NIS2 Compliance in Austria: What Changes, Who's Affected, and What to Do in 2026
Austria's NIS2 implementation law (NISG 2026) takes effect October 1, 2026 — expanding compliance requirements from 100 to 4,000 organizations. If you're a mid-sized company with 50+ employees or €10M+ turnover in almost any sector, there's a reasonable chance you're in scope. Here's what's actually required, who's affected, and what to do before the deadline.
Last updated: March 2026
If you've been trying to get a straight answer on NIS2 compliance in Austria, you've probably noticed that most of what's out there is either a generic EU overview, already out of date, or written by lawyers for other lawyers. This article is none of those things. It covers what's actually happening in Austria — the national law, the real deadlines, who's actually caught by it, and what you need to do and when.
NIS2 vs NISG 2026: Why Austria Has Its Own Timeline
Let's start by clearing up the biggest source of confusion.
NIS2 is the EU directive — formally Directive (EU) 2022/2555 — which entered into force in January 2023. Member states had until October 17, 2024 to transpose it into national law. Most of them did. Austria didn't.
Austria missed the deadline. The European Commission opened infringement proceedings with a letter of formal notice in November 2024 and followed up with a reasoned opinion in May 2025, the last formal step before a referral to the Court of Justice. The national implementation law, NISG 2026, was eventually published on December 23, 2025. It takes effect on October 1, 2026.
Until that date, the old NISG 2018 remains in force.
Why does this matter? Because a lot of English-language content still references a January 2026 effective date, or mentions the rejected NISG 2024 draft as if it's current. The correct dates are October 1, 2026 for entry into force and December 31, 2026 for the registration deadline. If you've been planning around different numbers, now is a good time to recalibrate.
Who's Actually Affected? The Scope Is Wider Than You Think
The old NIS law covered roughly 100 organizations in Austria. NISG 2026 expands that to approximately 4,000.
That's a forty-fold increase, and it's not an accident. The scope expansion reflects a deliberate policy decision to bring a much wider range of organizations into the cybersecurity regulatory framework. NISG 2026 creates two categories — and if you're a mid-sized company in almost any sector that relies on technology, there's a reasonable chance at least one of them applies to you.
Essential Entities (wesentliche Einrichtungen) are large companies in critical sectors: energy, transport, banking and financial market infrastructure, health, digital infrastructure, drinking water, wastewater, and public administration. Some providers fall into this category automatically, regardless of their size: qualified trust service providers, DNS service providers, and top-level domain name registries are essential entities whether they have 10 employees or 10,000.
Important Entities (wichtige Einrichtungen) is the broader category. It covers medium-sized and large companies across postal and courier services, waste management, chemicals, food production, manufacturing, digital providers, and the other Annex II sectors. The size test is the EU SME definition that NIS2 borrows: you are medium-sized, and therefore in scope, once you have 50 or more employees, or once your annual turnover and your annual balance sheet total both exceed €10 million. The headcount criterion alone is enough. A 60-person company with €8 million in revenue is in scope. A 30-person company with €15 million in turnover is in scope if its balance sheet total also exceeds €10 million, so check both financial figures rather than turnover alone.
So are you in scope? The honest answer for many organizations is: it depends, and you should find out now rather than in September. Here's how to work through it:
Start with your sector. Check your primary business activity against Annexes I and II of the NIS2 Directive. If your sector appears, you're potentially in scope. Then check the size thresholds. Then — and this is where it gets more complicated — think about your group structure.
If you're an IT subsidiary that provides cloud infrastructure or helpdesk services to affiliates, you may be classified as a digital infrastructure provider under NISG 2026, even if you don't sell those services externally. Shared services centers, intra-group IT operations, and captive IT entities have all been caught out by this in other EU member states. The fact that your customers are all internal doesn't automatically take you out of scope.
Sector classification also isn't always intuitive. A manufacturing company with significant digital production systems may have obligations in more than one category. If there's any genuine ambiguity about where you stand, the right call is to get a proper assessment before October — not to assume you're out and discover otherwise later.
What NISG 2026 Actually Requires You to Do
Once you know you're in scope, four categories of obligations apply.
