Am I affected, and what must my network meet?
NIS-2 and NISG 2026: Network Security
NIS-2 in Austria: the NISG 2026 takes effect on 1 October 2026. Check whether you are affected and secure connectivity, monitoring, and provider processes in line with the law.
Request a NIS-2 network checkWhat is NIS-2 and NISG 2026: Network Security?
Austria's NISG 2026 implements the EU NIS-2 Directive and takes effect on 1 October 2026; the registration deadline is 31 December 2026. Around 4,000 organisations from medium size up (50+ employees or EUR 10M+ turnover) across 18 sectors are affected, and smaller suppliers are pulled in through supply chains. Anexum covers the network and connectivity part: risk management for internet access, monitoring, redundancy, provider security, and evidence. The overall legal assessment stays with your legal advisers.
Service scope
- Affected-or-not check for the NISG 2026
- Network and connectivity risk management
- Redundancy and 5G failover for critical sites
- 24/7 monitoring with evidence
- Provider and supply-chain security
- Incident-response method for connectivity events
Clarity on whether you are affected
Thresholds (50 employees or EUR 10M), 18 sectors, and supply-chain duties - we place your situation factually.
The network part, done by the book
NIS-2 requires risk management, monitoring, and incident response. That is exactly our strength: connectivity, redundancy, and solid evidence.
Deadlines in view
In force on 1 October 2026, registration by 31 December 2026. Starting now leaves enough lead time.
Am I affected by NIS-2 / NISG 2026?
In principle, organisations from medium size up are affected, meaning 50+ employees or EUR 10M+ turnover, in one of the 18 covered sectors. Beyond that, smaller companies can be affected in practice through the supply-chain requirements of their customers. When in doubt, a structured affected-or-not check clarifies the classification.
When does the NISG 2026 apply and by when must I register?
The NISG 2026 takes effect on 1 October 2026. Affected entities must register by 31 December 2026, with further evidence and audit duties following in the years after.
Which duties concern the network and internet access?
NIS-2 requires, among other things, risk management, business-continuity measures, monitoring, and orderly incident handling. For internet access this means concretely: assessed redundancy, monitored availability, documented provider processes, and traceable incident handling.
Does NIS-2 also apply to small suppliers of large companies?
Yes, indirectly. Affected entities must account for the security of their supply chain and pass requirements down to suppliers. A smaller company can therefore be obliged in practice to take security measures and provide evidence, without falling directly under the law itself.
What does Anexum cover for NIS-2, and what not?
Anexum covers the network and connectivity part: risk assessment of the connection, redundancy and failover, monitoring with evidence, provider and supply-chain security, and an incident-response method. The overall legal assessment, governance, and reporting duties toward the authority belong with your legal and compliance advisers.
What penalties apply for breaches?
For essential entities, the NIS-2 Directive provides for fines of up to EUR 10M or 2% of worldwide annual turnover; for important entities, up to EUR 7M or 1.4%. The exact form follows the NISG 2026.