NIS2 Austria (NISG 2026): Obligations from 1 October 2026

Practitioner note: This is not legal advice. For specific situations, consult a qualified attorney or compliance officer.

TL;DR

  • NISG 2026 transposes the NIS2 Directive into Austrian law; expected application from 1 October 2026
  • Roughly 4,500 entities in scope in Austria (compared with about 29,500 in Germany)
  • Supervision: Federal Ministry of the Interior (BMI) as central NIS authority, plus sector regulators (FMA, BMK)
  • Obligations largely mirror the German NIS2UmsuCG; about 80% of compliance work is reusable across DE/AT
  • Group structures with DE and AT subsidiaries must register separately with BSI (DE) and BMI (AT)

1. NISG 2026 overview

The Network and Information Security Act 2026 (NISG 2026) transposes Directive (EU) 2022/2555 (NIS2) into Austrian law and replaces NISG 2018. It covers approximately 4,500 essential and important entities. Status as of April 2026: the consultation draft has been in review since March 2026; adoption by the National Council is expected in Q2 2026, with application from 1 October 2026.

2. Application date: 1 October 2026

3. Who is in scope?

NISG 2026 follows the thresholds of the Directive. Three checks:

  1. Sector: activity in one of the 18 sectors under Annex I (high criticality) or Annex II (other critical sectors)
  2. Size: large enterprises (>=250 employees or >=EUR 50M turnover) in an Annex I sector are essential; medium-sized enterprises (50-249 employees or EUR 10-50M turnover) in Annex I, and medium or large enterprises in Annex II, are important
  3. Size-independent cases: qualified trust service providers, DNS service providers and the .at TLD registry are essential regardless of size

4. DE vs. AT obligations

Obligation               | DE NIS2UmsuCG (Section 30 BSIG)                    | AT NISG 2026 (draft)
Risk analysis            | Sec. 30(2) no. 1                                   | Sec. 21(2) no. 1
Incident response        | Sec. 30(2) no. 2                                   | Sec. 21(2) no. 2
Business continuity      | Sec. 30(2) no. 3                                   | Sec. 21(2) no. 3
Supply-chain security    | Sec. 30(2) no. 5                                   | Sec. 21(2) no. 4
Cyber-hygiene training   | Sec. 30(2) no. 7                                   | Sec. 21(2) no. 6
Cryptography             | Sec. 30(2) no. 8                                   | Sec. 21(2) no. 7
Management duties        | Sec. 38 BSIG (incl. internal liability, Sec. 38(5)) | Sec. 24 NISG (no explicit internal-liability clause)
24-hour early warning    | Sec. 32(1) BSIG                                    | Sec. 26(1) NISG
72-hour incident report  | Sec. 32(2) BSIG                                    | Sec. 26(2) NISG

5. Supervision: BMI vs. BSI

Area                   | DE                          | AT
Central NIS authority  | BSI                         | BMI
National CSIRT         | CERT-Bund (within BSI)      | GovCERT.gv.at (BMI)
Finance sector         | BaFin (additional)          | FMA
Energy sector          | BNetzA                      | BMK + E-Control
Health sector          | BfArM (medical devices)     | BMSGPK

6. Penalties under NISG 2026

The draft adopts the maximum fines of Article 34 of the Directive without change (see the FAQ below): up to EUR 10 million or 2% of total worldwide annual turnover for essential entities, and up to EUR 7 million or 1.4% for important entities, whichever amount is higher.

7. Seven-step checklist for AT entities

  1. May 2026: scope analysis (sector + size + group consolidation)
  2. June 2026: brief management; Section 24 NISG includes a training duty
  3. July 2026: stand up an ISMS (unless already ISO 27001-certified)
  4. August 2026: incident-response playbook with GovCERT.gv.at notification templates
  5. September 2026: supplier assessment and cybersecurity contract clauses
  6. October 2026: entry into force; activate Section 21 NISG risk management
  7. December 2026: complete BMI registration and any sector-supervisor notifications

Summary

For DACH groups, NISG 2026 is mostly familiar territory: about 80% of a German NIS2 program is reusable in Austria. The 20% that needs work is the supervisory interface (BMI/GovCERT instead of BSI), AT-specific retention rules, and registration in both jurisdictions.


Frequently Asked Questions

When does the NISG 2026 enter into force?
The Austrian NIS2 implementation act (NISG 2026) is expected to become applicable on 1 October 2026. Adoption by the National Council is expected in Q2/2026, with publication in the Federal Law Gazette (BGBl.) approximately 4 weeks earlier. The delay relative to the EU deadline (17 October 2024) follows the pattern seen in many EU Member States.
Who is affected by NIS2 in Austria?
Estimate: approximately 4,500 entities in Austria, compared with around 29,500 in Germany. The definition of essential and important entities follows the EU Directive: large enterprises with ≥250 employees in high-criticality (Annex I) sectors are essential; medium-sized enterprises with 50-249 employees in Annex I, and medium or large enterprises in Annex II, are important; sector-specific rules (e.g., qualified trust service providers, DNS service providers, the TLD registry) apply regardless of size.
Who is the supervisory authority in Austria?
The Federal Ministry of the Interior (BMI) acts as the central NIS authority, together with GovCERT.gv.at as the national CSIRT. Sector-specific supervision: the FMA for finance, the BMK for energy, and the BMK for transport. For many SMEs this means two supervisory authorities instead of one (BMI plus the sector regulator).
How does the NISG 2026 differ from the German NIS2UmsuCG?
Differences: (1) Application date 1 October 2026 instead of 6 December 2025 (Germany). (2) Supervision: BMI plus sector regulators (Austria) vs. centralized BSI (Germany). (3) Austria builds more strongly on the existing Security Research Act, whereas Germany builds on the BSIG (German IT Security Act) reform. (4) Fines: Austria adopts the EU maximums 1:1, while Germany differentiates more sharply between essential and important entities. (5) The Austrian NISG has no internal liability rule analogous to Section 38(5) BSIG in Germany.
Do Austrian companies need to register separately?
Yes, with the relevant supervisory authority (typically the BMI). The deadline is expected to be 3 months after the NISG 2026 enters into force — so approximately by 31 December 2026. Corporate group structures with Austrian and German subsidiaries must register separately (BSI in Germany and BMI in Austria).
Is a German NIS2 compliance program sufficient for the Austrian subsidiary?
Largely yes, with adjustments. Transferable: risk management, ISMS, incident response playbook, supply chain assessment. Not transferable: Austrian supervisory interfaces (BMI/CSIRT reporting channels), Austrian-specific retention periods, and Austrian-specific fine rules. In practice: 80% is reusable, 20% requires Austrian adaptation.
Which sectors are particularly affected in Austria?
Energy (electricity grid operators, gas, district heating), transport (rail, Vienna Airport, Danube shipping), banking plus financial market infrastructure (DORA interface), healthcare (KAGES, Vienna General Hospital, private clinics), water, digital infrastructure (.at TLD, internet exchange points), and public administration (federal, state, and municipalities with ≥10,000 inhabitants).