Registration
Affected entities must register with the new Bundesamt für Cybersicherheit (Federal Office for Cybersecurity) within three months of the law entering into force — which means by December 31, 2026. You'll need to provide details about your organization, the sector you operate in, contact information for security notifications, and the IP ranges and domain names associated with your operations.
This isn't a one-time form-filling exercise. The register is how the authority tracks who's subject to supervision and how incident notifications get routed. Getting it wrong, incomplete, or late creates enforcement exposure from the very first day.
Risk Management Measures
NISG 2026 requires "appropriate technical, organizational and operational measures" to manage cybersecurity risks. Article 21(2) of NIS2 breaks this down into ten areas: policies on risk analysis and information system security; incident handling; business continuity, including backup management, disaster recovery and crisis management; supply chain security; security in the acquisition, development and maintenance of network and information systems, including vulnerability handling and disclosure; procedures to assess the effectiveness of the measures; basic cyber hygiene practices and cybersecurity training; policies on the use of cryptography and, where appropriate, encryption; human resources security, access control policies and asset management; and the use of multi-factor or continuous authentication, secured voice, video and text communications, and secured emergency communication systems.
In practical terms, the minimum most organizations need in place: a documented risk assessment, multi-factor authentication on critical systems and all remote access, a functioning incident detection capability (you cannot report within 24 hours what you cannot see), proper access controls and privilege management, tested backups and a recovery plan, supply chain security reviews for key vendors, a process for handling vulnerabilities in the systems you run, and a documented cryptography and encryption policy.
If you already hold ISO 27001 certification, you're in a much better position than most. It doesn't automatically equal NISG 2026 compliance, but its control set covers most of the same ground, and certification from an accredited body is the kind of evidence the Bundesamt für Cybersicherheit will find hard to dismiss. Organizations without any existing security framework are starting from further back — and should plan their timeline accordingly.
Incident Reporting
Significant incidents must be reported in three stages. An early warning goes to the authority within 24 hours of becoming aware of the incident: it confirms that an incident has occurred and states whether it is suspected to be malicious and whether it could have cross-border impact. A fuller incident notification follows within 72 hours, updating the early warning with an initial assessment of severity and impact and any indicators of compromise. A final report is due within one month of that notification, covering the root cause, the mitigation applied and, where relevant, the cross-border impact. The authority may also request intermediate status updates in between.
What counts as "significant"? Under NIS2, an incident that has caused or is capable of causing severe operational disruption or financial loss to the entity, or that has affected or is capable of affecting other natural or legal persons by causing considerable material or non-material damage. The threshold is lower than most IT managers expect. Ransomware affecting critical systems qualifies. A DDoS attack disrupting services qualifies. A data breach involving in-scope systems qualifies. If that breach involves personal data, a separate 72-hour notification to the data protection authority under GDPR is triggered as well; the two clocks run in parallel and neither waits for the other.
The 24-hour clock starts when you become aware of the incident, which in practice means when your monitoring, your help desk or a third party detects it, not when you've finished the investigation and not when legal has reviewed the situation. That's a tight window. Organizations that don't have established detection and response processes in place will find it very difficult to meet, regardless of how good their intentions are. This is one of the clearest arguments for building incident response capability now rather than treating it as a later-phase task.
Management Liability
This is the section that tends to focus board attention, and for good reason.
NISG 2026 explicitly places cybersecurity responsibility on senior management: Geschäftsführer (managing directors) and Vorstand (executive board members). Executives can face personal fines for failing to ensure compliance. In serious cases, they can face temporary disqualification from management duties.
That's not something you can delegate to the IT department and check off on a quarterly status update. Following Article 20 of NIS2, NISG 2026 requires management to approve the cybersecurity risk management measures, oversee their implementation, and follow training so they can actually assess the risks and measures they are signing off on, and it makes them personally answerable for the organization's compliance posture. For most Austrian organizations, that represents a genuine change in how information security is governed, and it's the single biggest reason this regulation has moved from an IT compliance discussion to a board agenda item.
The Practical Timeline: What to Do and When
Here's what the path to October 1, 2026 actually looks like for an organization that's starting from a realistic position today.
Now through Q2 2026: Figure out whether you're in scope. If the answer is obvious, move straight to gap analysis. If there's any ambiguity — mixed-sector operations, group structures, intra-group IT services — get a proper assessment now. Don't let this drift into Q3 and then discover you've been in scope all along.
