The TKG 2021 does not provide a carve-out or reduced obligation for MVNOs. If you hold a notification with the Rundfunk und Telekom Regulierungs-GmbH (RTR), you bear the full weight of interception obligations.
This means that MVNOs must either deploy their own LI infrastructure — including a mediation function capable of interfacing with the BRZ — or establish a formal agreement with their host MNO under which the MNO performs interception on the MVNO’s behalf. In the latter case, the MVNO must still ensure that the arrangement meets BRZ requirements and that the MVNO retains visibility and control over the process. Simply delegating responsibility to the MNO without formal agreements and technical validation is a compliance risk that Austrian regulators will not overlook.
The architectural model of the MVNO also matters. Full MVNOs that operate their own core network elements have more direct control over interception capabilities and can implement LI systems that interface directly with the BRZ. Light MVNOs and resellers, which rely more heavily on the host MNO’s infrastructure, face greater dependency and must invest more heavily in contractual and procedural safeguards.
One area of particular complexity for MVNOs is the handling of VoLTE traffic. As Austrian operators have migrated voice services to LTE and increasingly to 5G, the interception of voice calls has moved from circuit-switched to packet-switched infrastructure. MVNOs that rely on their host MNO for VoLTE services must ensure that the interception of VoLTE calls is covered in their LI arrangements, as the technical mechanisms differ significantly from traditional circuit-switched interception.
Technical Implementation Requirements
The technical requirements for LI in Austria follow ETSI standards but include BRZ-specific adaptations. Operators must support the delivery of IRI (via HI2) and CC (via HI3) in formats specified by the BRZ. The IRI must include all required metadata, such as calling and called numbers, timestamps, cell identifiers, and IP addresses, depending on the type of communication being intercepted.
For voice interception, the CC must be delivered as a real-time audio stream. For data interception, the CC consists of the IP packets associated with the target’s sessions. In both cases, the data must be delivered securely to the BRZ using encrypted transport mechanisms. The BRZ specifies the encryption protocols and key management procedures that operators must follow.
Operators must also implement robust target identification capabilities. Austrian interception orders may identify targets by telephone number (MSISDN), IMSI, IMEI, IP address, or email address. The operator’s LI system must be capable of resolving these identifiers to active sessions or subscribers and initiating interception accordingly. For MVNOs, this may require integration with the host MNO’s subscriber management systems to accurately identify and track targets.
Testing with the BRZ is mandatory before an operator can receive live interception orders. The testing process covers multiple scenarios, including voice call interception, SMS interception, data session interception, and target identification using various selectors. Operators must pass all test cases before being certified as operational. The BRZ maintains records of each operator’s certification status and may require periodic recertification as systems are upgraded or modified.
Compliance Timelines and Enforcement
The RTR, as Austria’s telecommunications regulator, is responsible for overseeing compliance with the TKG 2021, including lawful interception obligations. While the RTR does not typically conduct proactive audits of LI systems in the same way that Germany’s BNetzA does, it has the authority to investigate complaints, respond to reports of non-compliance, and impose sanctions. The Austrian criminal justice system can also pursue operators that fail to comply with valid interception orders under the obstruction provisions of the StPO.
Operators entering the Austrian market should plan for a compliance timeline of at least six to twelve months from the point of initial engagement with the BRZ to achieving full operational capability. This timeline accounts for technical development, integration testing, BRZ interoperability testing, and internal process development. MVNOs with more complex supply chains may need longer, particularly if their host MNO agreements need to be renegotiated to include LI provisions.
The enforcement landscape in Austria is evolving. As the telecommunications market becomes more fragmented, with new MVNOs, IoT operators, and OTT providers entering the market, regulatory attention to LI compliance is likely to increase. Operators that establish robust compliance frameworks early will be better positioned to adapt to future regulatory changes and avoid enforcement actions.
Practical Recommendations
For operators preparing for lawful interception compliance in Austria, several practical steps are recommended. Begin by thoroughly reviewing the TKG 2021 and the relevant sections of the StPO to understand your legal obligations. Engage legal counsel with specific Austrian telecommunications expertise, as the interaction between criminal procedure law and telecommunications regulation requires specialist knowledge.
Contact the BRZ early in your planning process to initiate the onboarding procedure and obtain the current technical specifications. Develop your technical infrastructure — whether in-house or through a managed service provider — to meet the BRZ’s interface requirements. Ensure that your LI management system supports the full lifecycle of interception orders, from receipt and activation through monitoring and deactivation.
If you are an MVNO, review and if necessary renegotiate your host MNO agreement to explicitly address LI responsibilities. Establish clear escalation paths and response time commitments for interception requests. Finally, develop and document internal processes for handling interception orders, including access controls, confidentiality procedures, and audit trails.
Conclusion
Austria’s lawful interception framework, anchored by the TKG 2021 and operationalised through the BRZ, represents a well-structured but demanding compliance environment. For MVNOs and new market entrants, the combination of legal obligations and technical requirements means that early planning, proactive engagement with regulators and the BRZ, and investment in robust LI infrastructure are essential. The consequences of non-compliance — regulatory sanctions, criminal liability, and reputational damage — far outweigh the costs of getting it right from the start. By understanding the Austrian LI landscape and taking a systematic approach to compliance, operators can build a solid foundation for long-term success in this important European market.
The lawful interception Austria compliance landscape continues to evolve as the BRZ modernises its technical interfaces. Operators must ensure their lawful interception Austria implementations remain aligned with current specifications.
Related Articles
For further reading on related topics, explore these articles:
- LI Requirements in the Netherlands: BWNI, NBIP, and What MVNOs Must Know
- Italy’s LI Framework: The Garante, AGCOM, and What Foreign Operators Miss
- How to Pass a BNetzA LI Audit: What Inspectors Actually Check
External Resources
The following external resources provide additional context and official documentation:
