
NIS 2 in Austria - The ultimate guide to the new cyber security law!
What does NIS2 mean?
The term NIS2 stands for the second version of the EU-wide directive on the security of network and information systems. While the first NIS Directive from 2016 only covered a limited number of sectors, the new NIS2 Directive massively expands the scope. The aim is to create a uniformly high level of cyber security in all member states in order to strengthen the resilience of critical infrastructures and important economic sectors against hacker attacks and IT failures.
What does the NIS 2 Directive say?
The NIS 2 Directive stipulates that companies that play an essential role in society or the economy must implement strict cybersecurity measures. These include, among other things:
- Proactive risk management.
- Clear reporting deadlines for security incidents.
- Securing the supply chain.
- Personal responsibility of the management for implementing the measures.
The NIS 2 cyber security directive is therefore far more than a mere recommendation - it is a binding legal framework with tangible sanctions for non-compliance.
What is NIS2 in Austria?
In Austria, the EU Directive is implemented by the national NIS 2 Austria Act, officially known as NISG 2026. It replaces the previous regulation from 2018 and expands the group of affected companies from around 100 to an estimated 4,000 organisations. The NISG 2026 distinguishes between "essential" and "important" organisations; both groups have to fulfil specific obligations to ensure the national level of security.
When will NIS-2 come into force in Austria?
This is one of the most frequently asked questions. After the national implementation was delayed, there is now a clear roadmap:
- The NISG 2026 was officially promulgated at the end of 2025.
- The main provisions and obligations will come into force on 1 October 2026.
- Affected companies must register with the competent cybersecurity authority by 31 December 2026 (3 months after entry into force) at the latest.
Our tip: Don't wait until autumn 2026. As the NIS 2 requirements are complex, you should start taking stock now. You can find out which companies are specifically covered by the NIS2 regulation in the article "Who is affected? The NIS2 requirements and affected companies in detail."