Q2–Q3 2026: Conduct a gap analysis against the ten risk management categories in Article 21. Where are you already compliant? Where are the gaps? Prioritize the areas that take longest to fix: MFA deployment across the organization, building an incident response capability, reviewing your supply chain security. This is also the window to decide whether ISO 27001 certification makes sense as a compliance shortcut — though the timeline is tight if you're genuinely starting from scratch.
October 1, 2026: NISG 2026 is live. Incident reporting obligations apply from this date. There's no grace period for organizations that have been in scope and simply weren't ready.
By December 31, 2026: Registration with the Bundesamt für Cybersicherheit must be complete.
By September 30, 2027: A self-declaration confirming that required risk management measures have been implemented must be submitted.
One thing worth saying plainly: if you're starting from near-zero on cybersecurity maturity, a proper implementation takes 6 to 12 months. Starting now is not early — it's about right. Starting in Q3 2026 means you'll be scrambling toward deadlines while managing real compliance exposure.
Penalties and Enforcement: What Happens If You Don't Comply
The fine structure follows the GDPR pattern of a fixed amount or a percentage of global annual turnover, whichever is higher, although the ceilings are lower than GDPR's: up to €10 million or 2% of global annual turnover for essential entities, and up to €7 million or 1.4% of global annual turnover for important entities.
Enforcement sits with the Bundesamt für Cybersicherheit, which has authority to conduct on-site inspections, request documentation, issue binding instructions, and impose fines. It's not a paper regulator.
But the fine is actually the most predictable part of non-compliance. The harder-to-quantify risk is what happens when a real incident hits an organization that hasn't done the work: operational disruption that takes days or weeks to recover from, reputational damage with clients and partners, notification obligations to regulators and affected parties, and the management liability provisions that put individual executives personally in the frame. A fine has a ceiling. The downstream consequences of a serious incident at an unprepared organization don't.
How NISG 2026 Connects to ISO 27001 and Other Frameworks
ISO 27001 certification isn't a legal requirement under NISG 2026 — but it's probably the most practical route to demonstrating compliance with the risk management obligations. The control set maps closely to what Article 21 requires, and third-party certification gives you something concrete to point to when the regulator asks how you've addressed your obligations.
Organizations already certified have a genuine head start. Those building from scratch need to factor that into their planning now, not later.
Two adjacent regulations are also worth keeping on your radar. DORA, the Digital Operational Resilience Act, applies to financial sector entities and has applied since January 17, 2025. For the entities it covers, DORA is the sector-specific act: under Article 4 of NIS2 its ICT risk management and incident reporting rules take precedence over the equivalent NIS2 obligations, so if you're in financial services the two workstreams overlap substantially and are best run as a single coordinated program rather than as separate compliance efforts. The Cyber Resilience Act introduces cybersecurity requirements for products with digital elements and will affect manufacturers and importers across the EU; its vulnerability and incident reporting obligations for manufacturers apply from September 11, 2026, and the remaining obligations from December 11, 2027.
The direction of travel across EU cybersecurity regulation is consistent — more obligations, more accountability, more enforcement. Organizations that build a solid baseline now are better positioned for everything that follows, not just NISG 2026.
What This Means for Your Organization
NISG 2026 is real, the timeline is tighter than it looks, and management accountability changes the stakes in a meaningful way.
The organizations that will handle this well are the ones that treat it as an opportunity — to modernize their security posture, to put a documented risk management process in place, to demonstrate to clients and partners that security is governed at the board level. ISO 27001, a functioning incident response capability, supply chain reviews: these aren't just boxes to tick for a regulator. They're the foundations of an organization that can actually absorb what happens when things go wrong.
The organizations that will struggle are the ones waiting for more clarity, a cleaner picture, or a deadline that feels closer. October 1, 2026 is confirmed. December 31, 2026 is the registration deadline. September 30, 2027 is the self-declaration deadline. The clock is running, and it doesn't pause while you're deciding whether to take this seriously.
The right starting point is understanding your specific situation. Are you in scope? Where's your actual gap against NISG 2026 requirements? How long will it take to close? A 30-minute conversation can answer those questions and give you a clear picture of what's required — without the legal bill.
