NIS 2 in Austria: What Businesses Need to Do Now
Ales
IT Architect
> Summary: Austria's NISG 2026 (BGBl. I Nr. 94/2025) implements the EU NIS 2 Directive and takes effect October 1, 2026. Around 4,000 Austrian organizations are affected. Managing directors face personal liability for gross negligence. Penalties reach up to €10M or 2% of global annual turnover.
What is NIS 2?
The NIS 2 Directive (EU 2022/2555) is the EU's most comprehensive cybersecurity legislation, replacing the original NIS Directive from 2016:
- From 7 to 18 affected sectors
- From ~10,000 to ~160,000 companies EU-wide
- Personal liability for management - unprecedented
- Harmonized penalties instead of national discretion
Who is Affected in Austria?
Essential entities (proactive supervision): Energy, transport, banking, healthcare, digital infrastructure, ICT service management (B2B), public administration, space.
Important entities (reactive supervision): Postal/courier, waste management, food, chemicals, research, manufacturing, digital services.
Size Thresholds
| Criterion | Essential | Important |
|---|---|---|
| Employees | ≥ 250 | ≥ 50 |
| Annual turnover | > €50M | > €10M |
| Balance sheet | > €43M | > €10M |
The 10 Minimum Measures (Article 21)
- Risk analysis and security policies
- Incident handling (incident response)
- Business continuity - backup, disaster recovery
- Supply chain security
- Security in IT acquisition and maintenance
- Effectiveness assessment of cybersecurity measures
- Cyber hygiene and training
- Cryptography and encryption
- Personnel security and access control
- Multi-factor authentication
Incident Reporting
| Deadline | Requirement |
|---|---|
| 24 hours | Early warning |
| 72 hours | Detailed notification |
| 1 month | Final report with root cause |
Penalties
| Category | Maximum Penalty |
|---|---|
| Essential entities | €10M or 2% of global turnover |
| Important entities | €7M or 1.4% of global turnover |
Management responsibility: Cybersecurity responsibility rests explicitly with the management body. Managing directors must approve the risk-management measures and oversee their implementation. Breaching these duties exposes them to civil internal-recourse claims (Innenhaftung) toward the company; for essential entities, the NIS-2 Directive additionally allows the authority to impose a temporary ban from management functions.
Austrian Timeline
| Date | Milestone |
|---|---|
| Dec 23, 2025 | NISG 2026 published |
| Oct 1, 2026 | Enters into force |
| Dec 31, 2026 | Registration deadline |
| Sep 30, 2027 | Self-declaration deadline |
| From Oct 2028 | Audits possible |
How Anexum Can Help
- Readiness Assessment: Structured gap analysis
- Compliance Implementation: Risk management, incident response, documentation
- Managed Security: Ongoing monitoring and vulnerability scans
- Incident Response: 24/7 capability
- Supply Chain Security: Provider assessment
- Management Training: Mandatory leadership training
[Contact us for a free initial consultation →](/kontakt)